CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50162 – bpf: devmap: provide rxq after redirect
https://notcve.org/view.php?id=CVE-2024-50162
In the Linux kernel, the following vulnerability has been resolved: bpf: devmap: provide rxq after redirect rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* does not have it set. This is particularly bad since accessing ingress_ifindex, e.g. SEC("xdp") int prog(struct xdp_md *pkt) { return bpf_redirect_map(&dev_redirect_map, 0, 0); } SEC("xdp/devmap") int prog_after_redirect(struct xdp_md *pkt) { bpf_printk("ifindex %i", pkt->ingress_ifindex); return XDP_PASS; } depends on access to rxq, so a NULL pointer gets dereferenced: <1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 <1>[ 574.475188] #PF: supervisor read access in kernel mode <1>[ 574.475194] #PF: error_code(0x0000) - not-present page <6>[ 574.475199] PGD 0 P4D 0 <4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI <4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 <4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 <4>[ 574.475231] Workqueue: mld mld_ifc_work <4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c <4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b <4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 <4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 <4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 <4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 <4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 <4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 <4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 <4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 <4>[ 574.475303] PKRU: 55555554 <4>[ 574.475306] Call Trace: <4>[ 574.475313] <IRQ> <4>[ 574.475318] ? __die+0x23/0x70 <4>[ 574.475329] ? page_fault_oops+0x180/0x4c0 <4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490 <4>[ 574.475346] ? • https://git.kernel.org/stable/c/cb261b594b4108668e00f565184c7c221efe0359 https://git.kernel.org/stable/c/fe068afb868660fe683a8391c6c17ecbe2254922 https://git.kernel.org/stable/c/a778fbe087c19f4ece5f5fc14173328f070c3803 https://git.kernel.org/stable/c/49454f09936a9a96edfb047156889879cb4001eb https://git.kernel.org/stable/c/9167d1c274a336e4763eeb3f3f9cb763c55df5aa https://git.kernel.org/stable/c/ca9984c5f0ab3690d98b13937b2485a978c8dd73 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50160 – ALSA: hda/cs8409: Fix possible NULL dereference
https://notcve.org/view.php?id=CVE-2024-50160
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs8409: Fix possible NULL dereference If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then NULL pointer dereference will occur in the next line. Since dolphin_fixups function is a hda_fixup function which is not supposed to return any errors, add simple check before dereference, ignore the fail. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: hda/cs8409: Se corrige una posible desreferencia de NULL. Si snd_hda_gen_add_kctl no puede asignar memoria y devuelve NULL, se producirá una desreferencia de puntero NULL en la siguiente línea. Dado que la función dolphin_fixups es una función hda_fixup que no debería devolver ningún error, se debe agregar una comprobación simple antes de la desreferencia e ignorar el error. Encontrado por Linux Verification Center (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/20e507724113300794f16884e7e7507d9b4dec68 https://git.kernel.org/stable/c/4e19aca8db696b6ba4dd8c73657405e15c695f14 https://git.kernel.org/stable/c/21dc97d5086fdabbe278786bb0a03cbf2e26c793 https://git.kernel.org/stable/c/8971fd61210d75fd2af225621cd2fcc87eb1847c https://git.kernel.org/stable/c/a5dd71a8b849626f42d08a5e73d382f2016fc7bc https://git.kernel.org/stable/c/c9bd4a82b4ed32c6d1c90500a52063e6e341517f •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50156 – drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()
https://notcve.org/view.php?id=CVE-2024-50156
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() If the allocation in msm_disp_state_dump_regs() failed then `block->state` can be NULL. The msm_disp_state_print_regs() function _does_ have code to try to handle it with: if (*reg) dump_addr = *reg; ...but since "dump_addr" is initialized to NULL the above is actually a noop. The code then goes on to dereference `dump_addr`. Make the function print "Registers not stored" when it sees a NULL to solve this. Since we're touching the code, fix msm_disp_state_print_regs() not to pointlessly take a double-pointer and properly mark the pointer as `const`. Patchwork: https://patchwork.freedesktop.org/patch/619657/ En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm: Evitar la desreferenciación NULL en msm_disp_state_print_regs() Si la asignación en msm_disp_state_dump_regs() falla, entonces `block->state` puede ser NULL. La función msm_disp_state_print_regs() _sí_ tiene código para intentar manejarlo con: if (*reg) dump_addr = *reg; ...pero como "dump_addr" se inicializa a NULL, lo anterior es en realidad un noop. • https://git.kernel.org/stable/c/98659487b845c05b6bed85d881713545db674c7c https://git.kernel.org/stable/c/42cf045086feae77b212f0f66e742b91a5b566b7 https://git.kernel.org/stable/c/e8e9f2a12a6214080c8ea83220a596f6e1dedc6c https://git.kernel.org/stable/c/f7ad916273483748582d97cfa31054ccb19224f3 https://git.kernel.org/stable/c/563aa81fd66a4e7e6e551a0e02bcc23957cafe2f https://git.kernel.org/stable/c/293f53263266bc4340d777268ab4328a97f041fa •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50155 – netdevsim: use cond_resched() in nsim_dev_trap_report_work()
