CVE-2024-26585

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige la ejecución entre la programación de trabajo de transmisión y el cierre del socket De manera similar a el commit anterior, el hilo de envío (recvmsg/sendmsg) puede cerrarse tan pronto como el controlador de cifrado asíncrono llame a complete(). Reordene la programación del trabajo antes de llamar a complete(). En primer lugar, esto parece más lógico, ya que es el orden inverso de lo que hará el hilo de envío.

A race condition vulnerability was found in the tls subsystem of the Linux kernel. The submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(), which could lead to undefined behavior and a denial of service.

In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.

This update for the Linux Kernel 5.14.21-150500_55_49 fixes several issues. The following security issues were fixed. Fixed potential UAF in cifs_signal_cifsd_for_reconnect. Gpiolib: cdev: Fix use after free in lineinfo_changed_notify. Net: do not leave a dangling sk pointer, when socket creation fails hfsplus: fix uninit-value in copy_name. Fs/9p: only translate RWX permissions for plain 9P2000. Hsr: Prevent use after free in prp_create_tagged_frame. Fixed a general protection fault in i915_perf_open_ioctl. Set gtt bound flag in amdgpu_ttm_gart_bind. Fixed use-after-free bugs caused by sco_sock_timeout. Drm/client: Fully protect modes with dev->mode_config.mutex. Fixed false-positive lockdep splat for spin_lock in __unix_gc. Fixed double free of the ha->vp_map pointer. Fixed underflow in parse_server_interfaces. Fixed Integer Overflow or Wraparound vulnerability in x86 and ARM md, raid, raid5 modules. Fixed use-after-free in ip6_route_mpath_notify. Fixed memory corruption in wifi/iwlwifi. Fixed an out-of-bound bug in ipvlan caused by unset skb->mac_header. Fixed SDMA off-by-one error in _pad_sdma_tx_descs. Fixed a race condition in nfc_llcp_sock_get and nfc_llcp_sock_get_sn. Fixed race between tx work scheduling and socket close. Fixed a race condition in the GSM 0710 tty multiplexor via the GSMIOC_SETCONF ioctl that could lead to local privilege escalation. Fixed UAF write bug in tomoyo_write_control. Fixed a denial of service related to ICMPv6 'Packet Too Big' packets.