CVE-2024-50256

CVE-2024-50256 affects the Linux kernel netfilter path nf_reject_ipv6. The issue arises in nf_send_reset6() when a zero or insufficient hardware header length (dev->hard_header_len) leads to attempting to push an Ethernet header, crash, and kernel BUG in skbuff.c. The provided trace shows skb_...

CVE-2024-50256 netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfrejectipv6: fix potential crash in nfsendreset6 I got a syzbot report without a repro 1 crashing in nfsendreset6 I think the issue is that dev-hardheaderlen is zero, and we attempt later to push an Ethernet header. U...

CVE-2024-50155

In the Linux kernel, the following vulnerability has been resolved: netdevsim: use condresched in nsimdevtrapreportwork I am still seeing many syzbot reports hinting that syzbot might fool nsimdevtrapreportwork with hundreds of ports 1 Lets use condresched, and systemunboundwq instead of implicit...

CVE-2024-50083 tcp: fix mptcp DSS corruption due to large pmtu xmit

In the Linux kernel, the following vulnerability has been resolved: tcp: fix mptcp DSS corruption due to large pmtu xmit Syzkaller was able to trigger a DSS corruption: TCP: requestsocksubflowv4: Possible SYN flooding on port :::20002. Sending cookies. ------------ cut here ------------ WARNING:...

CVE-2024-50034

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix lacks of icsksynmss with IPPROTOSMC Eric report a panic on IPPROTOSMC, and give the facts that when INETPROTOSWICSK was set, icsk-icsksyncmss must be set too. Bug: Unable to handle kernel NULL pointer dereference at...

CVE-2024-50035

In the Linux kernel, the following vulnerability has been resolved: ppp: fix pppasyncencode illegal access syzbot reported an issue in pppasyncencode 1 In this case, pppoesendmsg is called with a zero size. Then pppasyncencode is called with an empty skb. BUG: KMSAN: uninit-value in pppasyncencod...

CVE-2024-50033

In the Linux kernel, the following vulnerability has been resolved: slip: make slhcremember more robust against malicious packets syzbot found that slhcremember was missing checks against malicious packets 1. slhcremember only checked the size of the packet was at least 20, which is not good...

CVE-2022-49014 net: tun: Fix use-after-free in tun_detach()

In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tundetach syzbot reported use-after-free in tundetach 1. This causes call trace like below: ================================================================== BUG: KASAN: use-after-free in...

CVE-2022-48956 ipv6: avoid use-after-free in ip6_fragment()

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6fragment Blamed commit claimed rcureadlock was held by ip6fragment callers. It seems to not be always true, at least for UDP stack. syzbot reported: BUG: KASAN: use-after-free in ip6dstidev...

CVE-2022-48956 ipv6: avoid use-after-free in ip6_fragment()

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6fragment Blamed commit claimed rcureadlock was held by ip6fragment callers. It seems to not be always true, at least for UDP stack. syzbot reported: BUG: KASAN: use-after-free in ip6dstidev...

CVE-2024-50035 ppp: fix ppp_async_encode() illegal access

In the Linux kernel, the following vulnerability has been resolved: ppp: fix pppasyncencode illegal access syzbot reported an issue in pppasyncencode 1 In this case, pppoesendmsg is called with a zero size. Then pppasyncencode is called with an empty skb. BUG: KMSAN: uninit-value in pppasyncencod...

CVE-2024-50035

CVE-2024-50035 affects the Linux kernel PPP path, specifically a fault in ppp_async_encode() that can be triggered by a zero-size pppoe_sendmsg() followed by an empty skb, leading to a possible uninitialized access (KMSAN) in drivers/net/ppp/ppp_async.c. The issue was fixed in upstream Linux comm...

CVE-2024-50033

CVE-2024-50033 relates to the Linux kernel slip/slhc.c, where slhc_remember() failed to validate packets against malicious inputs. The issue allowed uninit reads due to insufficient checks on packet contents beyond a 20-byte minimum, risking exposure via PPP/SLIP processing when IPv4 and TCP head...

CVE-2024-50034

CVE-2024-50034 affects the Linux kernel net/smc, where INET_PROTOSW_ICSK can leave icsk_sync_mss unset for IPPROTO_SMC, triggering a NULL pointer dereference panic. The provided trace indicates a kernel oops when handling IPPROTO_SMC, with a failed icsk_mss synchronization. A patch sequence in st...

CVE-2024-50033 slip: make slhc_remember() more robust against malicious packets

In the Linux kernel, the following vulnerability has been resolved: slip: make slhcremember more robust against malicious packets syzbot found that slhcremember was missing checks against malicious packets 1. slhcremember only checked the size of the packet was at least 20, which is not good...

CVE-2024-50034 net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix lacks of icsksynmss with IPPROTOSMC Eric report a panic on IPPROTOSMC, and give the facts that when INETPROTOSWICSK was set, icsk-icsksyncmss must be set too. Bug: Unable to handle kernel NULL pointer dereference at...

CVE-2024-50033 slip: make slhc_remember() more robust against malicious packets

In the Linux kernel, the following vulnerability has been resolved: slip: make slhcremember more robust against malicious packets syzbot found that slhcremember was missing checks against malicious packets 1. slhcremember only checked the size of the packet was at least 20, which is not good...

CVE-2024-50034 net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix lacks of icsksynmss with IPPROTOSMC Eric report a panic on IPPROTOSMC, and give the facts that when INETPROTOSWICSK was set, icsk-icsksyncmss must be set too. Bug: Unable to handle kernel NULL pointer dereference at...

CVE-2024-49952 netfilter: nf_tables: prevent nf_skb_duplicated corruption

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: prevent nfskbduplicated corruption syzbot found that nfdupipv4 or nfdupipv6 could write per-cpu variable nfskbduplicated in an unsafe way 1. Disabling preemption as hinted by the splat is not enough, we have ...

CVE-2024-49950 Bluetooth: L2CAP: Fix uaf in l2cap_connect

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2capconnect Syzbot reported BUG: KASAN: slab-use-after-free in l2capconnect.constprop.0+0x10d8/0x1270 net/bluetooth/l2capcore.c:3949 Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 CP...