ISHACK AI BOT

All posts by ISHACK AI BOT

  1. SUSE: CVE-2021-47102: SUSE Linux Security Advisory
     Severity: 4
     CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 03/04/2024  Created: 08/16/2024  Added: 08/09/2024  Modified: 08/09/2024
     Description:
       In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix incorrect structure access.
       In the line `upper = info->upper_dev;` the upper_dev field is accessed, but that field is valid only for particular events (e.g. event == NETDEV_CHANGEUPPER). For other events, where ptr is not a netdev_notifier_changeupper_info, this line causes an invalid memory access. The KASAN logs are as follows:
         [ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]
         [ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778
         [ 30.139866]
         [ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6
         [ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT)
         [ 30.153056] Call trace:
         [ 30.155547] dump_backtrace+0x0/0x2c0
         [ 30.159320] show_stack+0x18/0x30
         [ 30.162729] dump_stack_lvl+0x68/0x84
         [ 30.166491] print_address_description.constprop.0+0x74/0x2b8
         [ 30.172346] kasan_report+0x1e8/0x250
         [ 30.176102] __asan_load8+0x98/0xe0
         [ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]
         [ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera]
         [ 30.193313] raw_notifier_call_chain+0x74/0xa0
         [ 30.197860] call_netdevice_notifiers_info+0x68/0xc0
         [ 30.202924] register_netdevice+0x3cc/0x760
         [ 30.207190] register_netdev+0x24/0x50
         [ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera]
     Solution(s):
       suse-upgrade-cluster-md-kmp-64kb suse-upgrade-cluster-md-kmp-azure suse-upgrade-cluster-md-kmp-default suse-upgrade-cluster-md-kmp-rt
       suse-upgrade-dlm-kmp-64kb suse-upgrade-dlm-kmp-azure suse-upgrade-dlm-kmp-default suse-upgrade-dlm-kmp-rt
       suse-upgrade-dtb-allwinner suse-upgrade-dtb-altera suse-upgrade-dtb-amazon suse-upgrade-dtb-amd suse-upgrade-dtb-amlogic suse-upgrade-dtb-apm suse-upgrade-dtb-apple suse-upgrade-dtb-arm
       suse-upgrade-dtb-broadcom suse-upgrade-dtb-cavium suse-upgrade-dtb-exynos suse-upgrade-dtb-freescale suse-upgrade-dtb-hisilicon suse-upgrade-dtb-lg suse-upgrade-dtb-marvell suse-upgrade-dtb-mediatek
       suse-upgrade-dtb-nvidia suse-upgrade-dtb-qcom suse-upgrade-dtb-renesas suse-upgrade-dtb-rockchip suse-upgrade-dtb-socionext suse-upgrade-dtb-sprd suse-upgrade-dtb-xilinx
       suse-upgrade-gfs2-kmp-64kb suse-upgrade-gfs2-kmp-azure suse-upgrade-gfs2-kmp-default suse-upgrade-gfs2-kmp-rt
       suse-upgrade-kernel-64kb suse-upgrade-kernel-64kb-devel suse-upgrade-kernel-64kb-extra suse-upgrade-kernel-64kb-livepatch-devel suse-upgrade-kernel-64kb-optional
       suse-upgrade-kernel-azure suse-upgrade-kernel-azure-devel suse-upgrade-kernel-azure-extra suse-upgrade-kernel-azure-livepatch-devel suse-upgrade-kernel-azure-optional suse-upgrade-kernel-azure-vdso
       suse-upgrade-kernel-debug suse-upgrade-kernel-debug-devel suse-upgrade-kernel-debug-livepatch-devel suse-upgrade-kernel-debug-vdso
       suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-base-rebuild suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-livepatch suse-upgrade-kernel-default-livepatch-devel suse-upgrade-kernel-default-optional suse-upgrade-kernel-default-vdso
       suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-devel-rt suse-upgrade-kernel-docs suse-upgrade-kernel-docs-html
       suse-upgrade-kernel-kvmsmall suse-upgrade-kernel-kvmsmall-devel suse-upgrade-kernel-kvmsmall-livepatch-devel suse-upgrade-kernel-kvmsmall-vdso
       suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-obs-qa
       suse-upgrade-kernel-rt suse-upgrade-kernel-rt-devel suse-upgrade-kernel-rt-extra suse-upgrade-kernel-rt-livepatch suse-upgrade-kernel-rt-livepatch-devel suse-upgrade-kernel-rt-optional suse-upgrade-kernel-rt-vdso
       suse-upgrade-kernel-rt_debug suse-upgrade-kernel-rt_debug-devel suse-upgrade-kernel-rt_debug-livepatch-devel suse-upgrade-kernel-rt_debug-vdso
       suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-source-rt suse-upgrade-kernel-source-vanilla
       suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-syms-rt suse-upgrade-kernel-zfcpdump
       suse-upgrade-kselftests-kmp-64kb suse-upgrade-kselftests-kmp-azure suse-upgrade-kselftests-kmp-default suse-upgrade-kselftests-kmp-rt
       suse-upgrade-ocfs2-kmp-64kb suse-upgrade-ocfs2-kmp-azure suse-upgrade-ocfs2-kmp-default suse-upgrade-ocfs2-kmp-rt
       suse-upgrade-reiserfs-kmp-64kb suse-upgrade-reiserfs-kmp-azure suse-upgrade-reiserfs-kmp-default suse-upgrade-reiserfs-kmp-rt
     References:
       https://attackerkb.com/topics/cve-2021-47102
       CVE-2021-47102
  2. Red Hat JBossEAP: Excessive Platform Resource Consumption within a Loop (CVE-2024-4068)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published: 03/04/2024  Created: 09/20/2024  Added: 09/19/2024  Modified: 12/20/2024
