CVE-2024-26889 – Bluetooth: hci_core: Fix possible buffer overflow
https://notcve.org/view.php?id=CVE-2024-26889
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: hci_core: soluciona un posible desbordamiento del búfer struct hci_dev_info tiene un campo de nombre de tamaño fijo[8], por lo que en caso de que hdev->name sea mayor que strcpy intentaría escribir más allá su tamaño, por lo que esto soluciona este problema cambiando al uso de strscpy. A buffer overflow flaw was found in struct hci_dev_info in the variable name[8] in the Linkkux Kernel. If an attacker crafts an exploit copying more than the size of the name[8], it results in a buffer overflow and a denial of service. • https://git.kernel.org/stable/c/194ab82c1ea187512ff2f822124bd05b63fc9f76 https://git.kernel.org/stable/c/b48595f5b1c6e81e06e164e7d2b7a30b1776161e https://git.kernel.org/stable/c/ffb060b136dd75a033ced0fc0aed2882c02e8b56 https://git.kernel.org/stable/c/bbec1724519ecd9c468d1186a8f30b7567175bfb https://git.kernel.org/stable/c/a55d53ad5c86aee3f6da50ee73626008997673fa https://git.kernel.org/stable/c/dcda165706b9fbfd685898d46a6749d7d397e0c0 https://git.kernel.org/stable/c/d9ce7d438366431e5688be98d8680336ce0a0f8d https://git.kernel.org/stable/c/5558f4312dca43cebfb9a1aab3d632be9 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-26888 – Bluetooth: msft: Fix memory leak
https://notcve.org/view.php?id=CVE-2024-26888
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: msft: Fix memory leak Fix leaking buffer allocated to send MSFT_OP_LE_MONITOR_ADVERTISEMENT. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: msft: Reparar pérdida de memoria Reparar pérdida de búfer asignado para enviar MSFT_OP_LE_MONITOR_ADVERTISEMENT. • https://git.kernel.org/stable/c/9e14606d8f38ea52a38c27692a9c1513c987a5da https://git.kernel.org/stable/c/f9965f7f38c90449a5fb26edb8a7d22b1dcf0283 https://git.kernel.org/stable/c/80fe27811c56ecd3896c3d511ab8298146071d98 https://git.kernel.org/stable/c/98e9920c75e0790bff947a00d192d24bf1c724e0 https://git.kernel.org/stable/c/5987b9f7d9314c7411136005b3a52f61a8cc0911 https://git.kernel.org/stable/c/5cb93417c93716a5404f762f331f5de3653fd952 https://git.kernel.org/stable/c/a6e06258f4c31eba0fcd503e19828b5f8fe7b08b •
CVE-2024-26887 – Bluetooth: btusb: Fix memory leak
https://notcve.org/view.php?id=CVE-2024-26887
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: Fix memory leak This checks if CONFIG_DEV_COREDUMP is enabled before attempting to clone the skb and also make sure btmtk_process_coredump frees the skb passed following the same logic. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: btusb: corrige la pérdida de memoria. Esto verifica si CONFIG_DEV_COREDUMP está habilitado antes de intentar clonar el skb y también se asegura de que btmtk_process_coredump libere el skb pasado siguiendo la misma lógica. • https://git.kernel.org/stable/c/0b70151328781a89c89e4cf3fae21fc0e98d869e https://git.kernel.org/stable/c/620b9e60e4b55fa55540ce852a0f3c9e6091dbbc https://git.kernel.org/stable/c/b10e6f6b160a60b98fb7476028f5a95405bbd725 https://git.kernel.org/stable/c/b08bd8f02a24e2b82fece5ac51dc1c3d9aa6c404 https://git.kernel.org/stable/c/79f4127a502c5905f04da1f20a7bbe07103fb77c •
CVE-2024-26886 – Bluetooth: af_bluetooth: Fix deadlock
https://notcve.org/view.php?id=CVE-2024-26886
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: <TASK> __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? • https://git.kernel.org/stable/c/37f71e2c9f515834841826f4eb68ec33cfb2a1ff https://git.kernel.org/stable/c/1d576c3a5af850bf11fbd103f9ba11aa6d6061fb https://git.kernel.org/stable/c/2e07e8348ea454615e268222ae3fc240421be768 https://git.kernel.org/stable/c/db1b14eec8c61a20374de9f9c2ddc6c9406a8c42 https://git.kernel.org/stable/c/2b16d960c79abc397f102c3d23d30005b68cb036 https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae https://git.kernel.org/stable/c/0625d7c240b307b78640dcd823cb738cb900a8ba https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb • CWE-833: Deadlock •
CVE-2024-26885 – bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
https://notcve.org/view.php?id=CVE-2024-26885
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: corrige la verificación de desbordamiento de DEVMAP_HASH en arcos de 32 bits. • https://git.kernel.org/stable/c/6f9d451ab1a33728adb72d7ff66a7b374d665176 https://git.kernel.org/stable/c/1f5e352b9088211fa5eb4e1639cd365f4f7d2f65 https://git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb https://git.kernel.org/stable/c/4b81a9f92b3676cb74b907a7a209b3d15bd9a7f9 https://git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3 https://git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737 https://git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691 https://git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •