Page 9 of 4574 results (0.009 seconds)

CVSS: -EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tun_detach() syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below: ================================================================== BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x461 mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10237 [inline] netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 tun_detach drivers/net/tun.c:704 [inline] tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xb3d/0x2a30 kernel/exit.c:820 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x21b1/0x2440 kernel/signal.c:2858 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that sock_put() from __tun_detach() drops last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net. This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses for the struct net has done. • https://git.kernel.org/stable/c/83c1f36f9880814b24cdf6c2f91f66f61db65326 https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7 https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054 https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12 •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: sctp: fix memory leak in sctp_stream_outq_migrate() When sctp_stream_outq_migrate() is called to release stream out resources, the memory pointed to by prio_head in stream out is not released. The memory leak information is as follows: unreferenced object 0xffff88801fe79f80 (size 64): comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s) hex dump (first 32 bytes): 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................ 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................ backtrace: [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60 [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770 [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0 [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30 [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0 [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0 [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120 [<ffffffff8755446a>] __sys_sendto+0x23a/0x340 [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0 [<ffffffff89978b49>] do_syscall_64+0x39/0xb0 [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd • https://git.kernel.org/stable/c/637784ade221a3c8a7ecd0f583eddd95d6276b9a https://git.kernel.org/stable/c/a7555681e50bdebed2c40ff7404ee73c2e932993 https://git.kernel.org/stable/c/176ee6c673ccd118e9392fd2dbb165423bdb99ca https://git.kernel.org/stable/c/0dfb9a566327182387c90100ea54d8426cee8c67 https://git.kernel.org/stable/c/fa20f88271259d42ebe66f0a8c4c20199e888c99 https://git.kernel.org/stable/c/9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9 •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: afs: Fix server->active leak in afs_put_server The atomic_read was accidentally replaced with atomic_inc_return, which prevents the server from getting cleaned up and causes rmmod to hang with a warning: Can't purge s=00000001 • https://git.kernel.org/stable/c/2757a4dc184997c66ef1de32636f73b9f21aac14 https://git.kernel.org/stable/c/c5078548c29c735f71b05053659c0cb294e738ad https://git.kernel.org/stable/c/ef4d3ea40565a781c25847e9cb96c1bd9f462bc6 •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So call it after using to avoid refcount leak. • https://git.kernel.org/stable/c/14513ee696a0cd12a19318e433b75a786808adc3 https://git.kernel.org/stable/c/bb75a0d1223d43f97089841aecb28a9b4de687a9 https://git.kernel.org/stable/c/0dd1da5a15eeecb2fe4cf131b3216fb455af783c https://git.kernel.org/stable/c/2f74cffc7c85f770b1b1833dccb03b8cde3be102 https://git.kernel.org/stable/c/ea5844f946b1ec5c0b7c115cd7684f34fd48021b https://git.kernel.org/stable/c/c40db1e5f316792b557d2be37e447c20d9ac4635 https://git.kernel.org/stable/c/6e035d5a2a6b907cfce9a80c5f442c2e459cd34e https://git.kernel.org/stable/c/f598da27acbeee414679cacd14294db3e •

CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) Check for null before removing sysfs attrs If coretemp_add_core() gets an error then pdata->core_data[indx] is already NULL and has been kfreed. Don't pass that to sysfs_remove_group() as that will crash in sysfs_remove_group(). [Shortened for readability] [91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' <cpu offline> [91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 [91855.165103] #PF: supervisor read access in kernel mode [91855.194506] #PF: error_code(0x0000) - not-present page [91855.224445] PGD 0 P4D 0 [91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI ... [91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 ... [91855.796571] Call Trace: [91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] [91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] [91855.871107] cpuhp_invoke_callback+0x105/0x4b0 [91855.893432] cpuhp_thread_fun+0x8e/0x150 ... Fix this by checking for NULL first. • https://git.kernel.org/stable/c/199e0de7f5df31a4fc485d4aaaf8a07718252ace https://git.kernel.org/stable/c/fb503d077ff7b43913503eaf72995d1239028b99 https://git.kernel.org/stable/c/070d5ea4a0592a37ad96ce7f7b6b024f90bb009f https://git.kernel.org/stable/c/280110db1a7d62ad635b103bafc3ae96e8bef75c https://git.kernel.org/stable/c/89eecabe6a47403237f45aafd7d24f93cb973653 https://git.kernel.org/stable/c/f06e0cd01eab954bd5f2190c9faa79bb5357e05b https://git.kernel.org/stable/c/7692700ac818866d138a8de555130a6e70e6ac16 https://git.kernel.org/stable/c/ae6c8b6e5d5628df1c475c0a8fca1465e • CWE-476: NULL Pointer Dereference •