CVE-2024-26610 – wifi: iwlwifi: fix a memory corruption
https://notcve.org/view.php?id=CVE-2024-26610
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in bytes, we'll write past the buffer. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: wifi: iwlwifi: corrige una corrupción de memoria iwl_fw_ini_trigger_tlv::data es un puntero a un __le32, lo que significa que si copiamos a iwl_fw_ini_trigger_tlv::data + offset mientras el offset está en bytes, escribiremos más allá del búfer. A memory corruption flaw was found in the Linux kernel Intel Wireless WiFi Next Gen AGN module. This issue could allow a local user to crash the system. • https://git.kernel.org/stable/c/cf29c5b66b9f83939367d90679eb68cdfa2f0356 https://git.kernel.org/stable/c/05dd9facfb9a1e056752c0901c6e86416037d15a https://git.kernel.org/stable/c/99a23462fe1a6f709f0fda3ebbe8b6b193ac75bd https://git.kernel.org/stable/c/aa2cc9363926991ba74411e3aa0a0ea82c1ffe32 https://git.kernel.org/stable/c/870171899d75d43e3d14360f3a4850e90a9c289b https://git.kernel.org/stable/c/f32a81999d0b8e5ce60afb5f6a3dd7241c17dd67 https://git.kernel.org/stable/c/cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d https://lists.debian.org/debian-lts-announce/2024/06/ • CWE-680: Integer Overflow to Buffer Overflow •
CVE-2024-26608 – ksmbd: fix global oob in ksmbd_nl_policy
https://notcve.org/view.php?id=CVE-2024-26608
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl_policy. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810 CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 __nlmsg_parse include/net/netlink.h:748 [inline] genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdd66a8f359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003 RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: ksmbd_nl_policy+0x100/0xa80 The buggy address belongs to the physical page: page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9 ^ ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9 ================================================================== To fix it, add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do. Also change two sites that refer the KSMBD_EVENT_MAX to correct value. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige el oob global en ksmbd_nl_policy Similar a un problema reportado (verifique el commit b33fb5b801c6 ("net: qualcomm: rmnet: corrige el oob global en rmnet_policy"), mi fuzzer local encuentra otra Lectura global fuera de los límites para la política ksmbd_nl_policy. Consulte el seguimiento del error a continuación: ==================================== ================================ ERROR: KASAN: global fuera de los límites en validar_nla lib/nlattr.c :386 [en línea] ERROR: KASAN: global fuera de los límites en __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Lectura de tamaño 1 en addr ffffffff8f24b100 por tarea syz-executor.1/62810 CPU: 0 PID: 62810 Comm: syz-executor.1 Contaminado: GN 6.1.0 #3 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 01/04/2014 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [en línea] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report +0xbb/0x1c0 mm/kasan/report.c:495 validar_nla lib/nlattr.c:386 [en línea] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 __nlmsg_parse incluir /net/netlink.h:748 [en línea] genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734 genl_family_rcv_msg net/netlink/genetlink. c:833 [en línea] genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net /netlink/af_netlink.c:1319 [en línea] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [en línea] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket. c:2565 do_syscall_x64 arco /x86/entry/common.c:50 [en línea] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdd66a8f359 Código: 28 00 00 00 75 05 48 8 3 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff f ff f7 d8 64 89 01 48 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8 f359 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003 RBP: 00007fdd66ada493 R08: 00000000000000000 R09: 00000000000000000 R 10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000 La dirección del error pertenece a la variable: ksmbd_nl_policy+0x 100/0xa80 La dirección del error pertenece a la página física: página:0000000034f47940 refcount:1 mapcount:0 mapeo: 0000000000000000 índice: 0x0 pfn: 0x1ccc4b banderas: 0x200000000001000 (reservado | nodo = 0 | zona = 2) sin formato: 02000000000001000 ffffea00073312c8 ffffea00073312c8 000000000 0000000 raw: 0000000000000000 00000000000000000 00000001ffffffff 0000000000000000 página volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la dirección con errores: ffffffff8f24b000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff8f24b100 : f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9 ^ ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9 ======== = ==================================================== ======= Para solucionarlo, agregue un marcador de posición llamado __KSMBD_EVENT_MAX y truncado • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf https://git.kernel.org/stable/c/aaa1f1a2ee80888c12ae2783f3a0be10e14067c5 https://git.kernel.org/stable/c/2c939c74ef0b74e99b92e32edc2a59f9b9ca3d5a https://git.kernel.org/stable/c/9863a53100f47652755545c2bd43e14a1855104d https://git.kernel.org/stable/c/6993328a4cd62a24df254b587c0796a4a1eecc95 https://git.kernel.org/stable/c/ebeae8adf89d9a82359f6659b1663d09beec2faa •
CVE-2023-52498 – PM: sleep: Fix possible deadlocks in core system-wide PM code
https://notcve.org/view.php?id=CVE-2023-52498
