CVE-2023-52576 – x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()
https://notcve.org/view.php?id=CVE-2023-52576
In the Linux kernel, the following vulnerability has been resolved: x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer() The code calling ima_free_kexec_buffer() runs long after the memblock allocator has already been torn down, potentially resulting in a use after free in memblock_isolate_range(). With KASAN or KFENCE, this use after free will result in a BUG from the idle task, and a subsequent kernel panic. Switch ima_free_kexec_buffer() over to memblock_free_late() to avoid that bug. • https://git.kernel.org/stable/c/fee3ff99bc67604fba77f19da0106f3ec52b1956 https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204 https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b •
CVE-2023-52574 – team: fix null-ptr-deref when team device type is changed
https://notcve.org/view.php?id=CVE-2023-52574
In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? • https://git.kernel.org/stable/c/1d76efe1577b4323609b1bcbfafa8b731eda071a https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468 • CWE-476: NULL Pointer Dereference •
CVE-2023-52573 – net: rds: Fix possible NULL-pointer dereference
https://notcve.org/view.php?id=CVE-2023-52573
In the Linux kernel, the following vulnerability has been resolved: net: rds: Fix possible NULL-pointer dereference In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists before dereferencing it as rdma_set_service_type() argument Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/fd261ce6a30e01ad67c416e2c67e263024b3a6f9 https://git.kernel.org/stable/c/812da2a08dc5cc75fb71e29083ea20904510ac7a https://git.kernel.org/stable/c/f515112e833791001aaa8ab886af3ca78503617f https://git.kernel.org/stable/c/ea82139e6e3561100d38d14401d57c0ea93fc07e https://git.kernel.org/stable/c/51fa66024a5eabf270164f2dc82a48ffb35a12e9 https://git.kernel.org/stable/c/069ac51c37a6f07a51f7134d8c34289075786a35 https://git.kernel.org/stable/c/f1d95df0f31048f1c59092648997686e3f7d9478 •
CVE-2023-52572 – cifs: Fix UAF in cifs_demultiplex_thread()
https://notcve.org/view.php?id=CVE-2023-52572
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix UAF in cifs_demultiplex_thread() There is a UAF when xfstests on cifs: BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160 Read of size 4 at addr ffff88810103fc08 by task cifsd/923 CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45 ... Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130 kasan_check_range+0x145/0x1a0 smb2_is_network_name_deleted+0x27/0x160 cifs_demultiplex_thread.cold+0x172/0x5a4 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 </TASK> Allocated by task 923: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x54/0x60 kmem_cache_alloc+0x147/0x320 mempool_alloc+0xe1/0x260 cifs_small_buf_get+0x24/0x60 allocate_buffers+0xa1/0x1c0 cifs_demultiplex_thread+0x199/0x10d0 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 Freed by task 921: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x143/0x1b0 kmem_cache_free+0xe3/0x4d0 cifs_small_buf_release+0x29/0x90 SMB2_negotiate+0x8b7/0x1c60 smb2_negotiate+0x51/0x70 cifs_negotiate_protocol+0xf0/0x160 cifs_get_smb_ses+0x5fa/0x13c0 mount_get_conns+0x7a/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The UAF is because: mount(pid: 921) | cifsd(pid: 923) -------------------------------|------------------------------- | cifs_demultiplex_thread SMB2_negotiate | cifs_send_recv | compound_send_recv | smb_send_rqst | wait_for_response | wait_event_state [1] | | standard_receive3 | cifs_handle_standard | handle_mid | mid->resp_buf = buf; [2] | dequeue_mid [3] KILL the process [4] | resp_iov[i].iov_base = buf | free_rsp_buf [5] | | is_network_name_deleted [6] | callback 1. After send request to server, wait the response until mid->mid_state != SUBMITTED; 2. Receive response from server, and set it to mid; 3. Set the mid state to RECEIVED; 4. • https://git.kernel.org/stable/c/ec637e3ffb6b978143652477c7c5f96c9519b691 https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3 https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f •
CVE-2023-52569 – btrfs: remove BUG() after failure to insert delayed dir index item
https://notcve.org/view.php?id=CVE-2023-52569
In the Linux kernel, the following vulnerability has been resolved: btrfs: remove BUG() after failure to insert delayed dir index item Instead of calling BUG() when we fail to insert a delayed dir index item into the delayed node's tree, we can just release all the resources we have allocated/acquired before and return the error to the caller. This is fine because all existing call chains undo anything they have done before calling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending snapshots in the transaction commit path). So remove the BUG() call and do proper error handling. This relates to a syzbot report linked below, but does not fix it because it only prevents hitting a BUG(), it does not fix the issue where somehow we attempt to use twice the same index number for different index items. • https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51 https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9 •