CVE-2024-26601 – ext4: regenerate buddy after block freeing failed if under fc replay
https://notcve.org/view.php?id=CVE-2024-26601
In the Linux kernel, the following vulnerability has been resolved: ext4: regenerate buddy after block freeing failed if under fc replay This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on code in mb_free_blocks(), fast commit replay can end up marking as free blocks that are already marked as such. This causes corruption of the buddy bitmap so we need to regenerate it in that case. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: regenerar amigo después de que falló la liberación del bloque si se encuentra en reproducción fc. Esto revierte principalmente el commit 6bd97bf273bd ("ext4: eliminar mb_regenerate_buddy() redundante") y reintroduce mb_regenerate_buddy(). • https://git.kernel.org/stable/c/0983142c5f17a62055ec851372273c3bc77e4788 https://git.kernel.org/stable/c/6bd97bf273bdb4944904e57480f6545bca48ad77 https://git.kernel.org/stable/c/94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a https://git.kernel.org/stable/c/c1317822e2de80e78f137d3a2d99febab1b80326 https://git.kernel.org/stable/c/78327acd4cdc4a1601af718b781eece577b6b7d4 https://git.kernel.org/stable/c/ea42d6cffb0dd27a417f410b9d0011e9859328cb https://git.kernel.org/stable/c/6b0d48647935e4b8c7b75d1eccb9043fcd4ee581 https://git.kernel.org/stable/c/c9b528c35795b711331ed36dc3dbee90d • CWE-118: Incorrect Access of Indexable Resource ('Range Error') •
CVE-2024-26600 – phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
https://notcve.org/view.php?id=CVE-2024-26600
In the Linux kernel, the following vulnerability has been resolved: phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP If the external phy working together with phy-omap-usb2 does not implement send_srp(), we may still attempt to call it. This can happen on an idle Ethernet gadget triggering a wakeup for example: configfs-gadget.g1 gadget.0: ECM Suspend configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup ... Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute ... PC is at 0x0 LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc] ... musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core] usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether] eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4 sch_direct_xmit from __dev_queue_xmit+0x334/0xd88 __dev_queue_xmit from arp_solicit+0xf0/0x268 arp_solicit from neigh_probe+0x54/0x7c neigh_probe from __neigh_event_send+0x22c/0x47c __neigh_event_send from neigh_resolve_output+0x14c/0x1c0 neigh_resolve_output from ip_finish_output2+0x1c8/0x628 ip_finish_output2 from ip_send_skb+0x40/0xd8 ip_send_skb from udp_send_skb+0x124/0x340 udp_send_skb from udp_sendmsg+0x780/0x984 udp_sendmsg from __sys_sendto+0xd8/0x158 __sys_sendto from ret_fast_syscall+0x0/0x58 Let's fix the issue by checking for send_srp() and set_vbus() before calling them. For USB peripheral only cases these both could be NULL. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: phy: ti: phy-omap-usb2: corrige la desreferencia del puntero NULL para SRP. • https://git.kernel.org/stable/c/657b306a7bdfca4ae1514b533a0e7c3c6d26dbc6 https://git.kernel.org/stable/c/486218c11e8d1c8f515a3bdd70d62203609d4b6b https://git.kernel.org/stable/c/8398d8d735ee93a04fb9e9f490e8cacd737e3bf5 https://git.kernel.org/stable/c/be3b82e4871ba00e9b5d0ede92d396d579d7b3b3 https://git.kernel.org/stable/c/8cc889b9dea0579726be9520fcc766077890b462 https://git.kernel.org/stable/c/0430bfcd46657d9116a26cd377f112cbc40826a4 https://git.kernel.org/stable/c/14ef61594a5a286ae0d493b8acbf9eac46fd04c4 https://git.kernel.org/stable/c/396e17af6761b3cc9e6e4ca94b4de7f64 • CWE-476: NULL Pointer Dereference •
CVE-2024-26599 – pwm: Fix out-of-bounds access in of_pwm_single_xlate()
https://notcve.org/view.php?id=CVE-2024-26599
In the Linux kernel, the following vulnerability has been resolved: pwm: Fix out-of-bounds access in of_pwm_single_xlate() With args->args_count == 2 args->args[2] is not defined. Actually the flags are contained in args->args[1]. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pwm: corrige el acceso fuera de los límites en of_pwm_single_xlate() Con args->args_count == 2 args->args[2] no está definido. En realidad, las banderas están contenidas en args->args[1]. • https://git.kernel.org/stable/c/3ab7b6ac5d829e60c3b89d415811ff1c9f358c8e https://git.kernel.org/stable/c/7b85554c7c2aee91171e038e4d5442ffa130b282 https://git.kernel.org/stable/c/e5f2b4b62977fb6c2efcbc5779e0c9dce18215f7 https://git.kernel.org/stable/c/bae45b7ebb31984b63b13c3519fd724b3ce92123 https://git.kernel.org/stable/c/a297d07b9a1e4fb8cda25a4a2363a507d294b7c9 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2024-26598 – KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
