kernel: net: core: reject skb_copy(_expand) for fraglist GSO skbs

In the Linux kernel, the following vulnerability has been resolved: net: core: reject skbcopyexpand for fraglist GSO skbs SKBGSOFRAGLIST skbs must not be linearized, otherwise they become invalid. Return NULL if such an skb is passed to skbcopy or skbcopyexpand, in order to prevent a crash on a...

kernel: net/sched: act_skbmod: prevent kernel-infoleak

In the Linux kernel, the following vulnerability has been resolved: net/sched: actskbmod: prevent kernel-infoleak syzbot found that tcfskbmoddump was copying four bytes from kernel stack to user space 1. The issue here is that 'struct tcskbmod' has a four bytes hole. We need to clear the structur...

kernel: nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

In the Linux kernel, the following vulnerability has been resolved: nsh: Restore skb-protocol,data,macheader for outer header in nshgsosegment. syzbot triggered various splats see 0 and links by a crafted GSO packet of VIRTIONETHDRGSOUDP layering the following protocols: ETHP8021AD + ETHPNSH +...

kernel: ipv4: Fix uninit-value access in __ip_make_skb()

In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix uninit-value access in ipmakeskb KMSAN reported uninit-value access in ipmakeskb 1. ipmakeskb tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt2 with...

kernel: atl1c: Work around the DMA RX overflow issue

In the Linux kernel, the following vulnerability has been resolved: atl1c: Work around the DMA RX overflow issue This is based on alx driver commit 881d0327db37 "net: alx: Work around the DMA RX overflow issue". The alx and atl1c drivers had RX overflow error which was why a custom allocator was...

kernel: TIPC message reassembly use-after-free remote code execution vulnerability

A use-after-free UAF flaw exists in the Linux Kernel within the reassembly of fragmented TIPC messages, specifically in the tipcbufappend function. The issue results due to a lack of checks in the error handling cleanup and can trigger a UAF on "struct skbuff", which may lead to remote code...

kernel: net: core: reject skb_copy(_expand) for fraglist GSO skbs

In the Linux kernel, the following vulnerability has been resolved: net: core: reject skbcopyexpand for fraglist GSO skbs SKBGSOFRAGLIST skbs must not be linearized, otherwise they become invalid. Return NULL if such an skb is passed to skbcopy or skbcopyexpand, in order to prevent a crash on a...

kernel: bnxt: prevent skb UAF after handing over to PTP worker

A possible use-after-free after handing over to PTP worker was found in the Linux kernel. This may lead to a crash...

SUSE CVE-2024-41046

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiqetop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times...

SUSE CVE-2024-41048

In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in skmsgrecvmsg When running BPF selftests ./testprogs -t sockmapbasic on a Loongarch platform, the following kernel panic occurs: ... Oops1: CPU: 22 PID: 2824 Comm: testprogs Tainted: G OE 6.10.0-rc2+...

kernel: net: amd-xgbe: Fix skb data length underflow

In the Linux kernel, the following vulnerability has been resolved: net: amd-xgbe: Fix skb data length underflow There will be BUGON triggered in include/linux/skbuff.h leading to intermittent kernel panic, when the skb length underflow is detected. Fix this by dropping the packet if such length...

DEBIAN-CVE-2024-41066

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Add tx check to prevent skb leak Below is a summary of how the driver stores a reference to an skb during transmit: txbufffreemapconsumerindex-skb = newskb; freemapconsumerindex = IBMVNICINVALIDMAP; consumerindex ++; Whe...

DEBIAN-CVE-2024-41048

In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in skmsgrecvmsg When running BPF selftests ./testprogs -t sockmapbasic on a Loongarch platform, the following kernel panic occurs: ... Oops1: CPU: 22 PID: 2824 Comm: testprogs Tainted: G OE 6.10.0-rc2+...

DEBIAN-CVE-2024-41046

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiqetop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times...

kernel: net: amd-xgbe: Fix skb data length underflow

In the Linux kernel, the following vulnerability has been resolved: net: amd-xgbe: Fix skb data length underflow There will be BUGON triggered in include/linux/skbuff.h leading to intermittent kernel panic, when the skb length underflow is detected. Fix this by dropping the packet if such length...

SUSE CVE-2024-41091

In the Linux kernel, the following vulnerability has been resolved: tun: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tunxdpone path, which could cause a corrupted skb to be sent downstack. Even before the skb is...

SUSE CVE-2022-48794

In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: at86rf230: Stop leaking skb's Upon error the ieee802154xmitcomplete helper is not called. Only ieee802154wakequeue is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon...

SUSE CVE-2022-48851

In the Linux kernel, the following vulnerability has been resolved: staging: gdm724x: fix use after free in gdmlterx The netifrxni function frees the skb so we can't dereference it to save the skb-len...

kernel: TIPC message reassembly use-after-free remote code execution vulnerability

A use-after-free UAF flaw exists in the Linux Kernel within the reassembly of fragmented TIPC messages, specifically in the tipcbufappend function. The issue results due to a lack of checks in the error handling cleanup and can trigger a UAF on "struct skbuff", which may lead to remote code...

DEBIAN-CVE-2022-48851

In the Linux kernel, the following vulnerability has been resolved: staging: gdm724x: fix use after free in gdmlterx The netifrxni function frees the skb so we can't dereference it to save the skb-len...