{"schema_version":"1.7.2","id":"OESA-2024-1650","modified":"2024-05-24T11:08:08Z","published":"2024-05-24T11:08:08Z","upstream":["CVE-2023-52615","CVE-2023-52621","CVE-2023-52623","CVE-2023-52629","CVE-2023-52630","CVE-2023-52635","CVE-2023-52655","CVE-2023-52675","CVE-2023-52676","CVE-2023-52685","CVE-2023-52690","CVE-2023-52694","CVE-2024-26610","CVE-2024-26661","CVE-2024-26675","CVE-2024-26686","CVE-2024-26702","CVE-2024-26712","CVE-2024-26825","CVE-2024-26851","CVE-2024-26900","CVE-2024-26901","CVE-2024-26903","CVE-2024-26908","CVE-2024-26923","CVE-2024-26926","CVE-2024-26937","CVE-2024-27395","CVE-2024-27396","CVE-2024-27398","CVE-2024-27431","CVE-2024-35791","CVE-2024-35845","CVE-2024-35849","CVE-2024-35943"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\r\n\r\nThere is a dead-lock in the hwrng device read path. This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng. The resulting page fault triggers a recursive read\nwhich then dead-locks.\r\n\r\nFix this by using a stack buffer when calling copy_to_user.(CVE-2023-52615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\r\n\r\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\r\n\r\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \u0026lt;TASK\u0026gt;\n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n \u0026lt;/TASK\u0026gt;(CVE-2023-52621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix a suspicious RCU usage warning\r\n\r\nI received the following warning while running cthon against an ontap\nserver running pNFS:\r\n\r\n[ 57.202521] =============================\n[ 57.202522] WARNING: suspicious RCU usage\n[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[ 57.202525] -----------------------------\n[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[ 57.202527]\n other info that might help us debug this:\r\n\r\n[ 57.202528]\n rcu_scheduler_active = 2, debug_locks = 1\n[ 57.202529] no locks held by test5/3567.\n[ 57.202530]\n stack backtrace:\n[ 57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[ 57.202536] Call Trace:\n[ 57.202537] \u0026lt;TASK\u0026gt;\n[ 57.202540] dump_stack_lvl+0x77/0xb0\n[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0\n[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202866] write_cache_pages+0x265/0x450\n[ 57.202870] ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202913] do_writepages+0xd2/0x230\n[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80\n[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80\n[ 57.202924] filemap_write_and_wait_range+0xd9/0x170\n[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202969] __se_sys_close+0x46/0xd0\n[ 57.202972] do_syscall_64+0x68/0x100\n[ 57.202975] ? do_syscall_64+0x77/0x100\n[ 57.202976] ? do_syscall_64+0x77/0x100\n[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 57.202982] RIP: 0033:0x7fe2b12e4a94\n[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[ 57.202993] R10: 00007f\n---truncated---(CVE-2023-52623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\r\n\r\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\r\n\r\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(\u0026amp;psw-\u0026gt;work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw-\u0026gt;state = 0 // use\r\n\r\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.(CVE-2023-52629)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\r\n\r\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\r\n\r\nwhile true\ndo\n echo \u0026quot;simple_ondemand\u0026quot; \u0026gt; /sys/class/devfreq/1d84000.ufshc/governor\n echo \u0026quot;performance\u0026quot; \u0026gt; /sys/class/devfreq/1d84000.ufshc/governor\ndone\r\n\r\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\r\n\r\nLet\u0026apos;s use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\r\n\r\n[1]\n...\n..\n\u0026lt;idle\u0026gt;-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428\n\u0026lt;idle\u0026gt;-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c\n\u0026lt;idle\u0026gt;-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428\nkworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227\nvendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532\nvendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428\nxxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428\r\n\r\n[2]\r\n\r\n 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][ C4] Mem abort info:\n[ 9436.261666][ C4] ESR = 0x96000044\n[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][ C4] SET = 0, FnV = 0\n[ 9436.261673][ C4] EA = 0, S1PTW = 0\n[ 9436.261675][ C4] Data abort info:\n[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044\n[ 9436.261680][ C4] CM = 0, WnR = 1\n[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\r\n\r\n[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)\n[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][ C4] sp : ffffffc010023dd0\n[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---(CVE-2023-52635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: aqc111: check packet for fixup for true limit\r\n\r\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\r\n\r\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\r\n\r\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.(CVE-2023-52655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Guard stack limits against 32bit overflow\r\n\r\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1\u0026lt;\u0026lt;29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1\u0026lt;\u0026lt;29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1\u0026lt;\u0026lt;29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\r\n\r\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904(CVE-2023-52676)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: ram_core: fix possible overflow in persistent_ram_init_ecc()\r\n\r\nIn persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return\n64-bit value since persistent_ram_zone::buffer_size has type size_t which\nis derived from the 64-bit *unsigned long*, while the ecc_blocks variable\nthis value gets assigned to has (always 32-bit) *int* type. Even if that\nvalue fits into *int* type, an overflow is still possible when calculating\nthe size_t typed ecc_total variable further below since there\u0026apos;s no cast to\nany 64-bit type before multiplication. Declaring the ecc_blocks variable\nas *size_t* should fix this mess...\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.(CVE-2023-52685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release \u0026apos;ent\u0026apos; to avoid memory leaks.(CVE-2023-52690)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\r\n\r\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.(CVE-2023-52694)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: fix a memory corruption\r\n\r\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we\u0026apos;ll write past the buffer.(CVE-2024-26610)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Add NULL test for \u0026apos;timing generator\u0026apos; in \u0026apos;dcn21_set_pipe()\u0026apos;\r\n\r\nIn \u0026quot;u32 otg_inst = pipe_ctx-\u0026gt;stream_res.tg-\u0026gt;inst;\u0026quot;\npipe_ctx-\u0026gt;stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.(CVE-2024-26661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp_async: limit MRU to 64K\r\n\r\nsyzbot triggered a warning [1] in __alloc_pages():\r\n\r\nWARN_ON_ONCE_GFP(order \u0026gt; MAX_PAGE_ORDER, gfp)\r\n\r\nWillem fixed a similar issue in commit c0a2a1b0d631 (\u0026quot;ppp: limit MRU to 64K\u0026quot;)\r\n\r\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\r\n\r\n[1]:\r\n\r\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n __do_kmalloc_node mm/slub.c:3969 [inline]\n __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n receive_buf drivers/tty/tty_buffer.c:444 [inline]\n flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860(CVE-2024-26675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/proc: do_task_stat: use sig-\u0026gt;stats_lock to gather the threads/children stats\r\n\r\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\r\n\r\nChange do_task_stat() to use sig-\u0026gt;stats_lock to gather the statistics\noutside of -\u0026gt;siglock protected section, in the likely case this code will\nrun lockless.(CVE-2024-26686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\r\n\r\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.(CVE-2024-26702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/kasan: Fix addr error caused by page alignment\r\n\r\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start \u0026amp; PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\r\n\r\nAs a result, memory overwriting occurs.\r\n\r\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start \u0026amp; PAGE_MASK; k_cur \u0026lt; k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\r\n\r\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.(CVE-2024-26712)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\r\n\r\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\r\n\r\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-26825)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\r\n\r\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\r\n\r\nvmlinux get_bitmap(b=75) + 712\n\u0026lt;net/netfilter/nf_conntrack_h323_asn1.c:0\u0026gt;\nvmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n\u0026lt;net/netfilter/nf_conntrack_h323_asn1.c:592\u0026gt;\nvmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n\u0026lt;net/netfilter/nf_conntrack_h323_asn1.c:814\u0026gt;\nvmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n\u0026lt;net/netfilter/nf_conntrack_h323_asn1.c:576\u0026gt;\nvmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n\u0026lt;net/netfilter/nf_conntrack_h323_asn1.c:814\u0026gt;\nvmlinux DecodeRasMessage() + 304\n\u0026lt;net/netfilter/nf_conntrack_h323_asn1.c:833\u0026gt;\nvmlinux ras_help() + 684\n\u0026lt;net/netfilter/nf_conntrack_h323_main.c:1728\u0026gt;\nvmlinux nf_confirm() + 188\n\u0026lt;net/netfilter/nf_conntrack_proto.c:137\u0026gt;\r\n\r\nDue to abnormal data in skb-\u0026gt;data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.(CVE-2024-26851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix kmemleak of rdev-\u0026gt;serial\r\n\r\nIf kobject_add() is fail in bind_rdev_to_array(), \u0026apos;rdev-\u0026gt;serial\u0026apos; will be\nalloc not be freed, and kmemleak occurs.\r\n\r\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \u0026quot;mdadm\u0026quot;, pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [\u0026lt;0000000058b0a453\u0026gt;] kmemleak_alloc+0x61/0xe0\n [\u0026lt;00000000366adf14\u0026gt;] __kmalloc_large_node+0x15e/0x270\n [\u0026lt;000000002e82961b\u0026gt;] __kmalloc_node.cold+0x11/0x7f\n [\u0026lt;00000000f206d60a\u0026gt;] kvmalloc_node+0x74/0x150\n [\u0026lt;0000000034bf3363\u0026gt;] rdev_init_serial+0x67/0x170\n [\u0026lt;0000000010e08fe9\u0026gt;] mddev_create_serial_pool+0x62/0x220\n [\u0026lt;00000000c3837bf0\u0026gt;] bind_rdev_to_array+0x2af/0x630\n [\u0026lt;0000000073c28560\u0026gt;] md_add_new_disk+0x400/0x9f0\n [\u0026lt;00000000770e30ff\u0026gt;] md_ioctl+0x15bf/0x1c10\n [\u0026lt;000000006cfab718\u0026gt;] blkdev_ioctl+0x191/0x3f0\n [\u0026lt;0000000085086a11\u0026gt;] vfs_ioctl+0x22/0x60\n [\u0026lt;0000000018b656fe\u0026gt;] __x64_sys_ioctl+0xba/0xe0\n [\u0026lt;00000000e54e675e\u0026gt;] do_syscall_64+0x71/0x150\n [\u0026lt;000000008b0ad622\u0026gt;] entry_SYSCALL_64_after_hwframe+0x6c/0x74(CVE-2024-26900)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\r\n\r\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\r\n\r\n[1]\n\u0026quot;BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\u0026quot;\r\n\r\nPer Chuck Lever\u0026apos;s suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.(CVE-2024-26901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\r\n\r\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\r\n\r\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\r\n\r\n2. In our fuzz test case, the timing of the controller\u0026apos;s response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\r\n\r\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)-\u0026gt;chan-\u0026gt;conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn-\u0026gt;hcon, d-\u0026gt;sec_level, auth_type, d-\u0026gt;out);`,\nspecifically when accessing `conn-\u0026gt;hcon`, a null-ptr-deref error occurred.\r\n\r\nTo fix this bug, check if `sk-\u0026gt;sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.(CVE-2024-26903)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-26908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix garbage collector racing against connect()\r\n\r\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\r\n\r\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV\u0026apos;s fd will be passed via sendmsg(), gets inflight count bumped\r\n\r\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\r\n\r\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\r\n\r\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\r\n\r\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\r\n\r\n\t\t\tclose(V)\r\n\r\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\r\n\r\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\r\n\r\n\t\t\t\t\t\t// gc_candidates={L, V}\r\n\r\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\r\n\r\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V\u0026apos;s\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\r\n\r\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\r\n\r\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.(CVE-2024-26923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: check offset alignment in binder_get_object()\r\n\r\nCommit 6d98eb95b450 (\u0026quot;binder: avoid potential data leakage when copying\ntxn\u0026quot;) introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -\u0026gt; check_buffer().\r\n\r\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\r\n\r\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\u0026quot;binder: add function to copy binder object from buffer\u0026quot;), likely\nremoved due to redundancy at the time.(CVE-2024-26926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/i915/gt: Reset queue_priority_hint on parking\r\n\r\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\r\n\r\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\r\n\r\n\u0026lt;3\u0026gt;[ 166.210729] __engine_park:283 GEM_BUG_ON(engine-\u0026gt;sched_engine-\u0026gt;queue_priority_hint != (-((int)(~0U \u0026gt;\u0026gt; 1)) - 1))\n\u0026lt;0\u0026gt;[ 166.210781] Dumping ftrace buffer:\n\u0026lt;0\u0026gt;[ 166.210795] ---------------------------------\n...\n\u0026lt;0\u0026gt;[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n\u0026lt;0\u0026gt;[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n\u0026lt;0\u0026gt;[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n\u0026lt;0\u0026gt;[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n\u0026lt;0\u0026gt;[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n\u0026lt;0\u0026gt;[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n\u0026lt;0\u0026gt;[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n\u0026lt;0\u0026gt;[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n\u0026lt;0\u0026gt;[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n\u0026lt;0\u0026gt;[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n\u0026lt;0\u0026gt;[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n\u0026lt;0\u0026gt;[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n\u0026lt;0\u0026gt;[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n\u0026lt;0\u0026gt;[ 167.303534] \u0026lt;idle\u0026gt;-0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n\u0026lt;0\u0026gt;[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n\u0026lt;0\u0026gt;[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n\u0026lt;0\u0026gt;[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine-\u0026gt;sched_engine-\u0026gt;queue_priority_hint != (-((int)(~0U \u0026gt;\u0026gt; 1)) - 1))\n\u0026lt;0\u0026gt;[ 167.303811] ---------------------------------\n\u0026lt;4\u0026gt;[ 167.304722] ------------[ cut here ]------------\n\u0026lt;2\u0026gt;[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n\u0026lt;4\u0026gt;[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n\u0026lt;4\u0026gt;[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n\u0026lt;4\u0026gt;[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n\u0026lt;4\u0026gt;[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n\u0026lt;4\u0026gt;[ 16\n---truncated---(CVE-2024-26937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\r\n\r\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: gtp: Fix Use-After-Free in gtp_dellink\r\n\r\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27396)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\r\n\r\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\r\n\r\n Cleanup Thread | Worker Thread\nsco_sock_release |\n sco_sock_close |\n __sco_sock_close |\n sco_sock_set_timer |\n schedule_delayed_work |\n sco_sock_kill | (wait a time)\n sock_put(sk) //FREE | sco_sock_timeout\n | sock_hold(sk) //USE\r\n\r\nThe KASAN report triggered by POC is shown below:\r\n\r\n[ 95.890016] ==================================================================\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[ 95.890755] Workqueue: events sco_sock_timeout\n[ 95.890755] Call Trace:\n[ 95.890755] \u0026lt;TASK\u0026gt;\n[ 95.890755] dump_stack_lvl+0x45/0x110\n[ 95.890755] print_address_description+0x78/0x390\n[ 95.890755] print_report+0x11b/0x250\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_report+0x139/0x170\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] process_one_work+0x561/0xc50\n[ 95.890755] worker_thread+0xab2/0x13c0\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] kthread+0x279/0x300\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork+0x34/0x60\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork_asm+0x11/0x20\n[ 95.890755] \u0026lt;/TASK\u0026gt;\n[ 95.890755]\n[ 95.890755] Allocated by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] __kasan_kmalloc+0x86/0x90\n[ 95.890755] __kmalloc+0x17f/0x360\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\n[ 95.890755] sk_alloc+0x31/0x4e0\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\n[ 95.890755] sco_sock_create+0xad/0x320\n[ 95.890755] bt_sock_create+0x145/0x320\n[ 95.890755] __sock_create+0x2e1/0x650\n[ 95.890755] __sys_socket+0xd0/0x280\n[ 95.890755] __x64_sys_socket+0x75/0x80\n[ 95.890755] do_syscall_64+0xc4/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] Freed by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] kasan_save_free_info+0x40/0x50\n[ 95.890755] poison_slab_object+0x118/0x180\n[ 95.890755] __kasan_slab_free+0x12/0x30\n[ 95.890755] kfree+0xb2/0x240\n[ 95.890755] __sk_destruct+0x317/0x410\n[ 95.890755] sco_sock_release+0x232/0x280\n[ 95.890755] sock_close+0xb2/0x210\n[ 95.890755] __fput+0x37f/0x770\n[ 95.890755] task_work_run+0x1ae/0x210\n[ 95.890755] get_signal+0xe17/0xf70\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\n[ 95.890755] do_syscall_64+0xd1/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\n[ 95.890755] The buggy address is located 128 bytes inside of\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the physical page:\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 95.890755] ano\n---truncated---(CVE-2024-27398)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\r\n\r\nWhen running an XDP program that is attached to a cpumap entry, we don\u0026apos;t\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md-\u0026gt;rx_queue_index value for XDP\nprograms running in a cpumap.\r\n\r\nThis means we\u0026apos;re basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.(CVE-2024-27431)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: SVM: Flush pages under kvm-\u0026gt;lock to fix UAF in svm_register_enc_region()\r\n\r\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm-\u0026gt;lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\r\n\r\nNote, the \u0026quot;obvious\u0026quot; alternative of using local variables doesn\u0026apos;t fully\nresolve the bug, as region-\u0026gt;pages is also dynamically allocated. I.e. the\nregion structure itself would be fine, but region-\u0026gt;pages could be freed.\r\n\r\nFlushing multiple pages under kvm-\u0026gt;lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.(CVE-2024-35791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\r\n\r\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.(CVE-2024-35845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\r\n\r\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\r\n\r\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\r\n\r\nThis happens, because we\u0026apos;re copying a \u0026apos;struct btrfs_data_container\u0026apos; back\nto user-space. This btrfs_data_container is allocated in\n\u0026apos;init_data_container()\u0026apos; via kvmalloc(), which does not zero-fill the\nmemory.\r\n\r\nFix this by using kvzalloc() which zeroes out the memory on allocation.(CVE-2024-35849)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\r\n\r\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2024-35943)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-200.0.0.113.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-source-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","perf-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-200.0.0.113.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-200.0.0.113.oe2203sp3.src.rpm"],"x86_64":["kernel-tools-debuginfo-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","perf-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-200.0.0.113.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1650"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52615"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52621"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52623"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52629"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52630"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52635"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52655"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52675"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52676"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52685"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52690"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52694"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26610"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26661"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26675"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26686"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26702"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26712"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26825"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26851"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26900"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26901"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26903"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26908"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26923"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26926"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26937"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27395"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27396"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27398"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27431"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35791"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35845"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35849"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35943"}],"database_specific":{"severity":"High"}}