Page 443 of 2462 results (0.017 seconds)

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tcp: agregue controles de seguridad a rx zerocopy La intención de TCP rx zerocopy es mapear páginas inicialmente asignadas desde controladores NIC, no páginas propiedad de un fs. Este parche añade a can_map_frag() estas comprobaciones adicionales: - La página no debe ser compuesta. - página->mapeo debe ser NULL. Esto soluciona el pánico informado por ZhangPeng. syzbot pudo realizar un loopback de paquetes creados con sendfile(), asignando páginas propiedad de un archivo ext4 a TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4 , &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00) 000000c0 )='. • https://git.kernel.org/stable/c/93ab6cc69162775201587cc9da00d5016dc890e2 https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6f https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541e https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5e https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760 https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60 https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894 https://lists.debian.org/debian-lts-announce/2024/06/ • CWE-20: Improper Input Validation •

CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Fix crash when setting number of cpus to an odd number When the number of cpu cores is adjusted to 7 or other odd numbers, the zone size will become an odd number. The address of the zone will become: addr of zone0 = BASE addr of zone1 = BASE + zone_size addr of zone2 = BASE + zone_size*2 ... The address of zone1/3/5/7 will be mapped to non-alignment va. Eventually crashes will occur when accessing these va. So, use ALIGN_DOWN() to make sure the zone size is even to avoid this bug. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pstore/ram: soluciona el fallo al establecer el número de CPU en un número impar. Cuando el número de núcleos de CPU se ajusta a 7 u otros números impares, el tamaño de la zona se convertirá en un número impar. La dirección de la zona se convertirá en: dirección de zona0 = BASE dirección de zona1 = BASE + tamaño_zona dirección de zona2 = BASE + tamaño_zona*2 ... La dirección de zona1/3/5/7 se asignará a va no alineada . • https://git.kernel.org/stable/c/8b69c30f4e8b69131d92096cb296dc1f217101e4 https://git.kernel.org/stable/c/e9f6ac50890104fdf8194f2865680689239d30fb https://git.kernel.org/stable/c/a63e48cd835c34c38ef671d344cc029b1ea5bf10 https://git.kernel.org/stable/c/2a37905d47bffec61e95d99f0c1cc5dc6377956c https://git.kernel.org/stable/c/75b0f71b26b3ad833c5c0670109c0af6e021e86a https://git.kernel.org/stable/c/0593cfd321df9001142a9d2c58d4144917dff7ee https://git.kernel.org/stable/c/cd40e43f870cf21726b22487a95ed223790b3542 https://git.kernel.org/stable/c/d49270a04623ce3c0afddbf3e984cb245 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •

CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: block/rnbd-srv: Check for unlikely string overflow Since "dev_search_path" can technically be as large as PATH_MAX, there was a risk of truncation when copying it and a second string into "full_path" since it was also PATH_MAX sized. The W=1 builds were reporting this warning: drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra': drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=] 616 | snprintf(full_path, PATH_MAX, "%s/%s", | ^~ In function 'rnbd_srv_get_full_path', inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096 616 | snprintf(full_path, PATH_MAX, "%s/%s", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 617 | dev_search_path, dev_name); | ~~~~~~~~~~~~~~~~~~~~~~~~~~ To fix this, unconditionally check for truncation (as was already done for the case where "%SESSNAME%" was present). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: block/rnbd-srv: Comprueba si hay un desbordamiento de cadena improbable. Dado que "dev_search_path" técnicamente puede ser tan grande como PATH_MAX, existía el riesgo de truncamiento al copiarlo y una segunda cadena en " full_path" ya que también tenía un tamaño PATH_MAX. Las compilaciones W=1 informaban esta advertencia: drivers/block/rnbd/rnbd-srv.c: En función 'process_msg_open.isra': drivers/block/rnbd/rnbd-srv.c:616:51: advertencia: '% La salida de la directiva s se puede truncar escribiendo hasta 254 bytes en una región de tamaño entre 0 y 4095 [-Wformat-truncation=] 616 | snprintf(full_path, PATH_MAX, "%s/%s", | ^~ En la función 'rnbd_srv_get_full_path', insertada desde 'process_msg_open.isra' en drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block /rnbd/rnbd-srv.c:616:17: nota: 'snprintf' genera entre 2 y 4351 bytes en un destino de tamaño 4096 616 | snprintf(full_path, PATH_MAX, "%s/%s", | ^~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 617 | dev_search_path, dev_name); | ~~~~~~~ ~~~~~~~~~~~~~~~~~~~ Para solucionar este problema, verifique incondicionalmente el truncamiento (como ya se hizo en el caso en el que "%SESSNAME%" estaba presente). • https://git.kernel.org/stable/c/95bc866c11974d3e4a9d922275ea8127ff809cf7 https://git.kernel.org/stable/c/f6abd5e17da33eba15df2bddc93413e76c2b55f7 https://git.kernel.org/stable/c/af7bbdac89739e2e7380387fda598848d3b7010f https://git.kernel.org/stable/c/5b9ea86e662035a886ccb5c76d56793cba618827 https://git.kernel.org/stable/c/a2c6206f18104fba7f887bf4dbbfe4c41adc4339 https://git.kernel.org/stable/c/9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41 https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html •