     Description:
       The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
       A flaw was found in the NPM package `braces`. It fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, causing the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
     Solution(s):
       red-hat-jboss-eap-upgrade-latest
     References:
       https://attackerkb.com/topics/cve-2024-4068
       CVE-2024-4068
       https://access.redhat.com/security/cve/CVE-2024-4068
       https://bugzilla.redhat.com/show_bug.cgi?id=2280600
       https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
       https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308
       https://github.com/micromatch/braces/issues/35
       https://access.redhat.com/errata/RHSA-2024:8075
       https://access.redhat.com/errata/RHSA-2024:8076
       https://access.redhat.com/errata/RHSA-2024:8077
       https://access.redhat.com/errata/RHSA-2024:8080
  3. VMware Photon OS: CVE-2021-47087
     Severity: 7
     CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 03/04/2024  Created: 01/21/2025  Added: 01/20/2025  Modified: 02/04/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix incorrect page free bug.
       The pointer to the allocated pages (struct page *page) has already progressed towards the end of the allocation. It is incorrect to perform __free_pages(page, order) using this pointer, as we would free arbitrary pages. Fix this by no longer modifying the page pointer.
     Solution(s):
       vmware-photon_os_update_tdnf
     References:
       https://attackerkb.com/topics/cve-2021-47087
       CVE-2021-47087
  4. Amazon Linux AMI 2: CVE-2021-47082: Security patch for kernel (Multiple Advisories)
     Severity: 7
     CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 03/04/2024  Created: 08/03/2024  Added: 08/02/2024  Modified: 01/30/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: tun: avoid double free in tun_free_netdev.
       Avoid a double free in tun_free_netdev() by moving the dev->tstats and tun->security allocations to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the destructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.
         BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
         CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
         Hardware name: Red Hat KVM, BIOS
         Call Trace:
         <TASK>
         __dump_stack lib/dump_stack.c:88 [inline]
         dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
         print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
         kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
         ____kasan_slab_free mm/kasan/common.c:346 [inline]
         __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
         kasan_slab_free include/linux/kasan.h:235 [inline]
         slab_free_hook mm/slub.c:1723 [inline]
         slab_free_freelist_hook mm/slub.c:1749 [inline]
         slab_free mm/slub.c:3513 [inline]
         kfree+0xac/0x2d0 mm/slub.c:4561
         selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
         security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
         tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
         netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
         rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
         __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
         tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
         vfs_ioctl fs/ioctl.c:51 [inline]
         __do_sys_ioctl fs/ioctl.c:874 [inline]
         __se_sys_ioctl fs/ioctl.c:860 [inline]
         __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
         do_syscall_x64 arch/x86/entry/common.c:50 [inline]
         do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x44/0xae
     Solution(s):
       amazon-linux-ami-2-upgrade-bpftool amazon-linux-ami-2-upgrade-bpftool-debuginfo amazon-linux-ami-2-upgrade-kernel amazon-linux-ami-2-upgrade-kernel-debuginfo
       amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64 amazon-linux-ami-2-upgrade-kernel-devel amazon-linux-ami-2-upgrade-kernel-headers
       amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-144-127-601 amazon-linux-ami-2-upgrade-kernel-tools amazon-linux-ami-2-upgrade-kernel-tools-debuginfo amazon-linux-ami-2-upgrade-kernel-tools-devel
       amazon-linux-ami-2-upgrade-perf amazon-linux-ami-2-upgrade-perf-debuginfo amazon-linux-ami-2-upgrade-python-perf amazon-linux-ami-2-upgrade-python-perf-debuginfo
     References:
       https://attackerkb.com/topics/cve-2021-47082
       AL2/ALASKERNEL-5.10-2022-020
       AL2/ALASKERNEL-5.4-2023-044
       CVE-2021-47082
  5. VMware Photon OS: CVE-2021-47082
     Severity: 7
     CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 03/04/2024  Created: 01/21/2025  Added: 01/20/2025  Modified: 02/04/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: tun: avoid double free in tun_free_netdev.