In the Linux kernel, the following vulnerability has been resolved: PM: sleep: Fix possible deadlocks in core system-wide PM code It is reported that in low-memory situations the system-wide resume core code deadlocks, because async_schedule_dev() executes its argument function synchronously if it cannot allocate memory (and not only in that case) and that function attempts to acquire a mutex that is already held. Executing the argument function synchronously from within dpm_async_fn() may also be problematic for ordering reasons (it may cause a consumer device's resume callback to be invoked before a requisite supplier device's one, for example). Address this by changing the code in question to use async_schedule_dev_nocall() for scheduling the asynchronous execution of device suspend and resume functions and to directly run them synchronously if async_schedule_dev_nocall() returns false. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PM: suspensión: soluciona posibles bloqueos en el código PM de todo el sistema central. Se informa que en situaciones de poca memoria, el código central de reanudación de todo el sistema se bloquea porque async_schedule_dev() ejecuta su el argumento funciona sincrónicamente si no puede asignar memoria (y no solo en ese caso) y esa función intenta adquirir un mutex que ya está retenido. La ejecución de la función de argumento sincrónicamente desde dpm_async_fn() también puede ser problemática por razones de pedido (puede causar que la devolución de llamada de currículum de un dispositivo consumidor se invoque antes que la de un dispositivo proveedor requerido, por ejemplo). • https://git.kernel.org/stable/c/f46eb832389f162ad13cb780d0b8cde93641990d https://git.kernel.org/stable/c/a1d62c775b07213c73f81ae842424c74dd14b5f0 https://git.kernel.org/stable/c/e1c9d32c98309ae764893a481552d3f99d46cb34 https://git.kernel.org/stable/c/e681e29d1f59a04ef773296e4bebb17b1b79f8fe https://git.kernel.org/stable/c/9bd3dce27b01c51295b60e1433e1dadfb16649f7 https://git.kernel.org/stable/c/7839d0078e0d5e6cc2fa0b0dfbee71de74f1e557 https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html •
CVE-2023-52497 – erofs: fix lz4 inplace decompression
https://notcve.org/view.php?id=CVE-2023-52497
In the Linux kernel, the following vulnerability has been resolved: erofs: fix lz4 inplace decompression Currently EROFS can map another compressed buffer for inplace decompression, that was used to handle the cases that some pages of compressed data are actually not in-place I/O. However, like most simple LZ77 algorithms, LZ4 expects the compressed data is arranged at the end of the decompressed buffer and it explicitly uses memmove() to handle overlapping: __________________________________________________________ |_ direction of decompression --> ____ |_ compressed data _| Although EROFS arranges compressed data like this, it typically maps two individual virtual buffers so the relative order is uncertain. Previously, it was hardly observed since LZ4 only uses memmove() for short overlapped literals and x86/arm64 memmove implementations seem to completely cover it up and they don't have this issue. Juhyung reported that EROFS data corruption can be found on a new Intel x86 processor. After some analysis, it seems that recent x86 processors with the new FSRM feature expose this issue with "rep movsb". Let's strictly use the decompressed buffer for lz4 inplace decompression for now. Later, as an useful improvement, we could try to tie up these two buffers together in the correct order. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: erofs: corrige la descompresión in situ de lz4 Actualmente, EROFS puede asignar otro búfer comprimido para la descompresión in situ, que se utilizó para manejar los casos en que algunas páginas de datos comprimidos en realidad no están in situ I/ o. Sin embargo, como la mayoría de los algoritmos LZ77 simples, LZ4 espera que los datos comprimidos estén organizados al final del buffer descomprimido y usa explícitamente memmove() para manejar la superposición: ________________________________________________________ |_ dirección de descompresión --> ____ |_ datos comprimidos _| Aunque EROFS organiza los datos comprimidos de esta manera, normalmente asigna dos buffers virtuales individuales, por lo que el orden relativo es incierto. • https://git.kernel.org/stable/c/0ffd71bcc3a03ebb3551661a36052488369c4de9 https://git.kernel.org/stable/c/a0180e940cf1aefa7d516e20b259ad34f7a8b379 https://git.kernel.org/stable/c/77cbc04a1a8610e303a0e0d74f2676667876a184 https://git.kernel.org/stable/c/33bf23c9940dbd3a22aad7f0cda4c84ed5701847 https://git.kernel.org/stable/c/f36d200a80a3ca025532ed60dd1ac21b620e14ae https://git.kernel.org/stable/c/bffc4cc334c5bb31ded54bc3cfd651735a3cb79e https://git.kernel.org/stable/c/3c12466b6b7bf1e56f9b32c366a3d83d87afb4de https://lists.debian.org/debian-lts-announce/2024/06/ •
CVE-2023-52495 – soc: qcom: pmic_glink_altmode: fix port sanity check
https://notcve.org/view.php?id=CVE-2023-52495
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix port sanity check The PMIC GLINK altmode driver currently supports at most two ports. Fix the incomplete port sanity check on notifications to avoid accessing and corrupting memory beyond the port array if we ever get a notification for an unsupported port. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soc: qcom: pmic_glink_altmode: corregir la comprobación de la integridad del puerto el controlador PMIC GLINK altmode actualmente admite como máximo dos puertos. Se corrige la verificación incompleta de la integridad del puerto en las notificaciones para evitar acceder y dañar la memoria más allá del conjunto de puertos si alguna vez recibimos una notificación de un puerto no compatible. • https://git.kernel.org/stable/c/080b4e24852b1d5b66929f69344e6c3eeb963941 https://git.kernel.org/stable/c/532a5557da6892a6b2d5793052e1bce1f4c9e177 https://git.kernel.org/stable/c/d26edf4ee3672cc9828f2a3ffae34086a712574d https://git.kernel.org/stable/c/c4fb7d2eac9ff9bfc35a2e4d40c7169a332416e0 •