CVE-2023-52443 – apparmor: avoid crash when parsed profile name is empty
https://notcve.org/view.php?id=CVE-2023-52443
In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). • https://git.kernel.org/stable/c/04dc715e24d0820bf8740e1a1135ed61fe162bc8 https://git.kernel.org/stable/c/9286ee97aa4803d99185768735011d0d65827c9e https://git.kernel.org/stable/c/1d8e62b5569cc1466ceb8a7e4872cf10160a9dcf https://git.kernel.org/stable/c/5ff00408e5029d3550ee77f62dc15f1e15c47f87 https://git.kernel.org/stable/c/0a12db736edbb4933e4274932aeea594b5876fa4 https://git.kernel.org/stable/c/9d4fa5fe2b1d56662afd14915a73b4d0783ffa45 https://git.kernel.org/stable/c/5c0392fdafb0a2321311900be83ffa572bef8203 https://git.kernel.org/stable/c/77ab09b92f16c8439a948d1af48919695 • CWE-476: NULL Pointer Dereference •
CVE-2024-26585 – tls: fix race between tx work scheduling and socket close
https://notcve.org/view.php?id=CVE-2024-26585
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige la ejecución entre la programación de trabajo de transmisión y el cierre del socket De manera similar a el commit anterior, el hilo de envío (recvmsg/sendmsg) puede cerrarse tan pronto como el controlador de cifrado asíncrono llame a complete(). Reordene la programación del trabajo antes de llamar a complete(). En primer lugar, esto parece más lógico, ya que es el orden inverso de lo que hará el hilo de envío. A race condition vulnerability was found in the tls subsystem of the Linux kernel. • https://git.kernel.org/stable/c/a42055e8d2c30d4decfc13ce943d09c7b9dad221 https://git.kernel.org/stable/c/dd32621f19243f89ce830919496a5dcc2158aa33 https://git.kernel.org/stable/c/196f198ca6fce04ba6ce262f5a0e4d567d7d219d https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146 https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57 https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb https://access.redhat.com/security/cve/CVE-2024-26585 https://bugzilla.redhat.com/show_bug.cgi?id=2265517 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2024-26584 – net: tls: handle backlogging of crypto requests
https://notcve.org/view.php?id=CVE-2024-26584
In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tls: manejar el retraso de solicitudes criptográficas Dado que estamos configurando el indicador CRYPTO_TFM_REQ_MAY_BACKLOG en nuestras solicitudes a la API criptográfica, crypto_aead_{encrypt,decrypt} puede devolver -EBUSY en lugar de - EINPROGRESS en situaciones válidas. • https://git.kernel.org/stable/c/a54667f6728c2714a400f3c884727da74b6d1717 https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368 https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72 https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754 https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694 https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3 https://access.redhat.com/security/cve/CVE-2024-26584 https://bugzilla.redhat.com/show_bug.cgi?id=2265519 • CWE-393: Return of Wrong Status Code CWE-755: Improper Handling of Exceptional Conditions •
CVE-2024-26583 – tls: fix race between async notify and socket close
https://notcve.org/view.php?id=CVE-2024-26583
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige la ejecución entre la notificación asíncrona y el cierre del socket. El hilo de envío (uno que llamó recvmsg/sendmsg) puede salir tan pronto como el controlador criptográfico asíncrono llame a complete(), por lo que cualquier código pasado ese punto corre el riesgo de tocar datos ya liberados. Intente evitar por completo el bloqueo y las banderas adicionales. Haga que el hilo principal contenga una referencia adicional, de esta manera podemos depender únicamente del contador de referencia atómica para la sincronización. • https://git.kernel.org/stable/c/0cada33241d9de205522e3858b18e506ca5cce2c https://git.kernel.org/stable/c/cf4cc95a15f599560c7abd89095a7973a4b9cec3 https://git.kernel.org/stable/c/8dc5025c6a444548ab5e2ef9e6f4479f71c7c1a0 https://git.kernel.org/stable/c/9b81d43da15e56ed89f083f326561acdcaf549ce https://git.kernel.org/stable/c/f17d21ea73918ace8afb9c2d8e734dbf71c2c9d7 https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01 https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVE-2024-26582 – net: tls: fix use-after-free with partial reads and async decrypt
https://notcve.org/view.php?id=CVE-2024-26582
In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tls: corrige el use-after-free con lecturas parciales y descifrado asíncrono tls_decrypt_sg no toma una referencia en las páginas de clear_skb, por lo que put_page() en tls_decrypt_done las libera y activamos un use-after-free en Process_rx_list cuando intentamos leer desde el skb parcialmente leído. A use-after-free vulnerability was found in the tls subsystem of the Linux kernel. The tls_decrypt_sg() function doesn't take references on the pages from clear_skb, so the put_page() in tls_decrypt_done() releases them and a use-after-free can be triggered in process_rx_list when trying to read from the partially-read skb. This issue could lead to a denial of service condition or code execution. • https://git.kernel.org/stable/c/fd31f3996af2627106e22a9f8072764fede51161 https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96 https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5 https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f https://access.redhat.com/security/cve/CVE-2024-26582 https://bugzilla.redhat.com/show_bug.cgi?id=2265518 • CWE-416: Use After Free •