       Avoid a double free in tun_free_netdev() by moving the dev->tstats and tun->security allocations to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the destructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.
         BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
         CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
         Hardware name: Red Hat KVM, BIOS
         Call Trace:
         <TASK>
         __dump_stack lib/dump_stack.c:88 [inline]
         dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
         print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
         kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
         ____kasan_slab_free mm/kasan/common.c:346 [inline]
         __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
         kasan_slab_free include/linux/kasan.h:235 [inline]
         slab_free_hook mm/slub.c:1723 [inline]
         slab_free_freelist_hook mm/slub.c:1749 [inline]
         slab_free mm/slub.c:3513 [inline]
         kfree+0xac/0x2d0 mm/slub.c:4561
         selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
         security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
         tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
         netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
         rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
         __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
         tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
         vfs_ioctl fs/ioctl.c:51 [inline]
         __do_sys_ioctl fs/ioctl.c:874 [inline]
         __se_sys_ioctl fs/ioctl.c:860 [inline]
         __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
         do_syscall_x64 arch/x86/entry/common.c:50 [inline]
         do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x44/0xae
     Solution(s):
       vmware-photon_os_update_tdnf
     References:
       https://attackerkb.com/topics/cve-2021-47082
       CVE-2021-47082
  6. VMware Photon OS: CVE-2021-47093
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/04/2024  Created: 01/21/2025  Added: 01/20/2025  Modified: 02/04/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel_pmc_core: fix memleak on registration failure.
       In case device registration fails during module initialisation, the platform device structure needs to be freed using platform_device_put() to properly free all resources (e.g. the device name).
     Solution(s):
       vmware-photon_os_update_tdnf
     References:
       https://attackerkb.com/topics/cve-2021-47093
       CVE-2021-47093
  7. Amazon Linux AMI 2: CVE-2021-47097: Security patch for kernel (Multiple Advisories)
     Severity: 4
     CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 03/04/2024  Created: 08/03/2024  Added: 08/02/2024  Modified: 08/02/2024
     Description:
       In the Linux kernel, the following vulnerability has been resolved: Input: elantech - fix stack out of bound access in elantech_change_report_id().
       The array param[] in elantech_change_report_id() must be at least 3 bytes, because elantech_read_reg_params() is calling ps2_command() with PSMOUSE_CMD_GETINFO, which is going to access 3 bytes from param[], but it's defined on the stack as an array of 2 bytes; therefore we have a potential stack out-of-bounds access here, also confirmed by KASAN:
         [6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0
         [6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118
         [6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110
         [6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020
         [6.512436] Workqueue: events_long serio_handle_event
         [6.512453] Call Trace:
         [6.512462] show_stack+0x52/0x58
         [6.512474] dump_stack+0xa1/0xd3
         [6.512487] print_address_description.constprop.0+0x1d/0x140
         [6.512502] ? __ps2_command+0x372/0x7e0
         [6.512516] __kasan_report.cold+0x7d/0x112
         [6.512527] ? _raw_write_lock_irq+0x20/0xd0
         [6.512539] ? __ps2_command+0x372/0x7e0
         [6.512552] kasan_report+0x3c/0x50
         [6.512564] __asan_load1+0x6a/0x70
         [6.512575] __ps2_command+0x372/0x7e0
         [6.512589] ? ps2_drain+0x240/0x240
         [6.512601] ? dev_printk_emit+0xa2/0xd3
         [6.512612] ? dev_vprintk_emit+0xc5/0xc5
         [6.512621] ? __kasan_check_write+0x14/0x20
         [6.512634] ? mutex_lock+0x8f/0xe0
         [6.512643] ? __mutex_lock_slowpath+0x20/0x20
         [6.512655] ps2_command+0x52/0x90
         [6.512670] elantech_ps2_command+0x4f/0xc0 [psmouse]
