CVE-2021-29657 – KVM nested_svm_vmrun Double Fetch
https://notcve.org/view.php?id=CVE-2021-29657
arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun. El archivo arch/x86/kvm/svm/nested.c en el kernel de Linux versiones anteriores a 5.11.12, presenta un uso de memoria previamente liberada en el que un invitado KVM de AMD puede omitir el control de acceso en los MSR del SO anfitrión cuando se presentan invitados anidados, también se conoce como CID-a58d9166a756. Esto ocurre debido a una condición de carrera TOCTOU asociada con un doble fetch VMCB12 en la función nested_svm_vmrun • http://packetstormsecurity.com/files/163324/KVM-nested_svm_vmrun-Double-Fetch.html https://bugs.chromium.org/p/project-zero/issues/detail?id=2177 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a58d9166a756a0f4a6618e4f593232593d6df134 https://security.netapp.com/advisory/ntap-20210902-0008 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE-416: Use After Free •
CVE-2020-25670
https://notcve.org/view.php?id=CVE-2020-25670
A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. Se encontró una vulnerabilidad en el kernel de Linux donde un filtrado de refcount en la función llcp_sock_bind() causa un uso de la memoria previamente liberada que podría conllevar a una escaladas de privilegios • http://www.openwall.com/lists/oss-security/2020/11/01/1 http://www.openwall.com/lists/oss-security/2021/05/11/4 https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PW3OASG7OEMHANDWBM5US5WKTOC76KMH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTVACC6PGS6OSD3EYY7FZUAZT2EUMFH5 https://li • CWE-416: Use After Free •
CVE-2021-3483
https://notcve.org/view.php?id=CVE-2021-3483
A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected Se encontró una fallo en el controlador Nosy en el kernel de Linux. Este problema permite a un dispositivo ser insertado dos veces en una lista doblemente enlazada, conllevando a un uso de la memoria previamente liberada cuando uno de estos dispositivos es eliminado. • http://www.openwall.com/lists/oss-security/2021/04/07/1 https://bugzilla.redhat.com/show_bug.cgi?id=1948045 https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html https://security.netapp.com/advisory/ntap-20210629-0002 • CWE-416: Use After Free •
CVE-2021-3489 – Linux kernel eBPF RINGBUF map oversized allocation
https://notcve.org/view.php?id=CVE-2021-3489
The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1). La función eBPF RINGBUF bpf_ringbuf_reserve() del kernel de Linux no comprobaba que el tamaño asignado fuera menor que el tamaño del ringbuf, lo que permitía a un atacante realizar escrituras fuera de los límites del kernel y, por tanto, la ejecución de código arbitrario. Este problema se solucionó a través del commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) y se retroalimentó a los kernels estables en versiones v5.12.4, v5.11.21 y v5.10.37. • https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4b81ccebaeee885ab1aa1438133f2991e3a2b6ea https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/10 https://www.zerodayinitiative.com/advisories/ZDI-21-590 https://access.redhat.com/security/cve/CVE-2021-3489 https://bugzilla.redhat.com/show_bug.cgi?id=1959559 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2021-3490 – Linux kernel eBPF bitwise ops ALU32 bounds tracking
https://notcve.org/view.php?id=CVE-2021-3490
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1). El seguimiento de los límites de la ALU32 de eBPF para las operaciones por bits (AND, OR y XOR) en el kernel de Linux no actualizaba correctamente los límites de 32 bits, lo que podía convertirse en lecturas y escrituras fuera de los límites en el kernel de Linux y, por tanto, en la ejecución de código arbitrario. Este problema fue corregido a través del commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) y retrocedido a los kernels estables en v5.12.4, v5.11.21 y v5.10.37. • https://github.com/pivik271/CVE-2021-3490 http://packetstormsecurity.com/files/164015/Linux-eBPF-ALU32-32-bit-Invalid-Bounds-Tracking-Local-Privilege-Escalation.html https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/11 https:/ • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •