This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Linux First view 2005-03-14
Product Linux Kernel Last view 2024-02-22
Version 2.6.16.55 Type Os
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:o:linux:linux_kernel

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
5.5 2024-02-22 CVE-2024-26591

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

The following case can cause a crash due to missing attach_btf:

1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3

In the end we have:

- prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one

BUG: kernel NULL pointer dereference, address: 0000000000000058
Call Trace:

? __die+0x20/0x70
? page_fault_oops+0x15b/0x430
? fixup_exception+0x22/0x330
? exc_page_fault+0x6f/0x170
? asm_exc_page_fault+0x22/0x30
? bpf_tracing_prog_attach+0x279/0x560
? btf_obj_id+0x5/0x10
bpf_tracing_prog_attach+0x439/0x560
__sys_bpf+0x1cf4/0x2de0
__x64_sys_bpf+0x1c/0x30
do_syscall_64+0x41/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76

Return -EINVAL in this situation.

5.5 2024-02-22 CVE-2024-26590

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix inconsistent per-file compression format

EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization.

However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in.

Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously.

7.8 2024-02-22 CVE-2024-26589

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

func#0 @0
0: R1=ctx() R10=fp0
0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()
1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()
2: (b7) r8 = 1024 ; R8_w=1024
3: (37) r8 /= 1 ; R8_w=scalar()
4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,
smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
5: (0f) r7 += r8
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
=(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
var_off=(0x0; 0x400))
6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()
7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access:

BUG: unable to handle page fault for address: ffffc90014c80038
[...]
Call Trace:

bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited".

7.8 2024-02-22 CVE-2024-26588

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Prevent out-of-bounds memory access

The test_tag test triggers an unhandled page fault:

# ./test_tag
[ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70
[ 130.640501] Oops[#3]:
[ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a
[ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
[ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40
[ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000
[ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000
[ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70
[ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0
[ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0
[ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000
[ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000
[ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988
[ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988
[ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
[ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE)
[ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE)
[ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)
[ 130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
[ 130.642658] BADV: ffff80001b898004
[ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
[ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)]
[ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd)
[ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8
[ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0
[ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000
[ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000
[ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000
[ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000
[ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558
[ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000
[ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc
[ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0
[ 130.644572] ...
[ 130.644629] Call Trace:
[ 130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988
[ 130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec
[ 130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0
[ 130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44
[ 130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588
[ 130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c
[ 130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94
[ 130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158
[ 130.645507]
[ 130.645539] Code: 380839f6 380831f9 28412bae <24000ca6> 004081ad 0014cb50 004083e8 02bff34c 58008e91
[ 130.645729]
[ 130.646418] ---[ end trace 0000000000000000 ]---

On my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at loading a BPF prog with 2039 instructions:

prog = (struct bpf_prog *)ffff80001b894000
insn = (struct bpf_insn *)(prog->insnsi)fff ---truncated---

5.5 2024-02-22 CVE-2024-26587

In the Linux kernel, the following vulnerability has been resolved:

net: netdevsim: don't try to destroy PHC on VFs

PHC gets initialized in nsim_init_netdevsim(), which is only called if (nsim_dev_port_is_pf()).

Create a counterpart of nsim_init_netdevsim() and move the mock_phc_destroy() there.

This fixes a crash trying to destroy netdevsim with VFs instantiated, as caught by running the devlink.sh test:

BUG: kernel NULL pointer dereference, address: 00000000000000b8
RIP: 0010:mock_phc_destroy+0xd/0x30
Call Trace:

nsim_destroy+0x4a/0x70 [netdevsim]
__nsim_dev_port_del+0x47/0x70 [netdevsim]
nsim_dev_reload_destroy+0x105/0x120 [netdevsim]
nsim_drv_remove+0x2f/0xb0 [netdevsim]
device_release_driver_internal+0x1a1/0x210
bus_remove_device+0xd5/0x120
device_del+0x159/0x490
device_unregister+0x12/0x30
del_device_store+0x11a/0x1a0 [netdevsim]
kernfs_fop_write_iter+0x130/0x1d0
vfs_write+0x30b/0x4b0
ksys_write+0x69/0xf0
do_syscall_64+0xcc/0x1e0
entry_SYSCALL_64_after_hwframe+0x6f/0x77

7.8 2024-02-22 CVE-2024-26586

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix stack corruption

When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found.

One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage.

In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required.

Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register.

Add a test case to make sure the machine does not crash when this condition is hit.

