Bart Van Assche

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.50 Description: The issue is related to a use-after-free vulnerability in the RDMA/iwcm module of the Linux kernel. This vulnerability occurs when the `iw conn req handler()` function associates a new `struct rdma id private` (`conn id`) with an existing `struct iw cm id` (`cm id`). The `rdma destroy id()` function frees both the `cm id` and the `struct rdma id private`, but the `cm work handler()` function may still trigger a use-after-free if it tries to access the freed `struct rdma id private`. This could potentially allow an attacker to impact the confidentiality, integrity, and availability of protected information. Recommendations: To resolve this issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider restricting access to the RDMA/iwcm module to minimize the risk of exploitation. Avoid using the `cm id` and `conn id` structures in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to errors in resource management within the fs/aio component of the Linux kernel. Specifically, when `kiocb set cancel fn()` is called for I/O submitted via `io uring`, a kernel warning appears. The warning is due to the call trace involving `kiocb set cancel fn()`, `ffs epfile read iter()`, `io read()`, `io issue sqe()`, `io submit sqes()`, and other system calls. This issue can potentially allow an attacker to cause a denial of service. The fix involves setting the `IOCB AIO RW` flag for read and write I/O submitted by `libaio`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability has been resolved in the Linux kernel. The issue was triggered by blktests nvme/004 and resulted in a user-memory-access bug in the `blk mq complete request remote` function. The vulnerability was caused by a use-after-free complaint and was identified by the KASAN (Kernel Address Sanitizer) tool. The `nvmet` module was affected, and the issue was related to the `nvme loop execute work` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, related to the handling of offline queues in the `blk mq alloc request hctx()` function. This issue could trigger an array-index-out-of-bounds error, as indicated by the UBSAN (Undefined Behavior Sanitizer) report, showing an index of 512 being out of range for a 'long unsigned int [512]' type. The error occurs in the `block/blk-mq.h` file at line 135, column 9. The call trace suggests that this issue is related to the NVMe (Non-Volatile Memory Express) subsystem, specifically involving functions like ` nvme submit sync cmd()` and `nvmf connect io queue()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.