CVE-2024-26752 – l2tp: pass correct message length to ip6_append_data
https://notcve.org/view.php?id=CVE-2024-26752
In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: l2tp: pasa la longitud correcta del mensaje a ip6_append_data l2tp_ip6_sendmsg necesita evitar tener en cuenta el encabezado de transporte dos veces al unir más datos en un skbuff ya parcialmente ocupado. Para gestionar esto, verificamos si skbuff contiene datos usando skb_queue_empty al decidir cuántos datos agregar usando ip6_append_data. Sin embargo, el código que realizó el cálculo era incorrecto: ulen = len + skb_queue_empty(&sk->sk_write_queue)? • https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59 https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6 https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070 https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844 https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0 •
CVE-2024-26751 – ARM: ep93xx: Add terminator to gpiod_lookup_table
https://notcve.org/view.php?id=CVE-2024-26751
In the Linux kernel, the following vulnerability has been resolved: ARM: ep93xx: Add terminator to gpiod_lookup_table Without the terminator, if a con_id is passed to gpio_find() that does not exist in the lookup table the function will not stop looping correctly, and eventually cause an oops. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ARM: ep93xx: Agregar terminador a gpiod_lookup_table Sin el terminador, si se pasa un con_id a gpio_find() que no existe en la tabla de búsqueda, la función no dejará de repetirse correctamente y eventualmente causará un oops • https://git.kernel.org/stable/c/b2e63555592f81331c8da3afaa607d8cf83e8138 https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482 https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48 https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8 https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997 https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e •
CVE-2024-26749 – usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
https://notcve.org/view.php?id=CVE-2024-26749
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() ... cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->list); ... 'priv_req' actually free at cdns3_gadget_ep_free_request(). But list_del_init() use priv_req->list after it. [ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4 [ 1542.642868][ T534] [ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3): [ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4 [ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3] [ 1542.671571][ T534] usb_ep_disable+0x44/0xe4 [ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8 [ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368 [ 1542.685478][ T534] ffs_func_disable+0x18/0x28 Move list_del_init() before cdns3_gadget_ep_free_request() to resolve this problem. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: usb: cdns3: uso de memoria fijo después de liberar en cdns3_gadget_ep_disable() ... cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->lista); ... 'priv_req' en realidad es gratuito en cdns3_gadget_ep_free_request(). Pero list_del_init() usa priv_req->list después. [ 1542.642868][ T534] ERROR: KFENCE: lectura de uso después de liberación en __list_del_entry_valid+0x10/0xd4 [ 1542.642868][ T534] [ 1542.653162][ T534] Lectura de uso después de liberación en 0x000000009ed0ba99 (en kfence-#3 ): [ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4 [ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3] [ 1542.671571][ T534] usb_ep_disable+0x44/0x e4 [ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8 [ 1542.680839] [ T534] ffs_func_set_alt+0x74/0x368 [ 1542.685478][ T534] ffs_func_disable+0x18/0x28 Mueva list_del_init() antes de cdns3_gadget_ep_free_request() para resolver este problema. • https://git.kernel.org/stable/c/7733f6c32e36ff9d7adadf40001039bf219b1cbe https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824 https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643 https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3 https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9 https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16 https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95c •
CVE-2024-26748 – usb: cdns3: fix memory double free when handle zero packet
https://notcve.org/view.php?id=CVE-2024-26748
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. Needn't call usb_gadget_giveback_request() because it is allocated in this driver. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: cdns3: corrige la memoria doblemente libre cuando se maneja el paquete cero 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, solicitud 832); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (solicitud->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, solicitud); El controlador agrega una solicitud de paquete cero adicional cuando pone en cola un paquete, cuya longitud mod tamaño máximo del paquete es 0. Cuando se complete la transferencia, ejecute la línea 831, usb_gadget_giveback_request() liberará esta solicitud. • https://git.kernel.org/stable/c/7733f6c32e36ff9d7adadf40001039bf219b1cbe https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7 https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48 https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8 https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019 https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3 https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a66 •
CVE-2024-26747 – usb: roles: fix NULL pointer issue when put module's reference
https://notcve.org/view.php?id=CVE-2024-26747
In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer issue when put module's reference In current design, usb role class driver will get usb_role_switch parent's module reference after the user get usb_role_switch device and put the reference after the user put the usb_role_switch device. However, the parent device of usb_role_switch may be removed before the user put the usb_role_switch. If so, then, NULL pointer issue will be met when the user put the parent module's reference. This will save the module pointer in structure of usb_role_switch. Then, we don't need to find module by iterating long relations. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: roles: soluciona el problema del puntero NULL al colocar la referencia del módulo. • https://git.kernel.org/stable/c/5c54fcac9a9de559b444ac63ec3cd82f1d157a0b https://git.kernel.org/stable/c/7b169e33a3bc9040e06988b2bc15e83d2af80358 https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1 https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913 https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734 https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef42136 • CWE-476: NULL Pointer Dereference •