https://notcve.org/view.php?id=CVE-2024-26598
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: arm64: vgic-its: Evite posibles UAF en la caché de traducción LPI. Existe un escenario potencial de UAF en el caso de que un caché de traducción LPI se acelere con una operación que invalide la caché, como un comando DISCARD ITS. La raíz del problema es que vgic_its_check_cache() no eleva el refcount en vgic_irq antes de eliminar el bloqueo que serializa los cambios de refcount. • https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88 https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703 https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4 https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6 https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1 https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80 https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f https://lists.debian.org/debian-lts-announce/2024/06/ • CWE-416: Use After Free •
CVE-2024-26597 – net: qualcomm: rmnet: fix global oob in rmnet_policy
https://notcve.org/view.php?id=CVE-2024-26597
In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: qualcomm: rmnet: fix global oob in rmnet_policy La variable rmnet_link_ops asigna un maxtype *más grande* que conduce a una lectura global fuera de los límites al analizar los atributos de netlink. Vea el seguimiento del error a continuación: =============================================== ===================== ERROR: KASAN: global-fuera de los límites en validar_nla lib/nlattr.c:386 [en línea] ERROR: KASAN: global- fuera de los límites en __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Lectura de tamaño 1 en addr ffffffff92c438d0 por tarea syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Contaminado: GN 6.1.0 #3 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 01/04/2014 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl +0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [en línea] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c :495 validar_nla lib/nlattr.c:386 [en línea] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [en línea] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/ enlace de red /af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [en línea] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/ socket.c:714 [en línea] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3 /0x1c0 neto /socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [en línea] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Código: 2 8 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ffff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf21 9ff80 RCX: 00007fdcf2072359 RDX: 00000000000000000 RSI: 0000000020000200 RDI: 00000000000000003 RBP: 00007fdcf20bd493 R08: 000000000000000000 R09: 0000000000000000 R10: 00000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R 15: 0000000000022000 La dirección con errores pertenece a la variable: rmnet_policy+0x30/0xe0 La dirección con errores pertenece a la página física: página:0000000065bdeb3c refcount:1 mapcount:0 mapeo:0000000000000000 índice:0x0 pfn:0x155243 banderas: 0x200000000001000(reservado|nodo=0|zona=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 página volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la dirección del error: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c438 80: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 Según según el comentario de `nla_parse_nested_deprecated`, el tipo máximo debe ser len (matriz de destino) - 1. • https://git.kernel.org/stable/c/14452ca3b5ce304fb2fea96dbc9ca1e4e7978551 https://git.kernel.org/stable/c/093dab655808207f7a9f54cf156240aeafc70590 https://git.kernel.org/stable/c/02467ab8b404d80429107588e0f3425cf5fcd2e5 https://git.kernel.org/stable/c/2295c22348faf795e1ccdf618f6eb7afdb2f7447 https://git.kernel.org/stable/c/3b5254862258b595662a0ccca6e9eeb88d6e7468 https://git.kernel.org/stable/c/ee1dc3bf86f2df777038506b139371a9add02534 https://git.kernel.org/stable/c/c4734535034672f59f2652e1e0058c490da62a5c https://git.kernel.org/stable/c/17d06a5c44d8fd2e8e61bac295b091534 • CWE-125: Out-of-bounds Read •