| purl | pkg:deb/debian/linux@6.6.15-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-14ak-evwq-2bex | kernel: PM / devfreq: Fix buffer overflow in trans_stat_show | CVE-2023-52614 |
| VCID-192b-rfyw-nbdv | kernel: mm/sparsemem: fix race in accessing memory_section->usage | CVE-2023-52489 |
| VCID-22kn-ncv1-87g1 | kernel: rpmsg: virtio: Free driver_override when rpmsg_remove() | CVE-2023-52670 |
| VCID-28sa-wnbg-ubgf | In the Linux kernel, the following vulnerability has been resolved: serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed. Returning an error code from .remove() makes the driver core emit the little helpful error message "remove callback returned a non-zero value. This will be ignored." and then remove the device anyhow. So all resources that were not freed are leaked in this case. Skipping serial8250_unregister_port() has the potential to keep enough of the UART around to trigger a use-after-free. So replace the error return (and with it the little helpful error message) by a more useful error message and continue to cleanup. | CVE-2023-52457 |
| VCID-2ktk-z761-uyd7 | kernel: ALSA: scarlett2: Add missing error checks to *_ctl_get() | CVE-2023-52680 |
| VCID-3gsd-1zzd-jkfz | kernel: drm/amd/pm: fix a double-free in si_dpm_init | CVE-2023-52691 |
| VCID-3h89-dh3v-eye9 | kernel: null-ptr-deref in alloc_workqueue | CVE-2023-52470 |
| VCID-3kxa-uwbn-mkdr | kernel: pipe: wakeup wr_wait after setting max_usage | CVE-2023-52672 |
| VCID-3ypg-newc-n7fr | kernel: thermal: intel: hfi: Add syscore callbacks for system-wide PM | CVE-2024-26646 |
| VCID-4bfe-ftea-zbhc | kernel: use-after-free in class_register() | CVE-2023-52468 |
| VCID-4d8q-36h2-kkfx | kernel: PM: sleep: Fix possible deadlocks in core system-wide PM code | CVE-2023-52498 |
| VCID-4qvh-m9dq-qqeu | kernel: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier | CVE-2023-52449 |
| VCID-4rzc-jde2-kqen | kernel: erofs: fix lz4 inplace decompression | CVE-2023-52497 |
| VCID-4wdt-2vxf-nbd7 | kernel: block: null pointer dereference in ioctl.c when length and logical block size are misaligned | CVE-2023-52458 |
| VCID-4wnz-gjpx-mub1 | kernel: powerpc/powernv: Add a null pointer check in opal_powercap_init() | CVE-2023-52696 |
| VCID-4wqs-d1dp-sbcq | kernel: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS | CVE-2024-26589 |
| VCID-598a-ww2s-6fga | kernel: powerpc/powernv: Add a null pointer check to scom_debug_init_one() | CVE-2023-52690 |
| VCID-5hdv-pgsr-cfbm | kernel: bpf: Guard stack limits against 32bit overflow | CVE-2023-52676 |
| VCID-5jn4-rn7w-pydp | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid dirent corruption. As Al reported in link[1]: f2fs_rename() ... if (old_dir != new_dir && !whiteout) f2fs_set_link(old_inode, old_dir_entry, old_dir_page, new_dir); else f2fs_put_page(old_dir_page, 0); You want correct inumber in the ".." link. And cross-directory rename does move the source to new parent, even if you'd been asked to leave a whiteout in the old place. [1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ With below testcase, it may cause dirent corruption, due to it missed to call f2fs_set_link() to update ".." link to new directory. - mkdir -p dir/foo - renameat2 -w dir/foo bar [ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] [FSCK] other corrupted bugs [Fail] | CVE-2023-52444 |
| VCID-61fj-fbhb-afhu | kernel: dmaengine: fix NULL pointer in channel unregistration function | CVE-2023-52492 |
| VCID-62j2-3w9j-v7cv | kernel: NULL pointer dereference in __nvmet_req_complete | CVE-2023-6536 |
| VCID-63yv-1kxm-nkhx | kernel: binder: fix race between mmput() and do_exit() | CVE-2023-52609 |
| VCID-66u3-ytw7-t3cg | kernel: bpf: Prevent out-of-bounds memory access on LoongArch | CVE-2024-26588 |
| VCID-6p1m-h3bk-abf9 | kernel: netfs, fscache: Prevent Oops in fscache_put_cache() | CVE-2024-26612 |
| VCID-6r6k-2yc1-3yez | kernel: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work | CVE-2024-26631 |
| VCID-6vct-1ben-juc3 | kernel: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() | CVE-2023-52675 |
| VCID-71va-jvwq-nub1 | In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format. EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even if it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously. | CVE-2024-26590 |
| VCID-73h5-3r7h-43hy | kernel: btrfs: don't abort filesystem when attempting to snapshot deleted subvolume | CVE-2024-26644 |
| VCID-7r69-1yww-g3e4 | kernel: bpf: Defer the free of inner map when necessary | CVE-2023-52447 |
| VCID-7v7u-3mp1-9ufh | kernel: null pointer dereference in mpi_alloc | CVE-2023-52472 |
| VCID-885e-g4an-h7e7 | kernel: null pointer dereference in of_syscon_register() | CVE-2023-52467 |
| VCID-8nh6-pkxy-cucr | kernel: off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access | CVE-2024-23849 |
| VCID-95xe-xtqt-r3b8 | kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption | CVE-2024-26586 |
| VCID-97se-7zs6-3fhy | kernel: bpf: Fix re-attachment branch in bpf_tracing_prog_attach | CVE-2024-26591 |
| VCID-9gmh-a1gy-nkhp | kernel: block: Fix iterating over an empty bio with bio_for_each_folio_all | CVE-2024-26632 |
| VCID-9rab-1zfd-auet | kernel: ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL | CVE-2023-52697 |
| VCID-an3m-6tb1-8uht | kernel: btrfs: zoned: fix lock ordering in btrfs_zone_activate() | CVE-2023-52668 |
| VCID-b1aj-jz4z-jqca | kernel: ksmbd: fix global oob in ksmbd_nl_policy | CVE-2024-26608 |
| VCID-b6p5-z47e-dbcd | kernel: bpf: Fix a race condition between btf_put() and map_free() | CVE-2023-52446 |
| VCID-ba9w-4y96-hbhm | kernel: drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment | CVE-2023-52613 |
| VCID-c2cj-yepf-xub3 | kernel: nfsd: fix RELEASE_LOCKOWNER | CVE-2024-26629 |
| VCID-c6v9-xutm-nyam | kernel: powerpc: Fix access beyond end of drmem array | CVE-2023-52451 |
| VCID-c7ux-m2a3-euc6 | A race condition was found in the Linux kernel's bluetooth device driver in the {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue. | CVE-2024-24860 |
| VCID-d6th-8p9s-j7h7 | kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups | CVE-2023-52667 |
| VCID-d8nf-ph6v-e3fk | kernel: net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context | CVE-2023-52626 |
| VCID-dbbk-9yvq-zueq | kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng | CVE-2023-52615 |
| VCID-dnty-4wac-bfhv | kernel: of: Fix double free in of_parse_phandle_with_args_map | CVE-2023-52679 |
| VCID-dywv-cw4r-7kew | kernel: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() | CVE-2024-35840 |
| VCID-enq7-6crc-zuh7 | kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c | CVE-2023-52464 |
| VCID-ep2j-7cxc-7fes | kernel: ksmbd: validate mech token in session setup | CVE-2024-26594 |
| VCID-er3j-h865-wbdc | kernel: net/mlx5e: Fix peer flow lists handling | CVE-2023-52487 |
| VCID-fkxu-trqb-tkfd | kernel: iommu: Don't reserve 0-length IOVA region | CVE-2023-52455 |
| VCID-fmj3-c8m8-tfe6 | kernel: ACPI: video: check for error while searching for backlight device parent | CVE-2023-52693 |
| VCID-ftfu-d5td-mkg9 | kernel: xsk: fix usage of multi-buffer BPF helpers for ZC XDP | CVE-2024-26611 |
| VCID-g2ke-rg2j-n3cm | kernel: crypto: scomp - fix req->dst buffer overflow | CVE-2023-52612 |
| VCID-g5xk-qhrt-yygt | kernel: net/sched: act_ct: fix skb leak and crash on ooo frags | CVE-2023-52610 |
| VCID-g67m-56gb-1bfc | kernel: iio: adc: ad7091r: Allow users to configure device events | CVE-2023-52627 |
| VCID-g7bh-e9xf-quf3 | kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info | CVE-2024-35839 |
| VCID-grk5-ty52-bfhw | kernel: efivarfs: force RO when remounting if SetVariable is not supported | CVE-2023-52463 |
| VCID-gv8b-1ps3-dffk | kernel: NULL pointer dereference in zone registration error path | CVE-2023-52473 |
| VCID-h1wn-ssuk-hbb5 | kernel: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain | CVE-2024-26808 |
| VCID-h5kj-9afh-4fh4 | kernel: nbd: always initialize struct msghdr completely | CVE-2024-26638 |
| VCID-h8ka-8a85-u3a2 | kernel: netdevsim: don't try to destroy PHC on VFs | CVE-2024-26587 |
| VCID-hgrf-kx83-z7d2 | kernel: pvrusb2: fix use after free on context disconnection | CVE-2023-52445 |
| VCID-hhey-efbu-eycr | kernel: ksmbd: fix UAF issue in ksmbd_tcp_new_connection() | CVE-2024-26592 |
| VCID-hjp1-xu35-17h6 | kernel: tracing: Ensure visibility when inserting an element into tracing_map | CVE-2024-26645 |
| VCID-j6kj-8t9f-gkfj | kernel: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump | CVE-2023-52448 |
| VCID-j7u6-nbzn-93ew | kernel: mm: migrate: fix getting incorrect page mapping during page migration | CVE-2023-52490 |
| VCID-j843-2qbk-tkcz | kernel: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD | CVE-2024-26670 |
| VCID-j9ud-q26e-4qbk | kernel: kvm: Avoid potential UAF in LPI translation cache | CVE-2024-26598 |
| VCID-jey8-21pc-1qde | kernel: bpf: fix check for attempt to corrupt spilled pointer | CVE-2023-52462 |
| VCID-k2me-am4h-rqfm | kernel: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() | CVE-2024-26633 |
| VCID-kbxq-kdu4-b3h8 | kernel: llc: make llc_ui_sendmsg() more robust against bonding changes | CVE-2024-26636 |
| VCID-kg1f-schr-8fh4 | kernel: null pointer when loading rlc firmware | CVE-2024-26649 |
| VCID-khrd-ya2n-rygv | kernel: net/sched: flower: Fix chain template offload | CVE-2024-26669 |
| VCID-mawz-x44q-dub5 | kernel: drm/bridge: sii902x: Fix probing race issue | CVE-2024-26607 |
| VCID-me26-pr45-tfeg | kernel: use-after-free in kv_parse_power_table | CVE-2023-52469 |
| VCID-mk44-xvr4-8ua4 | kernel: s390/vfio-ap: always filter entire AP matrix | CVE-2024-26620 |
| VCID-mp3y-t88c-nug9 | kernel: net/smc: fix illegal rmb_desc access in SMC-D connection dump | CVE-2024-26615 |
| VCID-mu8p-1shq-bqh5 | kernel: ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() | CVE-2023-52692 |
| VCID-n3w2-nens-ffbd | kernel: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path | CVE-2024-26595 |
| VCID-nnnt-9vn7-rfc1 | kernel: bpf: Fix accesses to uninit stack slots | CVE-2023-52452 |
| VCID-np8e-zufu-33aw | kernel: wifi: iwlwifi: fix a memory corruption | CVE-2024-26610 |
| VCID-nssb-6rzg-33hf | kernel: bus: mhi: host: Drop chan lock before queuing buffers | CVE-2023-52493 |
| VCID-p8d6-57uv-aqd7 | In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy. The variable rmnet_link_ops assigns a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here. | CVE-2024-26597 |
| VCID-p99d-kg7s-5bbq | kernel: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length | CVE-2023-52454 |
| VCID-phwd-czc2-mkaf | kernel: btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned | CVE-2024-26616 |
| VCID-pk6c-h7ge-3yhh | kernel: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run | CVE-2023-52491 |
| VCID-q5zk-zz7q-j7bf | kernel: net: fix removing a namespace with conflicting altnames | CVE-2024-26634 |
| VCID-qadn-y5ta-j7eq | kernel: f2fs: fix to wait on block writeback for post_read case | CVE-2023-52682 |
| VCID-qh2c-fewm-z7c9 | kernel: soc: qcom: pmic_glink_altmode: fix port sanity check | CVE-2023-52495 |
| VCID-qkq7-ws9x-43f7 | kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function | CVE-2024-1086 |
| VCID-r2v4-9zgs-cub6 | kernel: crypto: s390/aes - Fix buffer overread in CTR mode | CVE-2023-52669 |
| VCID-r4uw-g3ry-bqe5 | kernel: ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() | CVE-2023-52674 |
| VCID-raem-h5nr-g7cq | kernel: nf_tables: use-after-free vulnerability in the nft_setelem_catchall_deactivate() function | CVE-2024-1085 |
| VCID-rsde-mtgv-qqg5 | kernel: ACPI: LPIT: Avoid u32 multiplication overflow | CVE-2023-52683 |
| VCID-rsza-dehs-3bbe | kernel: wifi: rtw88: sdio: Honor the host max_req_size in the RX path | CVE-2023-52611 |
| VCID-s9gw-1g91-7khp | kernel: netfilter: nft_limit: reject configurations that cause integer overflow | CVE-2024-26668 |
| VCID-sz2h-3vjr-mybh | kernel: drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function | CVE-2023-52694 |
| VCID-t8xa-q8y3-3qb5 | kernel: calipso: fix memory leak in netlbl_calipso_add_pass() | CVE-2023-52698 |
| VCID-ty5y-knga-zug3 | kernel: NULL pointer dereference in nvmet_tcp_build_iovec | CVE-2023-6356 |
| VCID-u9sz-26p7-a3cp | kernel: hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume | CVE-2023-52453 |
| VCID-v8b9-uzsr-jqhv | Linux: netback processing of zero-length transmit fragment | CVE-2023-46838 |
| VCID-v9hp-qjkx-17ej | kernel: llc: Drop support for ETH_P_TR_802_2. | CVE-2024-26635 |
| VCID-vxdy-qvan-vub3 | kernel: v4l: async: Fix duplicated list deletion | CVE-2023-52459 |
| VCID-w1sh-qksx-myem | kernel: powerpc/powernv: Add a null pointer check in opal_event_init() | CVE-2023-52686 |
| VCID-wfex-ezd9-8kc4 | kernel: drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c | CVE-2023-52678 |
| VCID-wk4m-e3ac-1ffw | kernel: NULL pointer dereference in nvmet_tcp_execute_request | CVE-2023-6535 |
| VCID-wwzp-ksz8-5ye3 | kernel: riscv: Check if the code to patch lies in the exit section | CVE-2023-52677 |
| VCID-x6ay-s6a4-h3es | kernel: imx: fix tx statemachine deadlock | CVE-2023-52456 |
| VCID-xjyd-dvr8-63hu | kernel: tcp: make sure init the accept_queue's spinlocks once | CVE-2024-26614 |
| VCID-xq7x-2vd8-dua8 | kernel: crypto: safexcel - Add error handling for dma_map_sg() calls | CVE-2023-52687 |
| VCID-xxke-mdpj-kfbm | kernel: crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init | CVE-2023-52616 |
| VCID-xy3c-wcfm-qyd2 | kernel: firmware: arm_scmi: Check mailbox/SMT channel for consistency | CVE-2023-52608 |
| VCID-y3xe-hy5b-3qhp | kernel: intel: Fix NULL pointer dereference issue in upi_fill_topology() | CVE-2023-52450 |
| VCID-y4rv-zcef-zybh | kernel: bus: mhi: host: Add alignment check for event ring read pointer | CVE-2023-52494 |
| VCID-ya9a-njf8-vbh2 | kernel: pwm: Fix out-of-bounds access in of_pwm_single_xlate() | CVE-2024-26599 |
| VCID-ys7v-mmnm-jbc6 | In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty. When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). | CVE-2023-52443 |
| VCID-ysaq-2q5f-6qby | kernel: NULL check in edp_setup_replay() | CVE-2024-26648 |
| VCID-yuk9-xu8a-tybr | kernel: drm: Don't unref the same fb many times by mistake due to deadlock handling | CVE-2023-52486 |
| VCID-yvbs-th5a-ckdk | hw: arm64/sme: Always exit sme_alloc() early with existing storage | CVE-2024-26618 |
| VCID-zaqm-hqu6-ukfj | kernel: null pointer dereference in smb2_probe | CVE-2023-52465 |
| VCID-zdvy-ttxd-jbgt | kernel: serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO | CVE-2023-52488 |
| VCID-zfke-knvh-pba5 | kernel: information leak in sec_attest_info | CVE-2023-50431 |
| VCID-zz3n-jt5g-fuhh | kernel: drm/amd/display: Fix late dereference 'dsc' check in 'link_set_dsc_pps_packet()' | CVE-2024-26647 |