CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-43853 – cgroup/cpuset: Prevent UAF in proc_cpuset_show()
https://notcve.org/view.php?id=CVE-2024-43853
However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed. Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css. [1] https://syzkaller.appspot.com/bug? • https://git.kernel.org/stable/c/a79a908fd2b080977b45bf103184b81c9d11ad07 https://git.kernel.org/stable/c/27d6dbdc6485d68075a0ebf8544d6425c1ed84bb https://git.kernel.org/stable/c/10aeaa47e4aa2432f29b3e5376df96d7dac5537a https://git.kernel.org/stable/c/688325078a8b5badd6e07ae22b27cd04e9947aec https://git.kernel.org/stable/c/4e8d6ac8fc9f843e940ab7389db8136634e07989 https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4 https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080 https://git.kernel.org&# •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41045 – bpf: Defer work in bpf_timer_cancel_and_free
https://notcve.org/view.php?id=CVE-2024-41045
The callback running in parallel trying to arm the timer will fail, and freeing bpf_hrtimer without waiting is sufficient (given kfree_rcu), and bpf_timer_cb will return HRTIMER_NORESTART, preventing the timer from being rearmed again. However, there exists a UAF scenario where the callback arms the timer before entering this function, such that if cancellation fails (due to timer callback invoking this routine, or the target timer callback running concurrently). • https://git.kernel.org/stable/c/b00628b1c7d595ae5b544e059c27b1f5828314b4 https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1 https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-41010 – bpf: Fix too early release of tcx_entry
https://notcve.org/view.php?id=CVE-2024-41010
This causes the ingress qdisc created in step 1 to be removed, thus freeing the previously linked tcx_entry: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy() => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry freed 5. ... This registers the cleanup_net worker, and during the process of releasing the remaining clsact qdisc, it accesses the tcx_entry that was already freed in step 4, causing the UAF to occur: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair_swap() // UAF There are also other variants, the gist is to add an ingress (or clsact) qdisc with a specific shared block, then to replace that qdisc, waiting for the tcx_entry kfree_rcu() to be executed and subsequently accessing the current active qdisc's miniq one way or another. The correct fix is to turn the miniq_active boolean into a counter. ... Esto hace que se elimine la qdisc de entrada creada en el paso 1, liberando así la tcx_entry previamente vinculada: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy( ) => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry liberado 5. ... Esto registra el trabajador cleanup_net y, durante el proceso de liberación de la qdisc clsact restante, accede a tcx_entry que ya se liberó en el paso 4, lo que provoca que se produzca la UAF: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair _intercambiar( ) // UAF También hay otras variantes, lo esencial es agregar una qdisc de ingreso (o clsact) con un bloque compartido específico, luego reemplazar esa qdisc, esperar a que se ejecute tcx_entry kfree_rcu() y posteriormente acceder al activo actual miniq de qdisc de una forma u otra. • https://git.kernel.org/stable/c/e420bed025071a623d2720a92bc2245c84757ecb https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857 https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35969 – kernel: ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
https://notcve.org/view.php?id=CVE-2024-35969
The reference count drops to zero and kfree_rcu is scheduled. 3. ipv6_get_ifaddr continues and tries to increments the reference count (in6_ifa_hold). 4. ... El recuento de referencias cae a cero y se programa kfree_rcu. 3. ipv6_get_ifaddr continúa e intenta incrementar el recuento de referencias (in6_ifa_hold). 4. • https://git.kernel.org/stable/c/5c578aedcb21d79eeb4e9cf04ca5b276ac82614c https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1 https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903 https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70 https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652 https://git.kernel.org&# •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-27395 – kernel: net: openvswitch: Fix Use-After-Free in ovs_ct_exit
https://notcve.org/view.php?id=CVE-2024-27395
In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix Use-After-Free in ovs_ct_exit Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal of ovs_ct_limit_exit, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: openvswitch: Fix Use-After-Free en ovs_ct_exit Dado que kfree_rcu, que se llama en el recorrido hlist_for_each_entry_rcu de ovs_ct_limit_exit, no forma parte de la sección crítica de lectura de RCU, es posible que el período de gracia de RCU pasará durante el recorrido y la clave quedará libre. • https://git.kernel.org/stable/c/11efd5cb04a184eea4f57b68ea63dddd463158d1 https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994 https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424 https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3 https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4 https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1 https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137 https://git.kernel.org&# •