CVE-2022-48631 – ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0
https://notcve.org/view.php?id=CVE-2022-48631
In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 When walking through an inode extents, the ext4_ext_binsearch_idx() function assumes that the extent header has been previously validated. However, there are no checks that verify that the number of entries (eh->eh_entries) is non-zero when depth is > 0. And this will lead to problems because the EXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this: [ 135.245946] ------------[ cut here ]------------ [ 135.247579] kernel BUG at fs/ext4/extents.c:2258! [ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP [ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4 [ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 [ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0 [ 135.256475] Code: [ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246 [ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023 [ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c [ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c [ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024 [ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000 [ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 [ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0 [ 135.277952] Call Trace: [ 135.278635] <TASK> [ 135.279247] ? preempt_count_add+0x6d/0xa0 [ 135.280358] ? • https://git.kernel.org/stable/c/bb7eb3ca4b3b0d2c7872cf1a41c30f5e5bd65df0 https://git.kernel.org/stable/c/958b0ee23f5ac106e7cc11472b71aa2ea9a033bc https://git.kernel.org/stable/c/be4df018c0be5ebecf1ca510feacc23be415cefc https://git.kernel.org/stable/c/2f5e9de15e4f55fbf56f22d4a2ce406246cc462d https://git.kernel.org/stable/c/29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0 •
CVE-2024-26928 – smb: client: fix potential UAF in cifs_debug_files_proc_show()
https://notcve.org/view.php?id=CVE-2024-26928
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_debug_files_proc_show() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. A flaw was found in the Linux kernel. The following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show(). • https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88 https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1 https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502 https://access.redhat.com/security/cve/CVE-2024-26928 https://bugzilla.redhat.com/show_bug.cgi?id=2277937 • CWE-416: Use After Free •
CVE-2023-52646 – aio: fix mremap after fork null-deref
https://notcve.org/view.php?id=CVE-2023-52646
In the Linux kernel, the following vulnerability has been resolved: aio: fix mremap after fork null-deref Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced a null-deref if mremap is called on an old aio mapping after fork as mm->ioctx_table will be set to NULL. [jmoyer@redhat.com: fix 80 column issue] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: aio: corrige mremap después de la bifurcación null-deref Commit e4a0d3e720e7 ("aio: Make it posible reasignar el anillo aio") introdujo un null-deref si se llama a mremap en un mapeo aio antiguo después de la bifurcación como mm->ioctx_table se establecerá en NULL. [jmoyer@redhat.com: soluciona el problema de 80 columnas] • https://git.kernel.org/stable/c/e4a0d3e720e7e508749c1439b5ba3aff56c92976 https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95 https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22 https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2 https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1 https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e2997 •
CVE-2024-26926 – binder: check offset alignment in binder_get_object()
https://notcve.org/view.php?id=CVE-2024-26926
In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying txn") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df ("binder: add function to copy binder object from buffer"), likely removed due to redundancy at the time. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Binder: verifique la alineación de desplazamiento en binder_get_object() El commit 6d98eb95b450 ("binder: evite posibles fugas de datos al copiar txn") introdujo cambios en la forma en que se copian los objetos de Binder. Al hacerlo, eliminó involuntariamente una verificación de alineación de desplazamiento realizada mediante llamadas a binder_alloc_copy_from_buffer() -> check_buffer(). • https://git.kernel.org/stable/c/c056a6ba35e00ae943e377eb09abd77a6915b31a https://git.kernel.org/stable/c/23e9d815fad84c1bee3742a8de4bd39510435362 https://git.kernel.org/stable/c/7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde https://git.kernel.org/stable/c/6d98eb95b450a75adb4516a1d33652dc78d2b20c https://git.kernel.org/stable/c/66e12f5b3a9733f941893a00753b10498724607d https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12 https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da887 •
CVE-2024-26925 – netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
https://notcve.org/view.php?id=CVE-2024-26925
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: libera mutex después de nft_gc_seq_end de la ruta de cancelación. El mutex de confirmación no debe liberarse durante la sección crítica entre nft_gc_seq_begin() y nft_gc_seq_end(); de lo contrario, el trabajador asíncrono de GC podría recopilar objetos caducados y obtener el bloqueo de confirmación liberado dentro de la misma secuencia de GC. nf_tables_module_autoload() libera temporalmente el mutex para cargar las dependencias del módulo, luego vuelve a reproducir la transacción nuevamente. Muévalo al final de la fase de cancelación después de llamar a nft_gc_seq_end(). A flaw was found in the Linux kernel’s Netfilter nf_tables module. • https://git.kernel.org/stable/c/4b6346dc1edfb9839d6edee7360ed31a22fa6c95 https://git.kernel.org/stable/c/23292bdfda5f04e704a843b8f97b0eb95ace1ca6 https://git.kernel.org/stable/c/b44a459c6561595ed7c3679599c5279204132b33 https://git.kernel.org/stable/c/5d319f7a81431c6bb32eb4dc7d7975f99e2c8c66 https://git.kernel.org/stable/c/720344340fb9be2765bbaab7b292ece0a4570eae https://git.kernel.org/stable/c/f85ca36090cbb252bcbc95fc74c2853fc792694f https://git.kernel.org/stable/c/e07e68823116563bdbc49cef185cda6f463bc534 https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f791 • CWE-667: Improper Locking •