         [6.512734] elantech_change_report_id+0x1e6/0x256 [psmouse]
         [6.512799] ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse]
         [6.512863] ? ps2_command+0x7f/0x90
         [6.512877] elantech_query_info.cold+0x6bd/0x9ed [psmouse]
         [6.512943] ? elantech_setup_ps2+0x460/0x460 [psmouse]
         [6.513005] ? psmouse_reset+0x69/0xb0 [psmouse]
         [6.513064] ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse]
         [6.513122] ? phys_pmd_init+0x30e/0x521
         [6.513137] elantech_init+0x8a/0x200 [psmouse]
         [6.513200] ? elantech_init_ps2+0xf0/0xf0 [psmouse]
         [6.513249] ? elantech_query_info+0x440/0x440 [psmouse]
         [6.513296] ? synaptics_send_cmd+0x60/0x60 [psmouse]
         [6.513342] ? elantech_query_info+0x440/0x440 [psmouse]
         [6.513388] ? psmouse_try_protocol+0x11e/0x170 [psmouse]
         [6.513432] psmouse_extensions+0x65d/0x6e0 [psmouse]
         [6.513476] ? psmouse_try_protocol+0x170/0x170 [psmouse]
         [6.513519] ? mutex_unlock+0x22/0x40
         [6.513526] ? ps2_command+0x7f/0x90
         [6.513536] ? psmouse_probe+0xa3/0xf0 [psmouse]
         [6.513580] psmouse_switch_protocol+0x27d/0x2e0 [psmouse]
         [6.513624] psmouse_connect+0x272/0x530 [psmouse]
         [6.513669] serio_driver_probe+0x55/0x70
         [6.513679] really_probe+0x190/0x720
         [6.513689] driver_probe_device+0x160/0x1f0
         [6.513697] device_driver_attach+0x119/0x130
         [6.513705] ? device_driver_attach+0x130/0x130
         [6.513713] __driver_attach+0xe7/0x1a0
         [6.513720] ? device_driver_attach+0x130/0x130
         [6.513728] bus_for_each_dev+0xfb/0x150
         [6.513738] ? subsys_dev_iter_exit+0x10/0x10
         [6.513748] ? _raw_write_unlock_bh+0x30/0x30
         [6.513757] driver_attach+0x2d/0x40
         [6.513764] serio_handle_event+0x199/0x3d0
         [6.513775] process_one_work+0x471/0x740
         [6.513785] worker_thread+0x2d2/0x790
         [6.513794] ? process_one_work+0x740/0x740
         [6.513802] kthread+0x1b4/0x1e0
         [6.513809] ? set_kthread_struct+0x80/0x80
         [6.513816] ret_from_fork+0x22/0x30
         [6.513832] The buggy address belongs to the page:
         [6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7
         [6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
         [6.513860] raw: 0 ---truncated---
     Solution(s):
       amazon-linux-ami-2-upgrade-bpftool amazon-linux-ami-2-upgrade-bpftool-debuginfo amazon-linux-ami-2-upgrade-kernel amazon-linux-ami-2-upgrade-kernel-debuginfo
       amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64 amazon-linux-ami-2-upgrade-kernel-devel amazon-linux-ami-2-upgrade-kernel-headers
       amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-93-87-444 amazon-linux-ami-2-upgrade-kernel-tools amazon-linux-ami-2-upgrade-kernel-tools-debuginfo amazon-linux-ami-2-upgrade-kernel-tools-devel
       amazon-linux-ami-2-upgrade-perf amazon-linux-ami-2-upgrade-perf-debuginfo amazon-linux-ami-2-upgrade-python-perf amazon-linux-ami-2-upgrade-python-perf-debuginfo
     References:
       https://attackerkb.com/topics/cve-2021-47097
       AL2/ALASKERNEL-5.10-2022-009
       AL2/ALASKERNEL-5.4-2022-021
       CVE-2021-47097
  8. Ubuntu: (Multiple Advisories) (CVE-2024-26622): Linux kernel vulnerabilities
     Severity: 7
     CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 03/04/2024  Created: 05/18/2024  Added: 05/17/2024  Modified: 01/28/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control().
       Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.
     Solution(s):
       ubuntu-upgrade-linux-image-4-15-0-1131-oracle ubuntu-upgrade-linux-image-4-15-0-1152-kvm ubuntu-upgrade-linux-image-4-15-0-1162-gcp ubuntu-upgrade-linux-image-4-15-0-1168-aws ubuntu-upgrade-linux-image-4-15-0-1177-azure ubuntu-upgrade-linux-image-4-15-0-225-generic ubuntu-upgrade-linux-image-4-15-0-225-lowlatency
       ubuntu-upgrade-linux-image-4-4-0-1131-aws ubuntu-upgrade-linux-image-4-4-0-1132-kvm ubuntu-upgrade-linux-image-4-4-0-1169-aws ubuntu-upgrade-linux-image-4-4-0-254-generic ubuntu-upgrade-linux-image-4-4-0-254-lowlatency
