Bing-Jhong Billy Jheng

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the BPF ring buffer in the Linux kernel, which is implemented as a power-of-2 sized circular buffer with two logical and ever-increasing counters: `consumer pos` and `producer pos`. The vulnerability allows an attacker to make a second allocated memory chunk overlapping with the first chunk, enabling the BPF program to edit the first chunk's header. This can cause `bpf ringbuf commit()` to refer to the wrong page and potentially lead to a crash. The fix involves calculating the oldest pending position and checking whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size, rejecting the request if necessary. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: cls fw component can be exploited to achieve local privilege escalation. When `fw change()` is called on an existing filter, the whole `tcf result` struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as `tcf unbind filter()` is always called on the old instance in the success path, decreasing `filter cnt` of the still referenced class and allowing it to be deleted, leading to a use-after-free. **Recommendations** Upgrade past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: cls route component can be exploited to achieve local privilege escalation. When `route4 change()` is called on an existing filter, the whole `tcf result` struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as `tcf unbind filter()` is always called on the old instance in the success path, decreasing `filter cnt` of the still referenced class and allowing it to be deleted, leading to a use-after-free. **Recommendations** Upgrade past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 to resolve the issue. As a temporary workaround, consider restricting access to the `net/sched: cls route` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's af unix component can be exploited to achieve local privilege escalation. The `unix stream sendpage()` function tries to add data to the last skb in the peer's recv queue without locking the queue, resulting in a race where `unix stream sendpage()` could access an skb locklessly that is being released by garbage collection, leading to use-after-free. **Recommendations** Upgrade past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `unix stream sendpage()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to the version containing commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859 **Description** The issue is related to a double free vulnerability in the Linux kernel, specifically with the io uring feature. This vulnerability can be exploited to cause a denial of service. The `io uring` use `work flags` to determine which identity needs to be grabbed from the calling process to ensure consistency when executing `IORING OP`. However, some operations are missing certain types, leading to incorrect reference counts and potentially resulting in a double free. **Recommendations** To resolve the issue, upgrade the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859. As a temporary workaround, consider restricting the use of the `io uring` feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux Kernel io uring system can be exploited to achieve local privilege escalation. The `io file get fixed` function lacks the presence of `ctx->uring lock` which can lead to a use-after-free vulnerability due to a race condition with fixed files getting unregistered. **Recommendations** Upgrade past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8 to resolve the issue. As a temporary workaround, consider restricting access to the `io uring` system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel versions prior to 5.4.189 **Description** The issue is related to an integer overflow in the io uring interface of the Linux Kernel, which can be exploited by a local attacker to cause memory corruption and escalate privileges to the root level. **Recommendations** For Linux Kernel versions prior to 5.4.189, update to version 5.4.189 or later to resolve the issue.