CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-41090 – tap: add missing verification for short frame
https://notcve.org/view.php?id=CVE-2024-41090
In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 A denial of service (DoS) attack was found in the mlx5 driver in the Linux kernel. A KVM guest VM using virtio-net can crash the host by sending a short packet, for example, size < ETH_HLEN. The packet may traverse through vhost-net, macvtap, and vlan without any validation or drop. • https://git.kernel.org/stable/c/0efac27791ee068075d80f07c55a229b1335ce12 https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6 https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46 https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078c • CWE-20: Improper Input Validation •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-41012 – filelock: Remove locks reliably when fcntl/close race is detected
https://notcve.org/view.php?id=CVE-2024-41012
In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: filelock: Elimina bloqueos de manera confiable cuando se detecta fcntl/close race Cuando fcntl_setlk() corre con close(), elimina el bloqueo creado con do_lock_file_wait(). Sin embargo, los LSM pueden permitir el primer do_lock_file_wait() que creó el bloqueo y al mismo tiempo negar el segundo do_lock_file_wait() que intenta eliminar el bloqueo. Por separado, posix_lock_file() también podría no eliminar un bloqueo debido a un fallo en la asignación de GFP_KERNEL (al dividir un rango por la mitad). • https://git.kernel.org/stable/c/c293621bbf678a3d85e3ed721c3921c8a670610d https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250 https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235 https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240 https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22 https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3 https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763 https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48865 – tipc: fix kernel panic when enabling bearer
https://notcve.org/view.php?id=CVE-2022-48865
In the Linux kernel, the following vulnerability has been resolved: tipc: fix kernel panic when enabling bearer When enabling a bearer on a node, a kernel panic is observed: [ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc] ... [ 4.520030] Call Trace: [ 4.520689] <IRQ> [ 4.521236] tipc_link_build_proto_msg+0x375/0x750 [tipc] [ 4.522654] tipc_link_build_state_msg+0x48/0xc0 [tipc] [ 4.524034] __tipc_node_link_up+0xd7/0x290 [tipc] [ 4.525292] tipc_rcv+0x5da/0x730 [tipc] [ 4.526346] ? __netif_receive_skb_core+0xb7/0xfc0 [ 4.527601] tipc_l2_rcv_msg+0x5e/0x90 [tipc] [ 4.528737] __netif_receive_skb_list_core+0x20b/0x260 [ 4.530068] netif_receive_skb_list_internal+0x1bf/0x2e0 [ 4.531450] ? dev_gro_receive+0x4c2/0x680 [ 4.532512] napi_complete_done+0x6f/0x180 [ 4.533570] virtnet_poll+0x29c/0x42e [virtio_net] ... The node in question is receiving activate messages in another thread after changing bearer status to allow message sending/ receiving in current thread: thread 1 | thread 2 -------- | -------- | tipc_enable_bearer() | test_and_set_bit_lock() | tipc_bearer_xmit_skb() | | tipc_l2_rcv_msg() | tipc_rcv() | __tipc_node_link_up() | tipc_link_build_state_msg() | tipc_link_build_proto_msg() | tipc_mon_prep() | { | ... | // null-pointer dereference | u16 gen = mon->dom_gen; | ... | } // Not being executed yet | tipc_mon_create() | { | ... | // allocate | mon = kzalloc(); | ... | } | Monitoring pointer in thread 2 is dereferenced before monitoring data is allocated in thread 1. • https://git.kernel.org/stable/c/35c55c9877f8de0ab129fa1a309271d0ecc868b9 https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5 https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71 https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94 https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48863 – mISDN: Fix memory leak in dsp_pipeline_build()
https://notcve.org/view.php?id=CVE-2022-48863
In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mISDN: corrige la pérdida de memoria en dsp_pipeline_build() dsp_pipeline_build() asigna el puntero dup mediante kstrdup(cfg), pero luego actualiza la variable dup mediante strsep(&dup, "|"). Como resultado, cuando llama a kfree(dup), la variable dup contiene NULL. Encontrado por el proyecto de verificación de controladores de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/960366cf8dbb3359afaca30cf7fdbf69a6d6dda7 https://git.kernel.org/stable/c/a3d5fcc6cf2ecbba5a269631092570aa285a24cb https://git.kernel.org/stable/c/7777b1f795af1bb43867375d8a776080111aae1b https://git.kernel.org/stable/c/640445d6fc059d4514ffea79eb4196299e0e2d0f https://git.kernel.org/stable/c/c6a502c2299941c8326d029cfc8a3bc8a4607ad5 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48860 – ethernet: Fix error handling in xemaclite_of_probe
https://notcve.org/view.php?id=CVE-2022-48860
In the Linux kernel, the following vulnerability has been resolved: ethernet: Fix error handling in xemaclite_of_probe This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. As the remove function do. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ethernet: corrige el manejo de errores en xemaclite_of_probe Este puntero de nodo lo devuelve of_parse_phandle() con refcount incrementado en esta función. Llamar a of_node_put() para evitar la fuga de recuento. • https://git.kernel.org/stable/c/5cdaaa12866e916d0ada8b56c5f0e543cfc7fe3d https://git.kernel.org/stable/c/669172ce976608b25a2f76f3c65d47f042d125c9 https://git.kernel.org/stable/c/b7220f8e9d6c6b9594ddfb3125dad938cd478b1f https://git.kernel.org/stable/c/8609e29611befc4bfbe7a91bb50fc65ae72ff549 https://git.kernel.org/stable/c/8ee065a7a9b6a3976c16340503677efc4d8351f6 https://git.kernel.org/stable/c/979b418b96e35f07136f77962ccfaa54cf3e30e1 https://git.kernel.org/stable/c/5e7c402892e189a7bc152b125e72261154aa585d https://git.kernel.org/stable/c/1852854ee349881efb78ccdbbb2378389 • CWE-401: Missing Release of Memory after Effective Lifetime •