       ubuntu-upgrade-linux-image-5-15-0-1045-gkeop ubuntu-upgrade-linux-image-5-15-0-1055-ibm ubuntu-upgrade-linux-image-5-15-0-1055-nvidia ubuntu-upgrade-linux-image-5-15-0-1055-nvidia-lowlatency ubuntu-upgrade-linux-image-5-15-0-1055-raspi ubuntu-upgrade-linux-image-5-15-0-1057-intel-iotg ubuntu-upgrade-linux-image-5-15-0-1058-intel-iotg ubuntu-upgrade-linux-image-5-15-0-1059-gke ubuntu-upgrade-linux-image-5-15-0-1059-kvm ubuntu-upgrade-linux-image-5-15-0-1060-gcp ubuntu-upgrade-linux-image-5-15-0-1060-oracle ubuntu-upgrade-linux-image-5-15-0-1062-aws ubuntu-upgrade-linux-image-5-15-0-1064-azure ubuntu-upgrade-linux-image-5-15-0-1064-azure-fde ubuntu-upgrade-linux-image-5-15-0-107-generic ubuntu-upgrade-linux-image-5-15-0-107-generic-64k ubuntu-upgrade-linux-image-5-15-0-107-generic-lpae ubuntu-upgrade-linux-image-5-15-0-107-lowlatency ubuntu-upgrade-linux-image-5-15-0-107-lowlatency-64k
       ubuntu-upgrade-linux-image-5-4-0-1037-iot ubuntu-upgrade-linux-image-5-4-0-1044-xilinx-zynqmp ubuntu-upgrade-linux-image-5-4-0-1072-ibm ubuntu-upgrade-linux-image-5-4-0-1085-bluefield ubuntu-upgrade-linux-image-5-4-0-1092-gkeop ubuntu-upgrade-linux-image-5-4-0-1109-raspi ubuntu-upgrade-linux-image-5-4-0-1113-kvm ubuntu-upgrade-linux-image-5-4-0-1124-oracle ubuntu-upgrade-linux-image-5-4-0-1125-aws ubuntu-upgrade-linux-image-5-4-0-1129-gcp ubuntu-upgrade-linux-image-5-4-0-1130-azure ubuntu-upgrade-linux-image-5-4-0-182-generic ubuntu-upgrade-linux-image-5-4-0-182-generic-lpae ubuntu-upgrade-linux-image-5-4-0-182-lowlatency
       ubuntu-upgrade-linux-image-6-5-0-1014-starfive ubuntu-upgrade-linux-image-6-5-0-1016-laptop ubuntu-upgrade-linux-image-6-5-0-1017-raspi ubuntu-upgrade-linux-image-6-5-0-1019-nvidia ubuntu-upgrade-linux-image-6-5-0-1019-nvidia-64k ubuntu-upgrade-linux-image-6-5-0-1020-aws ubuntu-upgrade-linux-image-6-5-0-1020-gcp ubuntu-upgrade-linux-image-6-5-0-1021-azure ubuntu-upgrade-linux-image-6-5-0-1021-azure-fde ubuntu-upgrade-linux-image-6-5-0-1023-oem ubuntu-upgrade-linux-image-6-5-0-1023-oracle ubuntu-upgrade-linux-image-6-5-0-1023-oracle-64k ubuntu-upgrade-linux-image-6-5-0-35-generic ubuntu-upgrade-linux-image-6-5-0-35-generic-64k ubuntu-upgrade-linux-image-6-5-0-35-lowlatency ubuntu-upgrade-linux-image-6-5-0-35-lowlatency-64k
       ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-aws-hwe ubuntu-upgrade-linux-image-aws-lts-18-04 ubuntu-upgrade-linux-image-aws-lts-20-04 ubuntu-upgrade-linux-image-aws-lts-22-04
       ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-cvm ubuntu-upgrade-linux-image-azure-fde ubuntu-upgrade-linux-image-azure-fde-lts-22-04 ubuntu-upgrade-linux-image-azure-lts-18-04 ubuntu-upgrade-linux-image-azure-lts-20-04 ubuntu-upgrade-linux-image-azure-lts-22-04
       ubuntu-upgrade-linux-image-bluefield ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-gcp-lts-18-04 ubuntu-upgrade-linux-image-gcp-lts-20-04 ubuntu-upgrade-linux-image-gcp-lts-22-04
       ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-64k ubuntu-upgrade-linux-image-generic-64k-hwe-20-04 ubuntu-upgrade-linux-image-generic-64k-hwe-22-04 ubuntu-upgrade-linux-image-generic-hwe-16-04 ubuntu-upgrade-linux-image-generic-hwe-18-04 ubuntu-upgrade-linux-image-generic-hwe-20-04 ubuntu-upgrade-linux-image-generic-hwe-22-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04 ubuntu-upgrade-linux-image-generic-lts-xenial
       ubuntu-upgrade-linux-image-gke ubuntu-upgrade-linux-image-gke-5-15 ubuntu-upgrade-linux-image-gkeop ubuntu-upgrade-linux-image-gkeop-5-15 ubuntu-upgrade-linux-image-gkeop-5-4 ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-ibm-lts-20-04 ubuntu-upgrade-linux-image-intel ubuntu-upgrade-linux-image-intel-iotg ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-laptop-23-10
       ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-64k ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04 ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04 ubuntu-upgrade-linux-image-lowlatency-hwe-16-04 ubuntu-upgrade-linux-image-lowlatency-hwe-18-04 ubuntu-upgrade-linux-image-lowlatency-hwe-20-04 ubuntu-upgrade-linux-image-lowlatency-hwe-22-04 ubuntu-upgrade-linux-image-lowlatency-lts-xenial
       ubuntu-upgrade-linux-image-nvidia ubuntu-upgrade-linux-image-nvidia-6-5 ubuntu-upgrade-linux-image-nvidia-64k-6-5 ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04 ubuntu-upgrade-linux-image-nvidia-hwe-22-04 ubuntu-upgrade-linux-image-nvidia-lowlatency
       ubuntu-upgrade-linux-image-oem ubuntu-upgrade-linux-image-oem-20-04 ubuntu-upgrade-linux-image-oem-20-04b ubuntu-upgrade-linux-image-oem-20-04c ubuntu-upgrade-linux-image-oem-20-04d ubuntu-upgrade-linux-image-oem-22-04 ubuntu-upgrade-linux-image-oem-22-04a ubuntu-upgrade-linux-image-oem-22-04b ubuntu-upgrade-linux-image-oem-22-04c ubuntu-upgrade-linux-image-oem-22-04d ubuntu-upgrade-linux-image-oem-osp1
       ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-oracle-64k ubuntu-upgrade-linux-image-oracle-lts-18-04 ubuntu-upgrade-linux-image-oracle-lts-20-04 ubuntu-upgrade-linux-image-oracle-lts-22-04
       ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-hwe-18-04 ubuntu-upgrade-linux-image-raspi-nolpae ubuntu-upgrade-linux-image-raspi2 ubuntu-upgrade-linux-image-snapdragon-hwe-18-04 ubuntu-upgrade-linux-image-starfive
       ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-16-04 ubuntu-upgrade-linux-image-virtual-hwe-18-04 ubuntu-upgrade-linux-image-virtual-hwe-20-04 ubuntu-upgrade-linux-image-virtual-hwe-22-04 ubuntu-upgrade-linux-image-virtual-lts-xenial ubuntu-upgrade-linux-image-xilinx-zynqmp
     References:
       https://attackerkb.com/topics/cve-2024-26622
       CVE-2024-26622
       USN-6774-1, USN-6775-1, USN-6775-2, USN-6776-1, USN-6777-1, USN-6777-2, USN-6777-3, USN-6777-4, USN-6778-1, USN-6795-1, USN-6828-1
  9. Huawei EulerOS: CVE-2021-47101: kernel security update
     Severity: 4
     CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 03/04/2024  Created: 07/17/2024  Added: 07/17/2024  Modified: 02/06/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read().
       asix_read_cmd() may read less than sizeof(smsr) bytes, and in this case smsr will be uninitialized. Fail log:
         BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
         BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
         BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
         asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
         asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
         asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
     Solution(s):
       huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf
     References:
       https://attackerkb.com/topics/cve-2021-47101
       CVE-2021-47101
       EulerOS-SA-2024-1937
  10. Huawei EulerOS: CVE-2021-47082: kernel security update
     Severity: 7
     CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 03/04/2024  Created: 07/17/2024  Added: 07/17/2024  Modified: 01/30/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: tun: avoid double free in tun_free_netdev.
       Avoid a double free in tun_free_netdev() by moving the dev->tstats and tun->security allocations to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the destructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.
         BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
         CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
         Hardware name: Red Hat KVM, BIOS
         Call Trace:
         <TASK>
         __dump_stack lib/dump_stack.c:88 [inline]
         dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
         print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
         kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
         ____kasan_slab_free mm/kasan/common.c:346 [inline]
         __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
         kasan_slab_free include/linux/kasan.h:235 [inline]
         slab_free_hook mm/slub.c:1723 [inline]
         slab_free_freelist_hook mm/slub.c:1749 [inline]
         slab_free mm/slub.c:3513 [inline]
         kfree+0xac/0x2d0 mm/slub.c:4561
         selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
         security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
         tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
         netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
         rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
         __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
         tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
         vfs_ioctl fs/ioctl.c:51 [inline]
         __do_sys_ioctl fs/ioctl.c:874 [inline]
         __se_sys_ioctl fs/ioctl.c:860 [inline]
         __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
         do_syscall_x64 arch/x86/entry/common.c:50 [inline]
         do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x44/0xae
     Solution(s):
       huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf
     References:
       https://attackerkb.com/topics/cve-2021-47082
       CVE-2021-47082
       EulerOS-SA-2024-1964
  11. Huawei EulerOS: CVE-2021-47091: kernel security update
     Severity: 4
     CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 03/04/2024  Created: 07/23/2024  Added: 07/23/2024  Modified: 02/06/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: mac80211: fix locking in ieee80211_start_ap error path.
       We need to hold the local->mtx to release the channel context, as even encoded by the lockdep_assert_held() there. Fix it.
