CVE-2022-4662: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls
An incorrect access control flaw in the Linux kernel USB core subsystem was found in the way a user attaches a USB device. A local user could use this flaw to crash the system.
From: Greg Kroah-Hartman [email protected]
To: [email protected]
Cc: Greg Kroah-Hartman [email protected], [email protected], Alan Stern [email protected], Rondreis [email protected]
Subject: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls
Date: Tue, 13 Sep 2022 16:06:24 +0200
Message-ID: [email protected]
In-Reply-To: <[email protected]>
From: Alan Stern [email protected]
commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream.
Automatic kernel fuzzing revealed a recursive locking violation in usb-storage:
============================================
WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
kworker/1:3/1205 is trying to acquire lock:
ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock:
ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230

…

stack backtrace:
CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline]
 check_deadlock kernel/locking/lockdep.c:3031 [inline]
 validate_chain kernel/locking/lockdep.c:3816 [inline]
 __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
 lock_acquire kernel/locking/lockdep.c:5665 [inline]
 lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
 __mutex_lock_common kernel/locking/mutex.c:603 [inline]
 __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747
 usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230
 usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
 r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622
 usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:545 [inline]
 device_remove+0x11f/0x170 drivers/base/dd.c:537
 __device_release_driver drivers/base/dd.c:1222 [inline]
 device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627
 usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114
This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks), its ->remove routine called usb_reset_device() – thus nesting one reset call within another.
Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future.
Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9_0Tw4HQ6keN==voRbP0g@mail.gmail.com/
Cc: [email protected]
Reported-and-tested-by: Rondreis [email protected]
Signed-off-by: Alan Stern [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman [email protected]
drivers/usb/core/hub.c | 10 ++++++++++
include/linux/usb.h    |  2 ++
2 files changed, 12 insertions(+)
— a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5923,6 +5923,11 @@ re_enumerate_no_bos: * the reset is over (using their post_reset method). * * Return: The same as for usb_reset_and_verify_device().
* However, if a reset is already in progress (for instance, if a
* driver doesn’t have pre_ or post_reset() callbacks, and while
* being unbound or re-bound during the ongoing reset its disconnect()
* or probe() routine tries to perform a second, nested reset), the
* routine returns -EINPROGRESS. * * Note: * The caller must own the device lock. For example, it’s safe to use @@ -5956,6 +5961,10 @@ int usb_reset_device(struct usb_device * return -EISDIR; }
if (udev->reset_in_progress)
return -EINPROGRESS;
udev->reset_in_progress = 1;
port_dev = hub->ports[udev->portnum - 1];
/* @@ -6020,6 +6029,7 @@ int usb_reset_device(struct usb_device *
usb_autosuspend_device(udev); memalloc_noio_restore(noio_flag);
udev->reset_in_progress = 0; return ret; } EXPORT_SYMBOL_GPL(usb_reset_device); — a/include/linux/usb.h +++ b/include/linux/usb.h @@ -580,6 +580,7 @@ struct usb3_lpm_parameters { * @devaddr: device address, XHCI: assigned by HW, others: same as devnum * @can_submit: URBs may be submitted * @persist_enabled: USB_PERSIST enabled for this device
* @reset_in_progress: the device is being reset * @have_langid: whether string_langid is valid * @authorized: policy has said we can use it; * (user space) policy determines if we authorize this device to be @@ -665,6 +666,7 @@ struct usb_device {
unsigned can_submit:1; unsigned persist_enabled:1;
unsigned reset_in_progress:1; unsigned have_langid:1; unsigned authorized:1; unsigned authenticated:1;
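Review bot: in the usb_reset_device() hunk the test `if (udev->reset_in_progress)` and the store `udev->reset_in_progress = 1;` are two separate plain accesses, so the guard is only sound because the kernel-doc just above says the caller must own the device lock; a `lockdep_assert_held(&udev->dev.mutex);` next to the check would turn that documented precondition into an enforced one, and a future nested-reset report would then point at the device-lock violation instead of at some driver's own mutex.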
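Review bot: the flag is cleared only at the single exit where `udev->reset_in_progress = 0;` precedes `return ret;`, after `memalloc_noio_restore(noio_flag);`; nothing in the hunk stops a later early `return` between `udev->reset_in_progress = 1;` and that point, and such a return would leave the device answering -EINPROGRESS to every reset until it is re-enumerated, so a one-line comment that all paths must reach this clear (or routing them through a single exit label) is worth adding with the flag.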
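The nested-reset scenario from the lockdep report above, and the effect of the reset_in_progress check, modelled in user space as an added example that is not code from the kernel or from this patch. Everything in it (model_intf, model_dev, model_reset_device, run_scenario and the helper names) is a hypothetical stand-in: the per-interface lock is a flag that reports a re-acquisition the way lockdep does rather than blocking, and the device lock the real function requires is left out because the model is single-threaded.

```c
/* Added example, not code from the kernel or from this patch: a single-threaded
 * user-space model of the interface walk in usb_reset_device() and of the
 * reset_in_progress guard. All names here (model_*, run_scenario) are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct model_dev;

/* One interface of a composite device and the driver bound to it. */
struct model_intf {
	int bound;
	int (*pre_reset)(struct model_intf *);	/* NULL: driver has no callback */
	int (*post_reset)(struct model_intf *);
	void (*disconnect)(struct model_dev *, struct model_intf *);
	int lock_held;		/* usb-storage's per-interface mutex, modelled */
	int nested_result;	/* what a nested reset attempt returned, if any */
};

struct model_dev {
	unsigned reset_in_progress:1;	/* the flag the patch adds to struct usb_device */
	int guarded;			/* apply the patch's check or not */
	struct model_intf *intf[2];
	int hw_resets;			/* device resets actually performed */
};

/* Lock model: as under lockdep, re-acquisition by the same (only) thread is reported. */
static int model_lock(struct model_intf *f)
{
	if (f->lock_held)
		return -EDEADLK;	/* lockdep's "possible recursive locking" */
	f->lock_held = 1;
	return 0;
}

/* Models usb_reset_device(): pre_reset each bound interface whose driver has the
 * callback, force-unbind the others, reset, then post_reset or re-bind. */
int model_reset_device(struct model_dev *udev)
{
	int i, rc, ret = 0;
	if (udev->guarded && udev->reset_in_progress)
		return -EINPROGRESS;
	udev->reset_in_progress = 1;
	for (i = 0; i < 2; i++) {
		struct model_intf *f = udev->intf[i];
		if (!f->bound)
			continue;
		if (f->pre_reset) {
			rc = f->pre_reset(f);
			if (rc && !ret)
				ret = rc;	/* keep the first failure */
		} else {
			f->bound = 0;		/* like usb_forced_unbind_intf() */
			f->disconnect(udev, f);
		}
	}
	udev->hw_resets++;			/* the port reset itself */
	for (i = 0; i < 2; i++) {
		struct model_intf *f = udev->intf[i];
		if (f->post_reset)
			f->post_reset(f);
		else
			f->bound = 1;		/* re-probe the driver */
	}
	udev->reset_in_progress = 0;
	return ret;
}

/* usb-storage-like driver: holds its interface lock across the reset. */
static int storage_pre_reset(struct model_intf *f) { return model_lock(f); }
static int storage_post_reset(struct model_intf *f) { f->lock_held = 0; return 0; }

/* rtl8712-like driver: no pre/post_reset; its disconnect() requests a device reset. */
static void rtl_disconnect(struct model_dev *udev, struct model_intf *f)
{
	f->nested_result = model_reset_device(udev);
}

/* One reset of a storage+rtl composite device; returns what the nested attempt got. */
int run_scenario(int guarded, int *hw_resets)
{
	struct model_intf storage = { .bound = 1, .pre_reset = storage_pre_reset, .post_reset = storage_post_reset };
	struct model_intf rtl = { .bound = 1, .disconnect = rtl_disconnect };
	struct model_dev udev = { .guarded = guarded, .intf = { &storage, &rtl } };
	model_reset_device(&udev);
	*hw_resets = udev.hw_resets;
	return rtl.nested_result;
}
int nested_reset_result(int guarded) { int n; return run_scenario(guarded, &n); }
int device_reset_count(int guarded) { int n; run_scenario(guarded, &n); return n; }

int main(void)
{
	printf("unguarded: nested reset got %s, %d device resets\n", strerror(-nested_reset_result(0)), device_reset_count(0));
	printf("guarded: nested reset got %s, %d device resets\n", strerror(-nested_reset_result(1)), device_reset_count(1));
	return 0;
}
```

With the guard off, the storage interface's pre_reset is entered a second time from inside the rtl disconnect and the model reports -EDEADLK while two device resets are counted, one nested in the other; with it on, the nested call returns -EINPROGRESS before touching any driver lock and exactly one reset happens. Any C99 compiler builds it with no extra libraries.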