[1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...]
dump_stack_lvl+0x36/0x50
panic+0x305/0x330
__stack_chk_fail+0x15/0x20
mlxsw_sp_acl_tcam_group_update+0x116/0x120
mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110
mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20
mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
mlxsw_sp_acl_rule_add+0x47/0x240
mlxsw_sp_flower_replace+0x1a9/0x1d0
tc_setup_cb_add+0xdc/0x1c0
fl_hw_replace_filter+0x146/0x1f0
fl_change+0xc17/0x1360
tc_new_tfilter+0x472/0xb90
rtnetlink_rcv_msg+0x313/0x3b0
netlink_rcv_skb+0x58/0x100
netlink_unicast+0x244/0x390
netlink_sendmsg+0x1e4/0x440
____sys_sendmsg+0x164/0x260
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xc0
do_syscall_64+0x40/0xe0
entry_SYSCALL_64_after_hwframe+0x63/0x6b

7.8 2024-02-22 CVE-2023-52452

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix accesses to uninit stack slots

Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons.

This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it.

Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead.

This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue.

A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.

7.8 2024-02-22 CVE-2023-52451

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/memhp: Fix access beyond end of drmem array

dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer:

pr_debug("Failed to hot-remove memory at %llx\n",
lmb->base_addr);

This was found by inspection and confirmed with KASAN:

pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
==================================================================
BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
Read of size 8 at addr c000000364e97fd0 by task bash/949

dump_stack_lvl+0xa4/0xfc (unreliable)
print_report+0x214/0x63c
kasan_report+0x140/0x2e0
__asan_load8+0xa8/0xe0
dlpar_memory+0x298/0x1658
handle_dlpar_errorlog+0x130/0x1d0
dlpar_store+0x18c/0x3e0
kobj_attr_store+0x68/0xa0
sysfs_kf_write+0xc4/0x110
kernfs_fop_write_iter+0x26c/0x390
vfs_write+0x2d4/0x4e0
ksys_write+0xac/0x1a0
system_call_exception+0x268/0x530
system_call_vectored_common+0x15c/0x2ec

Allocated by task 1:
kasan_save_stack+0x48/0x80
kasan_set_track+0x34/0x50
kasan_save_alloc_info+0x34/0x50
__kasan_kmalloc+0xd0/0x120
__kmalloc+0x8c/0x320
kmalloc_array.constprop.0+0x48/0x5c
drmem_init+0x2a0/0x41c
do_one_initcall+0xe0/0x5c0
kernel_init_freeable+0x4ec/0x5a0
kernel_init+0x30/0x1e0
ret_from_kernel_user_thread+0x14/0x1c

The buggy address belongs to the object at c000000364e80000
which belongs to the cache kmalloc-128k of size 131072
The buggy address is located 0 bytes to the right of
allocated 98256-byte region [c000000364e80000, c000000364e97fd0)

==================================================================
pseries-hotplug-mem: Failed to hot-remove memory at 0

Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry.

5.5 2024-02-22 CVE-2023-52450

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()

Get logical socket id instead of physical id in discover_upi_topology() to avoid out-of-bound access on 'upi = &type->topology[nid][idx];' line that leads to NULL pointer dereference in upi_fill_topology()

5.5 2024-02-22 CVE-2023-52449

In the Linux kernel, the following vulnerability has been resolved:

mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read().

ubi_gluebi_init
ubi_register_volume_notifier
ubi_enumerate_volumes
ubi_notify_all
gluebi_notify nb->notifier_call()
gluebi_create
mtd_device_register
mtd_device_parse_register
add_mtd_device
blktrans_notify_add not->add()
ftl_add_mtd tr->add_mtd()
scan_header
mtd_read
mtd_read_oob
mtd_read_oob_std
gluebi_read mtd->read()
gluebi->desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.

5.5 2024-02-22 CVE-2023-52448

In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in gfs2_rgrp_dump() to prevent that.

7.8 2024-02-22 CVE-2023-52447

In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer the free of inner map when necessary

When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem.

Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.

7.8 2024-02-22 CVE-2023-52446

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a race condition between btf_put() and map_free()

When running `./test_progs -j` in my local vm with latest kernel, I once hit a kasan error like below:

[ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0
[ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830
[ 1887.186498]
[ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G OEL 6.7.0-rc3-00699-g90679706d486-dirty #494
[ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred
[ 1887.190341] Call Trace:
[ 1887.190666]
[ 1887.190949] dump_stack_lvl+0xac/0xe0
[ 1887.191423] ? nf_tcp_handle_invalid+0x1b0/0x1b0
[ 1887.192019] ? panic+0x3c0/0x3c0
[ 1887.192449] print_report+0x14f/0x720
[ 1887.192930] ? preempt_count_sub+0x1c/0xd0
[ 1887.193459] ? __virt_addr_valid+0xac/0x120
[ 1887.194004] ? bpf_rb_root_free+0x1f8/0x2b0
[ 1887.194572] kasan_report+0xc3/0x100
[ 1887.195085] ? bpf_rb_root_free+0x1f8/0x2b0
[ 1887.195668] bpf_rb_root_free+0x1f8/0x2b0
[ 1887.196183] ? __bpf_obj_drop_impl+0xb0/0xb0
[ 1887.196736] ? preempt_count_sub+0x1c/0xd0
[ 1887.197270] ? preempt_count_sub+0x1c/0xd0
[ 1887.197802] ? _raw_spin_unlock+0x1f/0x40
[ 1887.198319] bpf_obj_free_fields+0x1d4/0x260
[ 1887.198883] array_map_free+0x1a3/0x260
[ 1887.199380] bpf_map_free_deferred+0x7b/0xe0
[ 1887.199943] process_scheduled_works+0x3a2/0x6c0
[ 1887.200549] worker_thread+0x633/0x890
[ 1887.201047] ? __kthread_parkme+0xd7/0xf0
[ 1887.201574] ? kthread+0x102/0x1d0
[ 1887.202020] kthread+0x1ab/0x1d0
[ 1887.202447] ? pr_cont_work+0x270/0x270
[ 1887.202954] ? kthread_blkcg+0x50/0x50
[ 1887.203444] ret_from_fork+0x34/0x50
[ 1887.203914] ? kthread_blkcg+0x50/0x50
[ 1887.204397] ret_from_fork_asm+0x11/0x20
[ 1887.204913]

[ 1887.204913]
[ 1887.205209]
[ 1887.205416] Allocated by task 2197:
[ 1887.205881] kasan_set_track+0x3f/0x60
[ 1887.206366] __kasan_kmalloc+0x6e/0x80
[ 1887.206856] __kmalloc+0xac/0x1a0
[ 1887.207293] btf_parse_fields+0xa15/0x1480
[ 1887.207836] btf_parse_struct_metas+0x566/0x670
[ 1887.208387] btf_new_fd+0x294/0x4d0
[ 1887.208851] __sys_bpf+0x4ba/0x600
[ 1887.209292] __x64_sys_bpf+0x41/0x50
[ 1887.209762] do_syscall_64+0x4c/0xf0
[ 1887.210222] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 1887.210868]
[ 1887.211074] Freed by task 36:
[ 1887.211460] kasan_set_track+0x3f/0x60
[ 1887.211951] kasan_save_free_info+0x28/0x40
[ 1887.212485] ____kasan_slab_free+0x101/0x180
[ 1887.213027] __kmem_cache_free+0xe4/0x210
[ 1887.213514] btf_free+0x5b/0x130
[ 1887.213918] rcu_core+0x638/0xcc0
[ 1887.214347] __do_softirq+0x114/0x37e

The error happens at bpf_rb_root_free+0x1f8/0x2b0:

00000000000034c0 :
; {
34c0: f3 0f 1e fa endbr64
34c4: e8 00 00 00 00 callq 0x34c9
34c9: 55 pushq %rbp
34ca: 48 89 e5 movq %rsp, %rbp
...
; if (rec && rec->refcount_off >= 0 &&
36aa: 4d 85 ed testq %r13, %r13
36ad: 74 a9 je 0x3658
36af: 49 8d 7d 10 leaq 0x10(%r13), %rdi
36b3: e8 00 00 00 00 callq 0x36b8
<==== kasan function
36b8: 45 8b 7d 10 movl 0x10(%r13), %r15d
<==== use-after-free load
36bc: 45 85 ff testl %r15d, %r15d
36bf: 78 8c js 0x364d

So the problem ---truncated---

7.8 2024-02-22 CVE-2023-52445

In the Linux kernel, the following vulnerability has been resolved:

media: pvrusb2: fix use after free on context disconnection

Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.

7.8 2024-02-22 CVE-2023-52444

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid dirent corruption

As Al reported in link[1]:

f2fs_rename() ...
if (old_dir != new_dir && !whiteout)
f2fs_set_link(old_inode, old_dir_entry,
old_dir_page, new_dir);
else
f2fs_put_page(old_dir_page, 0);

You want correct inumber in the ".." link. And cross-directory rename does move the source to new parent, even if you'd been asked to leave a whiteout in the old place.

[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/

With below testcase, it may cause dirent corruption, due to it missed to call f2fs_set_link() to update ".." link to new directory. - mkdir -p dir/foo - renameat2 -w dir/foo bar

[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] [FSCK] other corrupted bugs [Fail]

5.5 2024-02-22 CVE-2023-52443

In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid crash when parsed profile name is empty

When processing a packed profile in unpack_profile() described like

"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname().

aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace:

? strlen+0x1e/0xa0
aa_policy_init+0x1bb/0x230
aa_alloc_profile+0xb1/0x480
unpack_profile+0x3bc/0x4960
aa_unpack+0x309/0x15e0
aa_replace_profiles+0x213/0x33c0
policy_update+0x261/0x370
profile_replace+0x20e/0x2a0
vfs_write+0x2af/0xe00
ksys_write+0x126/0x250
do_syscall_64+0x46/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0

It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside.

AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace.

Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message.

Found by Linux Verification Center (linuxtesting.org).

4.7 2024-02-21 CVE-2024-26585

In the Linux kernel, the following vulnerability has been resolved:

tls: fix race between tx work scheduling and socket close

Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.

4.7 2024-02-21 CVE-2024-26583

In the Linux kernel, the following vulnerability has been resolved:

tls: fix race between async notify and socket close

The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data.

Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization.

Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.

7.8 2024-02-21 CVE-2024-26582

In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix use-after-free with partial reads and async decrypt

tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb.

7.8 2024-02-21 CVE-2023-52441

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix out of bounds in init_smb2_rsp_hdr()

If client send smb2 negotiate request and then send smb1 negotiate request, init_smb2_rsp_hdr is called for smb1 negotiate request since need_neg is set to false. This patch ignore smb1 packets after ->need_neg is set to false.

7.8 2024-02-21 CVE-2023-52440

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()

If authblob->SessionKey.Length is bigger than session key size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. cifs_arc4_crypt copy to session key array from SessionKey from client.

7.8 2024-02-20 CVE-2023-52439

In the Linux kernel, the following vulnerability has been resolved:

uio: Fix use-after-free in uio_open

core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open
idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release
get_device(&idev->dev) kfree(idev) uio_free_minor(minor)
uio_release
put_device(&idev->dev)
kfree(idev) -------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double
freed.

To address this issue, we can get idev atomic & inc idev reference with minor_lock.

7.8 2024-02-20 CVE-2023-52438

In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in shinker's callback

The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated.

I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF:

==================================================================
BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
Read of size 8 at addr ffff356ed50e50f0 by task bash/478

CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
Hardware name: linux,dummy-virt (DT)
Call trace:
zap_page_range_single+0x470/0x4b8
binder_alloc_free_page+0x608/0xadc
__list_lru_walk_one+0x130/0x3b0
list_lru_walk_node+0xc4/0x22c
binder_shrink_scan+0x108/0x1dc
shrinker_debugfs_scan_write+0x2b4/0x500
full_proxy_write+0xd4/0x140
vfs_write+0x1ac/0x758
ksys_write+0xf0/0x1dc
__arm64_sys_write+0x6c/0x9c

Allocated by task 492:
kmem_cache_alloc+0x130/0x368
vm_area_alloc+0x2c/0x190
mmap_region+0x258/0x18bc
do_mmap+0x694/0xa60
vm_mmap_pgoff+0x170/0x29c
ksys_mmap_pgoff+0x290/0x3a0
__arm64_sys_mmap+0xcc/0x144

Freed by task 491:
kmem_cache_free+0x17c/0x3c8
vm_area_free_rcu_cb+0x74/0x98
rcu_core+0xa38/0x26d4
rcu_core_si+0x10/0x1c
__do_softirq+0x2fc/0xd24

Last potentially related work creation:
__call_rcu_common.constprop.0+0x6c/0xba0
call_rcu+0x10/0x1c
vm_area_free+0x18/0x24
remove_vma+0xe4/0x118
do_vmi_align_munmap.isra.0+0x718/0xb5c
do_vmi_munmap+0xdc/0x1fc
__vm_munmap+0x10c/0x278
__arm64_sys_munmap+0x58/0x7c

Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.

5.5 2024-02-20 CVE-2023-52435

In the Linux kernel, the following vulnerability has been resolved:

net: prevent mss overflow in skb_segment()

Once again syzbot is able to crash the kernel in skb_segment() [1]

GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily :

mss = mss * partial_segs;

65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to a bad final result.

Make sure to limit segmentation so that the new mss value is smaller than GSO_BY_FRAGS.

[1]

general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626 __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f8692032aa9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9 RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480 R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R0 ---truncated---

8 2024-02-20 CVE-2023-52434

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential OOBs in smb2_parse_contexts()

Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts().

This fixes following oops when accessing invalid create contexts from server:

BUG: unable to handle page fault for address: ffff8881178d8cc3
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 4a01067 P4D 4a01067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]
Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00
00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7
7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00
RSP: 0018:ffffc900007939e0 EFLAGS: 00010216
RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90
RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000
RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000
R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000
R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22
FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:

? __die+0x23/0x70
? page_fault_oops+0x181/0x480
? search_module_extables+0x19/0x60
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x1b6/0x1c0
? asm_exc_page_fault+0x26/0x30
? smb2_parse_contexts+0xa0/0x3a0 [cifs]
SMB2_open+0x38d/0x5f0 [cifs]
? smb2_is_path_accessible+0x138/0x260 [cifs]
smb2_is_path_accessible+0x138/0x260 [cifs]
cifs_is_path_remote+0x8d/0x230 [cifs]
cifs_mount+0x7e/0x350 [cifs]
cifs_smb3_do_mount+0x128/0x780 [cifs]
smb3_get_tree+0xd9/0x290 [cifs]
vfs_get_tree+0x2c/0x100
? capable+0x37/0x70
path_mount+0x2d7/0xb80
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__x64_sys_mount+0x11a/0x150
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f8737657b1e

CWE : Common Weakness Enumeration

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
14% (335) CWE-416 Use After Free
10% (238) CWE-476 NULL Pointer Dereference
8% (188) CWE-362 Race Condition
7% (183) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
7% (166) CWE-200 Information Exposure
5% (134) CWE-20 Improper Input Validation
5% (126) CWE-787 Out-of-bounds Write
4% (105) CWE-399 Resource Management Errors
4% (104) CWE-125 Out-of-bounds Read
4% (96) CWE-264 Permissions, Privileges, and Access Controls
3% (91) CWE-401 Failure to Release Memory Before Removing Last Reference ('Memory L...
2% (68) CWE-190 Integer Overflow or Wraparound
2% (52) CWE-189 Numeric Errors
1% (46) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
1% (31) CWE-415 Double Free
1% (31) CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflo...
1% (27) CWE-269 Improper Privilege Management
1% (26) CWE-667 Insufficient Locking
0% (14) CWE-665 Improper Initialization
0% (13) CWE-772 Missing Release of Resource after Effective Lifetime
0% (12) CWE-369 Divide By Zero
0% (12) CWE-17 Code
0% (10) CWE-284 Access Control (Authorization) Issues
0% (9) CWE-770 Allocation of Resources Without Limits or Throttling
0% (9) CWE-310 Cryptographic Issues

CAPEC : Common Attack Pattern Enumeration & Classification

id Name
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-8 Buffer Overflow in an API Call
CAPEC-9 Buffer Overflow in Local Command-Line Utilities
CAPEC-10 Buffer Overflow via Environment Variables
CAPEC-14 Client-side Injection-induced Buffer Overflow
CAPEC-17 Accessing, Modifying or Executing Executable Files
CAPEC-24 Filter Failure through Buffer Overflow
CAPEC-42 MIME Conversion
CAPEC-44 Overflow Binary Resource File
CAPEC-45 Buffer Overflow via Symbolic Links
CAPEC-46 Overflow Variables and Tags
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-59 Session Credential Falsification through Prediction
CAPEC-60 Reusing Session IDs (aka Session Replay)
CAPEC-61 Session Fixation
CAPEC-62 Cross Site Request Forgery (aka Session Riding)
CAPEC-100 Overflow Buffers
CAPEC-112 Brute Force
CAPEC-122 Exploitation of Authorization
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-232 Exploitation of Privilege/Trust
CAPEC-234 Hijacking a privileged process
CAPEC-281 Analytic Attacks

SAINT Exploits

Description Link
Linux kernel __sock_diag_rcv_msg Netlink message privilege elevation More info here
Ubuntu overlayfs privilege elevation More info here
Linux kernel futex_requeue privilege elevation More info here
Linux Dirty COW Local File Overwrite More info here

Open Source Vulnerability Database (OSVDB)

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
78509 Linux Kernel /proc/<pid>/mem Access Restriction Weakness Local Privileg...
78303 Linux Kernel sctp_rcv() / sctp_accept() Socket Lock Race Remote DoS
78302 Linux Kernel m_stop() Implementation Local DoS
78301 Linux Kernel NSF O_Direct Implementation Local DoS
78264 Linux Kernel KVM syscall Instruction Executable Handling Local DoS
78226 Linux Kernel fs/xfs/xfs_acl.c xfs_acl_from_disk() Function Memory Corruption
78225 Linux Kernel net/ipv4/igmp.c igmp_heard_query() Function IGMP Query Parsing R...
78014 Linux Kernel SG_IO SCSI IOCTL Command Parsing Local Privilege Escalation
77780 Linux Kernel B.A.T.M.A.N. net/batman/icmp_socket.c bat_socket_read() Packet P...
77684 Linux Kernel OMAP4 Bridge Networking Interface Network Packet Parsing Remote DoS
77683 Linux Kernel HFS File System Mount Local Privilege Escalation
77626 Linux Kernel kvm_vm_ioctl_assign_device Function /dev/kym Local DoS
77625 Linux Kernel NFSv4 Mount mknod(2) Syscall Local DoS
77485 Linux Kernel /mm/oom_kill.c Local Overflow
77452 OpenFabrics Enterprise Distribution (OFED) RDS_FLAG_CONG_BITMAP Flagged RDS M...
77360 Linux Kernel TX_SKB_SHARING Local DoS
77355 Linux Kernel clock_gettime() Call Parsing Local DoS
77295 Linux Kernel UFO IPv6 UDP Datagram Parsing Remote DoS
77293 Linux Kernel b43 Driver Wireless Interface Frame Parsing Remote DoS
76805 Linux Kernel net/core/net_namespace.c Network Namespace Cleanup Weakness Remo...
76796 Linux Kernel taskstats Access Restriction Weakness Local Information Disclosure
76793 Linux Kernel security/apparmor/lsm.c apparmor_setprocattr() Function /attr/cu...
76666 Linux Kernel ext4 Extent Splitting BUG_ON() Local DoS
76641 Linux Kernel fs/xfs/xfs_vnodeops.c xfs_readlink() Function XFS Image Handling...
76639 Linux Kernel NULL Pointer Dereference ghash Algorithm Local DoS

ExploitDB Exploits

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
35370 Linux Kernel libfutex Local Root for RHEL/CentOS 7.0.1406
35161 Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2
34923 Linux Kernel remount FUSE Exploit
34134 Linux Kernel ptrace/sysret - Local Privilege Escalation
33824 Linux Kernel <= 3.13 - Local Privilege Escalation PoC (gid)
33516 Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition...
33336 Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit
32926 Linux group_info refcounter - Overflow Memory Corruption
31574 Linux ARM - Local Root Exploit
31347 linux 3.4+ local root (CONFIG_X86_X32=y)
31346 Linux 3.4+ Arbitrary write with CONFIG_X86_X32
30605 Linux Kernel 2.6.x ALSA snd-page-alloc Local Proc File Information Disclosure...
29822 Man Command -H Flag Local Buffer Overflow Vulnerability
26131 Linux kernel perf_swevent_init - Local root Exploit
18411 Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
18378 Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
17787 Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
16973 Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT Leak Exploit
16952 Linux Kernel < 2.6.37-rc2 TCP_MAXSEG Kernel Panic DoS
16263 Linux Kernel <= 2.6.37 Local Kernel Denial of Service
15774 Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation
15704 Linux Kernel <= 2.6.37 - Local Privilege Escalation
15344 Linux Kernel VIDIOCSMICROCODE IOCTL Local Memory Overwrite Vulnerability
15285 Linux RDS Protocol Local Privilege Escalation
15150 Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure

OpenVAS Exploits

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2013-09-18 Name : Debian Security Advisory DSA 2389-1 (linux-2.6 - privilege escalation/denial ...
File : nvt/deb_2389_1.nasl
2013-09-18 Name : Debian Security Advisory DSA 2443-1 (linux-2.6 - privilege escalation/denial ...
File : nvt/deb_2443_1.nasl
2013-09-18 Name : Debian Security Advisory DSA 2469-1 (linux-2.6 - privilege escalation/denial ...
File : nvt/deb_2469_1.nasl
2012-12-26 Name : CentOS Update for kernel CESA-2012:1580 centos6
File : nvt/gb_CESA-2012_1580_kernel_centos6.nasl
2012-12-26 Name : RedHat Update for kernel RHSA-2012:1580-01
File : nvt/gb_RHSA-2012_1580-01_kernel.nasl
2012-12-26 Name : Ubuntu Update for linux USN-1669-1
File : nvt/gb_ubuntu_USN_1669_1.nasl
2012-12-26 Name : Ubuntu Update for linux-ti-omap4 USN-1670-1
File : nvt/gb_ubuntu_USN_1670_1.nasl
2012-12-26 Name : Ubuntu Update for linux USN-1671-1
File : nvt/gb_ubuntu_USN_1671_1.nasl
2012-12-26 Name : Ubuntu Update for linux-ti-omap4 USN-1673-1
File : nvt/gb_ubuntu_USN_1673_1.nasl
2012-12-26 Name : Ubuntu Update for linux USN-1677-1
File : nvt/gb_ubuntu_USN_1677_1.nasl
2012-12-26 Name : Ubuntu Update for linux-lts-backport-oneiric USN-1678-1
File : nvt/gb_ubuntu_USN_1678_1.nasl
2012-12-26 Name : Ubuntu Update for linux-ti-omap4 USN-1679-1
File : nvt/gb_ubuntu_USN_1679_1.nasl
2012-12-18 Name : Fedora Update for kernel FEDORA-2012-20240
File : nvt/gb_fedora_2012_20240_kernel_fc16.nasl
2012-12-14 Name : Ubuntu Update for linux-ec2 USN-1664-1
File : nvt/gb_ubuntu_USN_1664_1.nasl
2012-12-11 Name : Ubuntu Update for linux USN-1660-1
File : nvt/gb_ubuntu_USN_1660_1.nasl
2012-12-11 Name : Ubuntu Update for linux USN-1661-1
File : nvt/gb_ubuntu_USN_1661_1.nasl
2012-12-06 Name : CentOS Update for kernel CESA-2012:1540 centos5
File : nvt/gb_CESA-2012_1540_kernel_centos5.nasl
2012-12-06 Name : RedHat Update for kernel RHSA-2012:1540-01
File : nvt/gb_RHSA-2012_1540-01_kernel.nasl
2012-12-06 Name : Ubuntu Update for linux-ec2 USN-1653-1
File : nvt/gb_ubuntu_USN_1653_1.nasl
2012-12-04 Name : Fedora Update for kernel FEDORA-2012-19337
File : nvt/gb_fedora_2012_19337_kernel_fc17.nasl
2012-12-04 Name : Ubuntu Update for linux USN-1644-1
File : nvt/gb_ubuntu_USN_1644_1.nasl
2012-12-04 Name : Ubuntu Update for linux-ti-omap4 USN-1645-1
File : nvt/gb_ubuntu_USN_1645_1.nasl
2012-12-04 Name : Ubuntu Update for linux USN-1646-1
File : nvt/gb_ubuntu_USN_1646_1.nasl
2012-12-04 Name : Ubuntu Update for linux-ti-omap4 USN-1647-1
File : nvt/gb_ubuntu_USN_1647_1.nasl
2012-12-04 Name : Ubuntu Update for linux USN-1648-1
File : nvt/gb_ubuntu_USN_1648_1.nasl

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0150 Multiple Security Vulnerabilities in Juniper Networks CTPView
Severity: Category I - VMSKEY: V0061073
2012-A-0153 Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0
Severity: Category I - VMSKEY: V0033884
2012-A-0148 Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1
Severity: Category I - VMSKEY: V0033794
2012-A-0136 Multiple Vulnerabilities in Juniper Network Management Products
Severity: Category I - VMSKEY: V0033662
2012-A-0073 Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1
Severity: Category I - VMSKEY: V0032171
2012-A-0056 Multiple Vulnerabilities in VMWare ESX 4.0 and ESXi 4.0
Severity: Category I - VMSKEY: V0031979
2012-A-0020 Multiple Vulnerabilities in VMware ESX 4.1 and ESXi 4.1
Severity: Category I - VMSKEY: V0031252
2011-A-0147 Multiple Vulnerabilities in VMware ESX and ESXi
Severity: Category I - VMSKEY: V0030545
2011-A-0075 Multiple Vulnerabilities in VMware Products
Severity: Category I - VMSKEY: V0028311
2011-A-0066 Multiple Vulnerabilities in VMware Products
Severity: Category I - VMSKEY: V0027158
2010-B-0085 Linux Kernel Privilege Escalation Vulnerability
Severity: Category I - VMSKEY: V0025410
2010-A-0015 Multiple Vulnerabilities in Red Hat Linux Kernel
Severity: Category I - VMSKEY: V0022631
2010-A-0001 Multiple Vulnerabilities in Linux Kernel
Severity: Category I - VMSKEY: V0022180
2009-A-0105 Multiple Vulnerabilities in VMware Products
Severity: Category I - VMSKEY: V0021867