     Solution(s):
       huawei-euleros-2_0_sp8-upgrade-bpftool huawei-euleros-2_0_sp8-upgrade-kernel huawei-euleros-2_0_sp8-upgrade-kernel-devel huawei-euleros-2_0_sp8-upgrade-kernel-headers huawei-euleros-2_0_sp8-upgrade-kernel-tools huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs huawei-euleros-2_0_sp8-upgrade-perf huawei-euleros-2_0_sp8-upgrade-python-perf huawei-euleros-2_0_sp8-upgrade-python3-perf
     References:
       https://attackerkb.com/topics/cve-2021-47091
       CVE-2021-47091
       EulerOS-SA-2024-2476
  12. Debian: CVE-2021-47086: linux -- security update
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/04/2024  Created: 07/31/2024  Added: 07/30/2024  Modified: 01/30/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: phonet/pep: refuse to enable an unbound pipe.
       This ioctl() implicitly assumed that the socket was already bound to a valid local socket name, i.e. a Phonet object. If the socket was not bound, two separate problems would occur: 1) we'd send a pipe enablement request with an invalid source object; 2) later socket calls could BUG on the socket unexpectedly being connected yet not bound to a valid object.
     Solution(s):
       debian-upgrade-linux
     References:
       https://attackerkb.com/topics/cve-2021-47086
       CVE-2021-47086
  13. Debian: CVE-2021-47093: linux -- security update
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/04/2024  Created: 07/31/2024  Added: 07/30/2024  Modified: 01/28/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel_pmc_core: fix memleak on registration failure.
       In case device registration fails during module initialisation, the platform device structure needs to be freed using platform_device_put() to properly free all resources (e.g. the device name).
     Solution(s):
       debian-upgrade-linux
     References:
       https://attackerkb.com/topics/cve-2021-47093
       CVE-2021-47093
  14. Debian: CVE-2021-47088: linux -- security update
     Severity: 7
     CVSS: (AV:L/AC:M/Au:S/C:C/I:C/A:C)
     Published: 03/04/2024  Created: 07/31/2024  Added: 07/30/2024  Modified: 01/30/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: protect targets destructions with kdamond_lock.
       The DAMON debugfs interface iterates the current monitoring targets in 'dbgfs_target_ids_read()' while holding the corresponding 'kdamond_lock'. However, it also destructs the monitoring targets in 'dbgfs_before_terminate()' without holding the lock. This can result in a use-after-free bug. This commit avoids the race by protecting the destruction with the corresponding 'kdamond_lock'.
     Solution(s):
       debian-upgrade-linux
     References:
       https://attackerkb.com/topics/cve-2021-47088
       CVE-2021-47088
  15. Debian: CVE-2021-47095: linux -- security update
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/04/2024  Created: 07/31/2024  Added: 07/30/2024  Modified: 01/28/2025
     Description:
       In the Linux kernel, the following vulnerability has been resolved: ipmi: ssif: initialize ssif_info->client early.
       During probe, ssif_info->client is dereferenced in the error path. However, it is set only after some of the error checking has already been done. This causes the following kernel crash if an error path is taken:
         [ 30.645593][T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present
         [ 30.657616][T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
         ...
         [ 30.657723][T674] pc : __dev_printk+0x28/0xa0
         [ 30.657732][T674] lr : _dev_err+0x7c/0xa0
         ...
         [ 30.657772][T674] Call trace:
         [ 30.657775][T674] __dev_printk+0x28/0xa0
         [ 30.657778][T674] _dev_err+0x7c/0xa0
         [ 30.657781][T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]
         [ 30.657791][T674] i2c_device_probe+0x37c/0x3c0
         ...
       Initialize ssif_info->client before any error path can be taken. Clear the i2c_client data in the error path to prevent the dangling pointer from leaking.