https://notcve.org/view.php?id=CVE-2024-50155
In the Linux kernel, the following vulnerability has been resolved: netdevsim: use cond_resched() in nsim_dev_trap_report_work() I am still seeing many syzbot reports hinting that syzbot might fool nsim_dev_trap_report_work() with hundreds of ports [1] Lets use cond_resched(), and system_unbound_wq instead of implicit system_wq. [1] INFO: task syz-executor:20633 blocked for more than 143 seconds. Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:25856 pid:20633 tgid:20633 ppid:1 flags:0x00004006 ... NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events nsim_dev_trap_report_work RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210 Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0 RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246 RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00 RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577 R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000 R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 spin_unlock_bh include/linux/spinlock.h:396 [inline] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline] nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netdevsim: use cond_resched() en nsim_dev_trap_report_work() Todavía veo muchos informes de syzbot que insinúan que syzbot podría engañar a nsim_dev_trap_report_work() con cientos de puertos [1] Usemos cond_resched() y system_unbound_wq en lugar de system_wq implícito. [1] INFORMACIÓN: tarea syz-executor:20633 bloqueada durante más de 143 segundos. No contaminada 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" deshabilita este mensaje. tarea:syz-executor estado:D pila:25856 pid:20633 tgid:20633 ppid:1 indicadores:0x00004006 ... Seguimiento NMI para CPU 1 CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 No contaminado 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Cola de trabajo: eventos nsim_dev_trap_report_work RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210 Código: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0 RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246 RAX: 00000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00 RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577 R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000 R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Seguimiento de llamadas: __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 spin_unlock_bh include/linux/spinlock.h:396 [en línea] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [en línea] nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850 process_one_work kernel/workqueue.c:3229 [en línea] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 subproceso de trabajo+0x870/0xd30 kernel/workqueue.c:3391 subproceso de trabajo+0x2f0/0x390 kernel/kthread.c:389 ret_de_la_bifurcación+0x4b/0x80 arch/x86/kernel/process.c:147 ret_de_la_bifurcación_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 • https://git.kernel.org/stable/c/0193e0660cc6689c794794b471492923cfd7bfbc https://git.kernel.org/stable/c/6eecddd9c3c8d6e3a097531cdc6d500335b35e46 https://git.kernel.org/stable/c/ba5e1272142d051dcc57ca1d3225ad8a089f9858 https://git.kernel.org/stable/c/d91964cdada76740811b7c621239f9c407820dbc https://git.kernel.org/stable/c/24973f4b64f93232a48fe78029385de762a2418d https://git.kernel.org/stable/c/681ce79ab6fba2f8d1c5ea60239f0086baebd0d3 https://git.kernel.org/stable/c/32f054f93937b548c61b3bf57d8f4aefc50f3b16 https://git.kernel.org/stable/c/a1494d532e28598bde7a5544892ef9c7d •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50154 – tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
https://notcve.org/view.php?id=CVE-2024-50154
In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp/dccp: No use timer_pending() en reqsk_queue_unlink(). Martin KaFai Lau informó de un use-after-free [0] en reqsk_timer_handler(). """ Estamos viendo un use-after-free de un programa bpf adjunto a trace_tcp_retransmit_synack. El programa pasa el req->sk al ayudante del kernel bpf_sk_storage_get_tracing que comprueba si hay valores nulos antes de usarlo. """ El commit 83fccfc3940c ("inet: soluciona un posible bloqueo en reqsk_queue_unlink()") agregó timer_pending() en reqsk_queue_unlink() para no llamar a del_timer_sync() desde reqsk_timer_handler(), pero introdujo una pequeña ventana de carrera. Antes de que se llame al temporizador, expire_timers() llama a detach_timer(timer, true) para borrar timer->entry.pprev y lo marca como no pendiente. • https://git.kernel.org/stable/c/83fccfc3940c4a2db90fd7e7079f5b465cd8c6af https://git.kernel.org/stable/c/d3a1196bfc462943694623412d8e03aaf172bdc1 https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17 https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1 https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3 https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f •