CVE-2024-26921 – inet: inet_defrag: prevent sk release while still in use
https://notcve.org/view.php?id=CVE-2024-26921
In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: inet: inet_defrag: evita la liberación de sk mientras aún está en uso ip_local_out() y otras funciones pueden pasar skb->sk como argumento de función. Si el skb es un fragmento y el reensamblaje ocurre antes de que regrese dicha llamada a la función, el sk no debe liberarse. • https://git.kernel.org/stable/c/7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab https://git.kernel.org/stable/c/9705f447bf9a6cd088300ad2c407b5e1c6591091 https://git.kernel.org/stable/c/4318608dc28ef184158b4045896740716bea23f0 https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325 https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727 https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981 https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272 https://access.redhat.com/security/cve/CVE-2024-26921 • CWE-124: Buffer Underwrite ('Buffer Underflow') •
CVE-2024-26920 – tracing/trigger: Fix to return error if failed to alloc snapshot
https://notcve.org/view.php?id=CVE-2024-26920
In the Linux kernel, the following vulnerability has been resolved: tracing/trigger: Fix to return error if failed to alloc snapshot Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: rastreo/activador: Corrección para devolver error si no se pudo asignar la instantánea. Corrección de Register_snapshot_trigger() para devolver código de error si no se pudo asignar una instantánea en lugar de 0 (éxito). A menos que eso, registrará la activación de la instantánea sin error. • https://git.kernel.org/stable/c/57f2a2ad73e99a7594515848f4da987326a15981 https://git.kernel.org/stable/c/0026e356e51ab3b54322eeb445c75a087ede5b9d https://git.kernel.org/stable/c/0bbe7f719985efd9adb3454679ecef0984cb6800 https://git.kernel.org/stable/c/7c6feb347a4bb1f02e55f6814c93b5f7fab887a8 https://git.kernel.org/stable/c/a289fd864722dcf5363fec66a35965d4964df515 https://git.kernel.org/stable/c/7054f86f268c0d9d62b52a4497dd0e8c10a7e5c7 https://git.kernel.org/stable/c/ffa70d104691aa609a18a9a6692049deb35f431f https://git.kernel.org/stable/c/733c611a758c68894a4480fb999637476 •
CVE-2024-26919 – usb: ulpi: Fix debugfs directory leak
https://notcve.org/view.php?id=CVE-2024-26919
In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: Fix debugfs directory leak The ULPI per-device debugfs root is named after the ulpi device's parent, but ulpi_unregister_interface tries to remove a debugfs directory named after the ulpi device itself. This results in the directory sticking around and preventing subsequent (deferred) probes from succeeding. Change the directory name to match the ulpi device. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: usb: ulpi: corrige la fuga del directorio debugfs La raíz debugfs por dispositivo ULPI lleva el nombre del dispositivo principal ulpi, pero ulpi_unregister_interface intenta eliminar un directorio debugfs que lleva el nombre del dispositivo ulpi en sí. Esto da como resultado que el directorio permanezca y evite que las pruebas posteriores (diferidas) se realicen correctamente. • https://git.kernel.org/stable/c/bd0a0a024f2a41e7cc8eadb9862f82c45884b69c https://git.kernel.org/stable/c/d31b886ed6a5095214062ee4fb55037eb930adb6 https://git.kernel.org/stable/c/330d22aba17a4d30a56f007d0f51291d7e00862b https://git.kernel.org/stable/c/33713945cc92ea9c4a1a9479d5c1b7acb7fc4df3 https://git.kernel.org/stable/c/3caf2b2ad7334ef35f55b95f3e1b138c6f77b368 https://access.redhat.com/security/cve/CVE-2024-26919 https://bugzilla.redhat.com/show_bug.cgi?id=2275777 •
CVE-2024-26917 – scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
https://notcve.org/view.php?id=CVE-2024-26917
In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" This reverts commit 1a1975551943f681772720f639ff42fbaa746212. This commit causes interrupts to be lost for FCoE devices, since it changed sping locks from "bh" to "irqsave". Instead, a work queue should be used, and will be addressed in a separate commit. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: Revertir "scsi: fcoe: Reparar posible punto muerto en &fip->ctlr_lock" Esto revierte el commit 1a1975551943f681772720f639ff42fbaa746212. Este commit provoca que se pierdan las interrupciones para los dispositivos FCoE, ya que cambió los bloqueos de sping de "bh" a "irqsave". En su lugar, se debe utilizar una cola de trabajo, que se abordará en un commit separado. • https://git.kernel.org/stable/c/264eae2f523d2aae38188facb4ece893023f25da https://git.kernel.org/stable/c/d2bf25674cea74b865d367d09be5dfe9aff5922a https://git.kernel.org/stable/c/9cce8ef7a6fa858bbcacd8679a5ca5a4fd3a6df3 https://git.kernel.org/stable/c/076fb40cf27ab9232d8cce1f007e663e46705302 https://git.kernel.org/stable/c/5a5fb3b1754fa2b4db95f0151b4af0fb6f8918ec https://git.kernel.org/stable/c/1a1975551943f681772720f639ff42fbaa746212 https://git.kernel.org/stable/c/4ea46b479a00dd232f0dbc81fdc27f9330ecb3ad https://git.kernel.org/stable/c/694ddc5bf35a5b6f9acb6e4724324c910 •
CVE-2024-26916 – Revert "drm/amd: flush any delayed gfxoff on suspend entry"
https://notcve.org/view.php?id=CVE-2024-26916
In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd: flush any delayed gfxoff on suspend entry" commit ab4750332dbe ("drm/amdgpu/sdma5.2: add begin/end_use ring callbacks") caused GFXOFF control to be used more heavily and the codepath that was removed from commit 0dee72639533 ("drm/amd: flush any delayed gfxoff on suspend entry") now can be exercised at suspend again. Users report that by using GNOME to suspend the lockscreen trigger will cause SDMA traffic and the system can deadlock. This reverts commit 0dee726395333fea833eaaf838bc80962df886c8. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Revertir "drm/amd: eliminar cualquier gfxoff retrasado al suspender la entrada" commit ab4750332dbe ("drm/amdgpu/sdma5.2: agregar devoluciones de llamada de anillo de inicio/fin de uso") provocó que el control de GFXOFF se utilizará más intensamente y la ruta de código que se eliminó del commit 0dee72639533 ("drm/amd: eliminar cualquier gfxoff retrasado al suspender la entrada") ahora se puede ejercer nuevamente en suspensión. Los usuarios informan que al usar GNOME para suspender el activador de la pantalla de bloqueo provocará tráfico SDMA y el sistema puede bloquearse. Esto revierte el commit 0dee726395333fea833eaaf838bc80962df886c8. • https://git.kernel.org/stable/c/f94942885e8416ce9de84d8fae93684002682b5d https://git.kernel.org/stable/c/78b2ba39beef21c8baebb1868569c2026ad76de0 https://git.kernel.org/stable/c/3aae4ef4d799fb3d0381157640fdb251008cf0ae https://git.kernel.org/stable/c/ab4750332dbe535243def5dcebc24ca00c1f98ac https://git.kernel.org/stable/c/65158edb0a3a8df23197d52cd24287e39eaf95d6 https://git.kernel.org/stable/c/ff70e6ff6fc2413caf33410af7462d1f584d927e https://git.kernel.org/stable/c/caa2565a2e13899be31f7b1e069e6465d3e2adb0 https://git.kernel.org/stable/c/d855ceb6a5fde668c5431156bc60fae0c •