CVSS: 4.4EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: PCI: switchtec: Fix stdev_release() crash after surprise hot remove A PCI device hot removal may occur while stdev->cdev is held open. The call to stdev_release() then happens during close or exit, at a point way past switchtec_pci_remove(). Otherwise the last ref would vanish with the trailing put_device(), just before return. At that later point in time, the devm cleanup has already removed the stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause a fatal page fault, and the subsequent dma_free_coherent(), if reached, would pass a stale &stdev->pdev->dev pointer. Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after stdev_kill(). • https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355 https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8 https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3 https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693 https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66 https://lists.debian.org/debian-lts-announce/2024/06/ •

CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: nbd: always initialize struct msghdr completely syzbot complains that msg->msg_get_inq value can be uninitialized [1] struct msghdr got many new fields recently, we should always make sure their values is zero by default. [1] BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0x12b/0x1e0 net/socket.c:1066 __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538 nbd_read_reply drivers/block/nbd.c:732 [inline] recv_work+0x262/0x3100 drivers/block/nbd.c:863 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781 kthread+0x3ed/0x540 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Local variable msg created at: __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513 nbd_read_reply drivers/block/nbd.c:732 [inline] recv_work+0x262/0x3100 drivers/block/nbd.c:863 CPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: nbd5-recv recv_work En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nbd: siempre inicializa completamente la estructura msghdr syzbot se queja de que el valor msg->msg_get_inq puede no estar inicializado [1] la estructura msghdr obtuvo muchos campos nuevos recientemente, siempre debemos asegurarnos de que sus valores sean cero por defecto. [1] ERROR: KMSAN: valor uninit en tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 inet_recvmsg+0x131/0x580 net/ipv4/af_inet. c:879 sock_recvmsg_nosec net/socket.c:1044 [en línea] sock_recvmsg+0x12b/0x1e0 net/socket.c:1066 __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538 nbd_read_reply drivers/block/nbd.c:732 [en línea] recv_work+0x262/0x3100 drivers/block/nbd.c:863 Process_one_work kernel/workqueue.c:2627 [en línea] Process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700 workqueue.c :2781 kthread+0x3ed/0x540 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Mensaje de variable local creado en: __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513 nbd_read_reply drivers/block/nbd.c:732 [en línea] recv_work+0x262/0x3100 drivers/block/nbd.c:863 CPU: 1 PID: 7465 Comm : kworker/u5:1 No contaminado 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 17/11/2023 Cola de trabajo: nbd5-recv recv_work • https://git.kernel.org/stable/c/f94fd25cb0aaf77fd7453f31c5d394a1a68ecf60 https://git.kernel.org/stable/c/d9c54763e5cdbbd3f81868597fe8aca3c96e6387 https://git.kernel.org/stable/c/1960f2b534da1e6c65fb96f9e98bda773495f406 https://git.kernel.org/stable/c/b0028f333420a65a53a63978522db680b37379dd https://git.kernel.org/stable/c/78fbb92af27d0982634116c7a31065f24d092826 https://access.redhat.com/security/cve/CVE-2024-26638 https://bugzilla.redhat.com/show_bug.cgi?id=2270103 • CWE-456: Missing Initialization of a Variable •