
332 matches found

CVE
added 2024/10/21 7:39 p.m., 96 views

CVE-2024-50034

CVE-2024-50034 affects the Linux kernel net/smc, where INET_PROTOSW_ICSK can leave icsk_sync_mss unset for IPPROTO_SMC, triggering a NULL pointer dereference panic. The provided trace indicates a kernel oops when handling IPPROTO_SMC, with a failed icsk_mss synchronization. A patch sequence in st...

CVSS 5.5, AI score 5.1, EPSS 0.00011
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2024/10/21 7:39 p.m., 7 views

CVE-2024-50034 net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC Eric report a panic on IPPROTO_SMC, and give the facts that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too. Bug: Unable to handle kernel NULL pointer dereference at...

CVSS 5.5, AI score 5.9, EPSS 0.00011
Exploits: 0, References: 5
Cvelist
added 2024/10/21 7:39 p.m., 19 views

CVE-2024-50033 slip: make slhc_remember() more robust against malicious packets

In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks against malicious packets 1. slhc_remember() only checked the size of the packet was at least 20, which is not good...

EPSS 0.00007
Exploits: 0, References: 7
Vulnrichment
added 2024/10/21 7:39 p.m., 11 views

CVE-2024-50033 slip: make slhc_remember() more robust against malicious packets

In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks against malicious packets 1. slhc_remember() only checked the size of the packet was at least 20, which is not good...

AI score 7.1, EPSS 0.00007
Exploits: 0, References: 7
Vulnrichment
added 2024/10/21 7:39 p.m., 9 views

CVE-2024-50034 net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC Eric report a panic on IPPROTO_SMC, and give the facts that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too. Bug: Unable to handle kernel NULL pointer dereference at...

AI score 6.2, EPSS 0.00011
Exploits: 0, References: 2
Cvelist
added 2024/10/21 6:2 p.m., 21 views

CVE-2024-49952 netfilter: nf_tables: prevent nf_skb_duplicated corruption

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prevent nf_skb_duplicated corruption syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write per-cpu variable nf_skb_duplicated in an unsafe way 1. Disabling preemption as hinted by the splat is not enough, we have ...

EPSS 0.00011
Exploits: 0, References: 9
Cvelist
added 2024/10/21 6:2 p.m., 18 views

CVE-2024-49950 Bluetooth: L2CAP: Fix uaf in l2cap_connect

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2cap_connect Syzbot reported BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 CP...

EPSS 0.0001
Exploits: 0, References: 6
CVE
added 2024/10/21 6:2 p.m., 148 views

CVE-2024-49946

CVE-2024-49946 affects the Linux kernel PPP stack. The issue arises in ppp_channel_bridge_input() when packets are backlogged to a socket owned by a user process and the code path can call sk_backlog_rcv()/__release_sock()/release_sock() in process context. This creates an inconsistent lock state...

CVSS 5.5, AI score 5.1, EPSS 0.00013
Exploits: 0, References: 7, Affected Software: 1
OSV
added 2024/10/21 6:2 p.m., 11 views

CVE-2024-49946 ppp: do not assume bh is held in ppp_channel_bridge_input()

In the Linux kernel, the following vulnerability has been resolved: ppp: do not assume bh is held in ppp_channel_bridge_input() Networking receive path is usually handled from BH handler. However, some protocols need to acquire the socket lock, and packets might be stored in the socket backlog is the...

CVSS 5.5, AI score 6, EPSS 0.00013
Exploits: 0, References: 10
Cvelist
added 2024/10/21 6:1 p.m., 14 views

CVE-2024-49903 jfs: Fix uaf in dbFreeBits

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uaf in dbFreeBits syzbot reported BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in...

EPSS 0.00013
Exploits: 0, References: 9
Cvelist
added 2024/10/21 6:1 p.m., 11 views

CVE-2024-49867 btrfs: wait for fixup workers before stopping cleaner kthread during umount

In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the following steps in this order: 1 Park the cleaner kthread - this doesn't destroy the kthread, it basically hal...

EPSS 0.00007
Exploits: 0, References: 8
Vulnrichment
added 2024/10/21 6:1 p.m., 12 views

CVE-2024-49867 btrfs: wait for fixup workers before stopping cleaner kthread during umount

In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the following steps in this order: 1 Park the cleaner kthread - this doesn't destroy the kthread, it basically hal...

AI score 7, EPSS 0.00007
Exploits: 0, References: 8
RedhatCVE
added 2024/10/21 1:38 p.m., 11 views

CVE-2024-47719

In the Linux kernel, the following vulnerability has been resolved: iommufd: Protect against overflow of ALIGN() during iova allocation Userspace can supply an iova and uptr such that the target iova alignment becomes really big and ALIGN() overflows which corrupts the selected area range during...

CVSS 7.1, AI score 7.2, EPSS 0.00024
Exploits: 0, References: 4
Vulnrichment
added 2024/10/21 11:53 a.m., 11 views

CVE-2024-47719 iommufd: Protect against overflow of ALIGN() during iova allocation

In the Linux kernel, the following vulnerability has been resolved: iommufd: Protect against overflow of ALIGN() during iova allocation Userspace can supply an iova and uptr such that the target iova alignment becomes really big and ALIGN() overflows which corrupts the selected area range during...

AI score 7.2, EPSS 0.00024
Exploits: 0, References: 4
Vulnrichment
added 2024/10/21 11:53 a.m., 19 views

CVE-2024-47707 ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Blamed commit accidentally removed a check for rt->rt6i_idev being NULL, as spotted by syzbot: Oops: general protection fault, probably for non-canonical address...

AI score 6.8, EPSS 0.00013
Exploits: 0, References: 8
OSV
added 2024/10/21 11:53 a.m., 12 views

CVE-2024-47707 ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Blamed commit accidentally removed a check for rt->rt6i_idev being NULL, as spotted by syzbot: Oops: general protection fault, probably for non-canonical address...

CVSS 5.5, AI score 6.2, EPSS 0.00013
Exploits: 0, References: 13
Tenable Nessus
added 2024/10/13 12:0 a.m., 18 views

CBL Mariner 2.0 Security Update: kernel (CVE-2024-44999)

The version of kernel installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-44999 advisory. - In the Linux kernel, the following vulnerability has been resolved: gtp: pull network headers in gtp_dev_xmit()...

CVSS 7.1, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 2
Tenable Nessus
added 2024/10/13 12:0 a.m., 14 views

CBL Mariner 2.0 Security Update: kernel (CVE-2024-42114)

The version of kernel installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-42114 advisory. - In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: restrict...

CVSS 4.4, AI score 5.9, EPSS 0.00009
Exploits: 0, References: 2
OSV
added 2024/09/18 7:12 a.m., 20 views

CVE-2024-46782 ila: call nf_unregister_net_hooks() sooner

In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input 1 Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a...

CVSS 7.8, AI score 5.9, EPSS 0.00022
Exploits: 0, References: 13
CVE
added 2024/09/18 7:12 a.m., 111 views

CVE-2024-46782

CVE-2024-46782 affects Linux kernel’s ila subsystem (net/ipv6/ila/ila_xlat.c, ila_nf_input) where a use-after-free occurs: ila_xlat_exit_net() frees the rhashtable and then nf_unregister_net_hooks() is called. The issue is the hook removal should occur before freeing resources; the fix reorders a...

CVSS 7.8, AI score 7.2, EPSS 0.00022
Exploits: 0, References: 10, Affected Software: 1