CVE-2024-26888 – Bluetooth: msft: Fix memory leak
https://notcve.org/view.php?id=CVE-2024-26888
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: msft: Fix memory leak Fix leaking buffer allocated to send MSFT_OP_LE_MONITOR_ADVERTISEMENT. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: msft: Reparar pérdida de memoria Reparar pérdida de búfer asignado para enviar MSFT_OP_LE_MONITOR_ADVERTISEMENT. • https://git.kernel.org/stable/c/9e14606d8f38ea52a38c27692a9c1513c987a5da https://git.kernel.org/stable/c/f9965f7f38c90449a5fb26edb8a7d22b1dcf0283 https://git.kernel.org/stable/c/80fe27811c56ecd3896c3d511ab8298146071d98 https://git.kernel.org/stable/c/98e9920c75e0790bff947a00d192d24bf1c724e0 https://git.kernel.org/stable/c/5987b9f7d9314c7411136005b3a52f61a8cc0911 https://git.kernel.org/stable/c/5cb93417c93716a5404f762f331f5de3653fd952 https://git.kernel.org/stable/c/a6e06258f4c31eba0fcd503e19828b5f8fe7b08b •
CVE-2024-26886 – Bluetooth: af_bluetooth: Fix deadlock
https://notcve.org/view.php?id=CVE-2024-26886
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: <TASK> __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? • https://git.kernel.org/stable/c/37f71e2c9f515834841826f4eb68ec33cfb2a1ff https://git.kernel.org/stable/c/1d576c3a5af850bf11fbd103f9ba11aa6d6061fb https://git.kernel.org/stable/c/2e07e8348ea454615e268222ae3fc240421be768 https://git.kernel.org/stable/c/db1b14eec8c61a20374de9f9c2ddc6c9406a8c42 https://git.kernel.org/stable/c/2b16d960c79abc397f102c3d23d30005b68cb036 https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e2 • CWE-833: Deadlock •
CVE-2024-26885 – bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
https://notcve.org/view.php?id=CVE-2024-26885
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: corrige la verificación de desbordamiento de DEVMAP_HASH en arcos de 32 bits. • https://git.kernel.org/stable/c/6f9d451ab1a33728adb72d7ff66a7b374d665176 https://git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb https://git.kernel.org/stable/c/4b81a9f92b3676cb74b907a7a209b3d15bd9a7f9 https://git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3 https://git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737 https://git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691 https://git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9fe88d7c https://git.kernel.org/stable/c/e89386f62ce9a9ab9a94835a9890883c2 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2024-26884 – bpf: Fix hashtab overflow check on 32-bit arches
https://notcve.org/view.php?id=CVE-2024-26884
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix hashtab overflow check on 32-bit arches The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige la comprobación de desbordamiento de hashtab en arcos de 32 bits. • https://git.kernel.org/stable/c/daaf427c6ab392bedcd018e326b2ffa1e1110cd6 https://git.kernel.org/stable/c/33ec04cadb77605b71d9298311919303d390c4d5 https://git.kernel.org/stable/c/92c81fbb3ed2e0dfc33a4183a67135e1ab566ace https://git.kernel.org/stable/c/64f00b4df0597590b199b62a37a165473bf658a6 https://git.kernel.org/stable/c/3b08cfc65f07b1132c1979d73f014ae6e04de55d https://git.kernel.org/stable/c/a83fdaeaea3677b83a53f72ace2d73a19bcd6d93 https://git.kernel.org/stable/c/8435f0961bf3dc65e204094349bd9aeaac1f8868 https://git.kernel.org/stable/c/d817f0d34d927f2deb17dadbfe212c9a6 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2024-26883 – bpf: Fix stackmap overflow check on 32-bit arches
https://notcve.org/view.php?id=CVE-2024-26883
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check on 32-bit arches The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: corrige la verificación de desbordamiento del mapa de pila en arcos de 32 bits. • https://git.kernel.org/stable/c/063c722dd9d285d877e6fd499e753d6224f4c046 https://git.kernel.org/stable/c/7e3a6b820535eb395784060ae26c5af579528fa0 https://git.kernel.org/stable/c/8032bf2af9ce26b3a362b9711d15f626ab946a74 https://git.kernel.org/stable/c/6183f4d3a0a2ad230511987c6c362ca43ec0055f https://git.kernel.org/stable/c/253150830a012adfccf90afcebae8fda5b05a80f https://git.kernel.org/stable/c/766107351731ae223ebf60ca22bdfeb47ce6acc8 https://git.kernel.org/stable/c/d0e214acc59145ce25113f617311aa79dda39cb3 https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b2423 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •