CVE-2024-26852 net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in ip6routempathnotify syzbot found another use-after-free in ip6routempathnotify 1 Commit f7225172f25a "net/ipv6: prevent use after free in ip6routempathnotify" was not able to fix the root cause. We...

CVE-2024-26852 net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in ip6routempathnotify syzbot found another use-after-free in ip6routempathnotify 1 Commit f7225172f25a "net/ipv6: prevent use after free in ip6routempathnotify" was not able to fix the root cause. We...

CVE-2024-26815 net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: proper TCATAPRIOTCENTRYINDEX check taprioparsetcentry is not correctly checking TCATAPRIOTCENTRYINDEX attribute: int tc; // Signed value tc = nlagetu32tbTCATAPRIOTCENTRYINDEX; if tc = TCQOPTMAXQUEUE...

CVE-2024-26815

The CVE-2024-26815 entry concerns the Linux kernel taprio qdisc: taprio_parse_tc_entry() fails to validate TCA_TAPRIO_TC_ENTRY_INDEX, allowing negative values to be fed and triggering a UBSAN shift-out-of-bounds in net/sched/sch_taprio.c. The patch fixes the check by ensuring the index is within ...

CVE-2024-26792 btrfs: fix double free of anonymous device after snapshot creation failure

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in...

CVE-2024-26780 af_unix: Fix task hung while purging oob_skb in GC.

In the Linux kernel, the following vulnerability has been resolved: afunix: Fix task hung while purging oobskb in GC. syzbot reported a task hung; at the same time, GC was looping infinitely in listforeachentrysafe for OOB skb. 0 syzbot demonstrated that the listforeachentrysafe was not actually...

CVE-2024-26780

CVE-2024-26780 | Linux kernel (af_unix) — The vulnerability centers on a task hang during purging oob_skb in GC. The root cause is that list_for_each_entry_safe() is not actually safe when a single skb has references from multiple sockets; freeing such an skb can unlink current and next sockets i...

CVE-2024-26750 af_unix: Drop oob_skb ref before purging queue in GC.

In the Linux kernel, the following vulnerability has been resolved: afunix: Drop oobskb ref before purging queue in GC. syzbot reported another task hung in unixgc. 0 The current while loop assumes that all of the left candidates have oobskb and calling kfreeskboobskb releases the remaining...

CVE-2024-26681

In the Linux kernel, the following vulnerability has been resolved: netdevsim: avoid potential loop in nsimdevtrapreportwork Many syzbot reports include the following trace 1 If nsimdevtrapreportwork can not grab the mutex, it should rearm itself at least one jiffie later. 1 Sending NMI from CPU ...

CVE-2024-26675

In the Linux kernel, the following vulnerability has been resolved: pppasync: limit MRU to 64K syzbot triggered a warning 1 in allocpages: WARNONONCEGFPorder MAXPAGEORDER, gfp Willem fixed a similar issue in commit c0a2a1b0d631 "ppp: limit MRU to 64K" Adopt the same sanity check for...

CVE-2024-26676

In the Linux kernel, the following vulnerability has been resolved: afunix: Call kfreeskb for dead unixsk-oobskb in GC. syzbot reported a warning 0 in unixgc with a repro, which creates a socketpair and sends one socket's fd to itself using the peer. socketpairAFUNIX, SOCKSTREAM, 0, 3, 4 = 0...

CVE-2024-26681 netdevsim: avoid potential loop in nsim_dev_trap_report_work()

In the Linux kernel, the following vulnerability has been resolved: netdevsim: avoid potential loop in nsimdevtrapreportwork Many syzbot reports include the following trace 1 If nsimdevtrapreportwork can not grab the mutex, it should rearm itself at least one jiffie later. 1 Sending NMI from CPU ...

CVE-2024-26681

CVE-2024-26681 is a Linux kernel vulnerability affecting the netdevsim driver. The issue arises in nsim_dev_trap_report_work() where failure to grab a mutex could lead to a loop/backtrace scenario, potentially impacting system stability. The vulnerability details are grounded in a kernel trace an...

CVE-2024-26681 netdevsim: avoid potential loop in nsim_dev_trap_report_work()

In the Linux kernel, the following vulnerability has been resolved: netdevsim: avoid potential loop in nsimdevtrapreportwork Many syzbot reports include the following trace 1 If nsimdevtrapreportwork can not grab the mutex, it should rearm itself at least one jiffie later. 1 Sending NMI from CPU ...

CVE-2024-26641

In the Linux kernel, the following vulnerability has been resolved: ip6tunnel: make sure to pull inner header in ip6tnlrcv syzbot found ip6tnlrcv could access unitiliazed data 1. Call pskbinetmaypull to fix this, and initialize ipv6h variable after this call as it can change skb-head. 1 BUG: KMSA...

CVE-2024-26638

In the Linux kernel, the following vulnerability has been resolved: nbd: always initialize struct msghdr completely syzbot complains that msg-msggetinq value can be uninitialized 1 struct msghdr got many new fields recently, we should always make sure their values is zero by default. 1 BUG: KMSAN...

CVE-2024-26635

In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETHPTR8022. syzbot reported an uninit-value bug below. 0 llc supports ETHP8022 0x0004 and used to support ETHPTR8022 0x0011, and syzbot abused the latter to trigger the bug. write$tunr0,...

CVE-2024-26636

In the Linux kernel, the following vulnerability has been resolved: llc: make llcuisendmsg more robust against bonding changes syzbot was able to trick llcuisendmsg, allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header 1 Like some others, llcuisendmsg...

CVE-2024-26641 ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

In the Linux kernel, the following vulnerability has been resolved: ip6tunnel: make sure to pull inner header in ip6tnlrcv syzbot found ip6tnlrcv could access unitiliazed data 1. Call pskbinetmaypull to fix this, and initialize ipv6h variable after this call as it can change skb-head. 1 BUG: KMSA...

CVE-2024-26641 ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

In the Linux kernel, the following vulnerability has been resolved: ip6tunnel: make sure to pull inner header in ip6tnlrcv syzbot found ip6tnlrcv could access unitiliazed data 1. Call pskbinetmaypull to fix this, and initialize ipv6h variable after this call as it can change skb-head. 1 BUG: KMSA...