Snort® IPS/IDS

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
Date Description
2014-01-10 IPv6 packets encapsulated in IPv4
RuleID : 8446 - Type : POLICY-OTHER - Revision : 8
2020-11-19 Linux kernel af_packet tpacket_rcv integer overflow attempt
RuleID : 56052 - Type : OS-LINUX - Revision : 1
2020-11-19 Linux kernel af_packet tpacket_rcv integer overflow attempt
RuleID : 56051 - Type : OS-LINUX - Revision : 1
2019-09-26 Google Android Kernel local denial of service attempt
RuleID : 51291 - Type : OS-MOBILE - Revision : 1
2019-09-26 Google Android Kernel local denial of service attempt
RuleID : 51290 - Type : OS-MOBILE - Revision : 1
2017-11-21 Linux kernel nfsd nfsd4_layout_verify out of bounds read attempt
RuleID : 44638 - Type : PROTOCOL-RPC - Revision : 1
2017-11-21 Linux kernel nfsd nfsd4_layout_verify out of bounds read attempt
RuleID : 44637 - Type : PROTOCOL-RPC - Revision : 1
2017-10-10 Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt
RuleID : 44309 - Type : OS-LINUX - Revision : 1
2017-10-10 Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt
RuleID : 44308 - Type : OS-LINUX - Revision : 1
2017-08-24 Linux kernel SCTP invalid chunk length denial of service attempt
RuleID : 43692 - Type : OS-LINUX - Revision : 1
2017-07-18 Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt
RuleID : 43189 - Type : PROTOCOL-RPC - Revision : 2
2017-07-18 Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt
RuleID : 43188 - Type : PROTOCOL-RPC - Revision : 2
2017-01-18 Linux net af_packet.c tpacket version race condition use after free attempt
RuleID : 41028 - Type : OS-LINUX - Revision : 2
2017-01-18 Linux net af_packet.c tpacket version race condition use after free attempt
RuleID : 41027 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40566 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40565 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40564 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40563 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40562 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40561 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40560 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40543 - Type : OS-LINUX - Revision : 2
2016-11-30 Linux kernel madvise race condition attempt
RuleID : 40542 - Type : OS-LINUX - Revision : 2
2018-05-23 Linux Kernel Challenge ACK provocation attempt
RuleID : 40063-community - Type : OS-LINUX - Revision : 5
2016-10-11 Linux Kernel Challenge ACK provocation attempt
RuleID : 40063 - Type : OS-LINUX - Revision : 5

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-17 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2019-509c133845.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2019-f812c9fb22.nasl - Type: ACT_GATHER_INFO
2019-01-15 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2019-337484d88b.nasl - Type: ACT_GATHER_INFO
2019-01-15 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2019-b0f7a7b74b.nasl - Type: ACT_GATHER_INFO
2019-01-14 Name: The remote Virtuozzo host is missing multiple security updates.
File: Virtuozzo_VZA-2016-104.nasl - Type: ACT_GATHER_INFO
2019-01-14 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2019-1145.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZA-2018-072.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Virtuozzo host is missing multiple security updates.
File: Virtuozzo_VZA-2018-075.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZA-2018-077.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZA-2018-085.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZA-2018-086.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZA-2018-088.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZA-2018-089.nasl - Type: ACT_GATHER_INFO
2019-01-10 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2019-1145.nasl - Type: ACT_GATHER_INFO
2019-01-10 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa10917_183R1.nasl - Type: ACT_GATHER_INFO
2019-01-10 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa10917_184R1.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-0edb45d9db.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-1621b2204a.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-272cf2f9f4.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-2c6bd93875.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-3857a8b41a.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-50075276e8.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-5453baa4af.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-5904d0794d.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-5926c0ffc8.nasl - Type: ACT_GATHER_INFO