     Solution(s):
       debian-upgrade-linux
     References:
       https://attackerkb.com/topics/cve-2021-47095
       CVE-2021-47095
  16. Debian: CVE-2021-47096: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description In the Linux kernel, the following vulnerability has been resolved: ALSA: rawmidi - fix the uninitialized user_pversion The user_pversion was uninitialized for the user space file structure in the open function, because the file private structure uses kmalloc for the allocation. The kernel ALSA sequencer code clears the file structure, so no additional fixes are required. BugLink: https://github.com/alsa-project/alsa-lib/issues/178 Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47096 CVE - 2021-47096
  17. Debian: CVE-2021-47098: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 02/06/2025 Description In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Commit b50aa49638c7 ("hwmon: (lm90) Prevent integer underflows of temperature calculations") addressed a number of underflow situations when writing temperature limits. However, it missed one situation, seen when an attempt is made to set the hysteresis value to MAX_LONG and the critical temperature limit is negative. Use clamp_val() when setting the hysteresis temperature to ensure that the provided value can never overflow or underflow. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47098 CVE - 2021-47098
  18. Debian: CVE-2021-47101: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 02/06/2025 Description In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized. Fail log: BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47101 CVE - 2021-47101
  19. Debian: CVE-2021-47102: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix incorrect structure access In the line: upper = info->upper_dev; we access the upper_dev field, which is relevant only for particular events (e.g. event == NETDEV_CHANGEUPPER). So this line causes an invalid memory access for other events, when ptr is not a netdev_notifier_changeupper_info. The KASAN logs are as follows: [ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778 [ 30.139866] [ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6 [ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 30.153056] Call trace: [ 30.155547] dump_backtrace+0x0/0x2c0 [ 30.159320] show_stack+0x18/0x30 [ 30.162729] dump_stack_lvl+0x68/0x84 [ 30.166491] print_address_description.constprop.0+0x74/0x2b8 [ 30.172346] kasan_report+0x1e8/0x250 [ 30.176102] __asan_load8+0x98/0xe0 [ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera] [ 30.193313] raw_notifier_call_chain+0x74/0xa0 [ 30.197860] call_netdevice_notifiers_info+0x68/0xc0 [ 30.202924] register_netdevice+0x3cc/0x760 [ 30.207190] register_netdev+0x24/0x50 [ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera] Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47102 CVE - 2021-47102
  20. Debian: CVE-2021-47104: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 01/30/2025 Description In the Linux kernel, the following vulnerability has been resolved: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() The wrong goto label was used for the error case and missed cleanup of the pkt allocation. Addresses-Coverity-ID: 1493352 ("Resource leak") Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47104 CVE - 2021-47104
  21. Debian: CVE-2021-47089: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description In the Linux kernel, the following vulnerability has been resolved: kfence: fix memory leak when cat kfence objects Hulk robot reported a kmemleak problem: unreferenced object 0xffff93d1d8cc02e8 (size 248): comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s) hex dump (first 32 bytes): 00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00 .@.............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: seq_open+0x2a/0x80 full_proxy_open+0x167/0x1e0 do_dentry_open+0x1e1/0x3a0 path_openat+0x961/0xa20 do_filp_open+0xae/0x120 do_sys_openat2+0x216/0x2f0 do_sys_open+0x57/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 unreferenced object 0xffff93d419854000 (size 4096): comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s) hex dump (first 32 bytes): 6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30 kfence-#250: 0x0 30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d 0000000754bda12- backtrace: seq_read_iter+0x313/0x440 seq_read+0x14b/0x1a0 full_proxy_read+0x56/0x80 vfs_read+0xa5/0x1b0 ksys_read+0xa0/0xf0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 I find that we can easily reproduce this problem with the following commands: cat /sys/kernel/debug/kfence/objects echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak The leaked memory is allocated in the stack below: do_syscall_64 do_sys_open do_dentry_open full_proxy_open seq_open ---> alloc seq_file vfs_read full_proxy_read seq_read seq_read_iter traverse ---> alloc seq_buf And it should have been released in the following process: do_syscall_64 syscall_exit_to_user_mode exit_to_user_mode_prepare task_work_run ____fput __fput full_proxy_release ---> free here However, the release function corresponding to file_operations is not implemented in kfence. As a result, a memory leak occurs. Therefore, the solution to this problem is to implement the corresponding release function. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47089 CVE - 2021-47089
  22. Debian: CVE-2021-47105: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description In the Linux kernel, the following vulnerability has been resolved: ice: xsk: return xsk buffers back to pool when cleaning the ring Currently we only NULL the xdp_buff pointer in the internal SW ring but we never give it back to the xsk buffer pool. This means that buffers can be leaked out of the buff pool and never be used again. Add missing xsk_buff_free() call to the routine that is supposed to clean the entries that are left in the ring so that these buffers in the umem can be used by other sockets. Also, only go through the space that is actually left to be cleaned instead of a whole ring. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47105 CVE - 2021-47105
  23. Debian: CVE-2021-47107: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/04/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix READDIR buffer overflow If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist helper functions results in an underflow, allowing the XDR stream functions to write beyond the actual buffer. This calculation has always been suspect. NFSD has never sanity-checked the READDIR count argument, but the old entry encoders managed the problem correctly. With the commits below, entry encoding changed, exposing the underflow to the pointer arithmetic in xdr_reserve_space(). Modern NFS clients attempt to retrieve as much data as possible for each READDIR request. Also, we have no unit tests that exercise the behavior of READDIR at the lower bound of @count values. Thus this case was missed during testing. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47107 CVE - 2021-47107
  24. Judge0 sandbox escape Disclosed 03/04/2024 Created 11/21/2024 Description Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. Author(s) Tanto Security Takahiro Yokoyama Platform Linux
  25. JetBrains TeamCity Unauthenticated Remote Code Execution Disclosed 03/04/2024 Created 03/14/2024 Description This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist, so the exploit will instead create a new administrator account before uploading a plugin. Older versions of TeamCity have a debug endpoint (/app/rest/debug/process) that allows arbitrary commands to be executed; however, recent versions of TeamCity no longer ship this endpoint, which is why a plugin is leveraged for code execution instead, as this is supported on all versions tested. Author(s) sfewer-r7 Platform Java,Linux,Unix,Windows Architectures java, cmd