Brad Spengler

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability in the Linux kernel has been resolved, related to the gtp net exit batch rtnl() function. The issue was reported by Brad Spengler and is caused by the potential for list del() corruption splat in gtp net exit batch rtnl(). This can occur when the for each netdev() loop in gtp net exit batch rtnl() destroys devices in each netns, leading to ->dellink() being called twice for the same device during ->exit batch rtnl(). Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue arises when copying a namespace in the Linux kernel. Specifically, the new copy is not added to the namespace rbtree until after the copy operation has succeeded. However, when `free mnt ns()` is called, it attempts to remove the copy from the rbtree, which is an invalid operation. To resolve this, the namespace skeleton is freed directly. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The Linux kernel has a vulnerability in the tracefs module, where the use of generic inode RCU for synchronizing freeing can cause a list del corruption when running the ftrace selftests. This can lead to a kernel BUG and an invalid opcode error. The vulnerability is caused by the overlapping of RCU-used or initialized-only-once members in the struct inode, such as i lru or i sb list, when structure layout randomization is enabled. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.50 or later. If updating is not possible, consider disabling the tracefs module or restricting its use to minimize the risk of exploitation. Additionally, ensure that any kernel modules that interact with the tracefs module are updated and configured correctly.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to the x86/xen paravirt call in the Linux kernel. Specifically, the `USERGS SYSRET64` call is used to return from a syscall via `SYSRET`, but a Xen PV guest will use the `IRET` hypercall instead, as there is no `sysret` PV hypercall defined. To resolve this, the `USERGS SYSRET64` call is dropped, and the `IRET` exit is used from the beginning. This change simplifies the code and allows `CLEAR CPU BUFFERS` to be explicitly added to the `syscall return via sysret` path. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.9.x and 4.10.x before 4.10.12 **Description** The issue is caused by incorrect interaction with the `CONFIG VMAP STACK` option in the Linux kernel, allowing local users to cause a denial of service, such as a system crash or memory corruption, by leveraging the use of more than one virtual page for a DMA scatterlist. This is due to a buffer overflow in memory. **Recommendations** For Linux kernel versions 4.9.x and 4.10.x before 4.10.12, update to version 4.10.12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.9.x through 4.10.x before 4.10.12 **Description** The issue is caused by a buffer overflow in the `drivers/media/usb/dvb-usb/cxusb.c` driver of the Linux kernel. It can be exploited by a local attacker who interacts incorrectly with the `CONFIG VMAP STACK` parameter, potentially causing a denial of service, such as a system crash, or possibly other unspecified impacts. This is achieved by leveraging the use of more than one virtual page for a DMA scatterlist. **Recommendations** For Linux kernel versions 4.9.x through 4.10.x before 4.10.12, update to version 4.10.12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.3 **Description** The issue is related to the mm subsystem in the Linux kernel, which does not properly enforce the CONFIG STRICT DEVMEM protection mechanism. This allows local users to read or write to kernel memory locations in the first megabyte, bypassing slab-allocation access restrictions, by opening the /dev/mem file. The affected files are arch/x86/mm/init.c and drivers/char/mem.c. **Recommendations** For Linux kernel versions prior to 3.3, consider restricting access to the /dev/mem file as a temporary workaround until a patch is available. Additionally, review system configurations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.9.x through 4.10.6 **Description** The issue is caused by incorrect interaction with the `CONFIG VMAP STACK` option in the Linux kernel, allowing local users to cause a denial of service, such as a system crash or memory corruption, by leveraging the use of more than one virtual page for a DMA scatterlist. This is due to a buffer overflow in memory. **Recommendations** For Linux kernel versions 4.9.x through 4.10.6, update to version 4.10.7 or later to resolve the issue. As a temporary workaround, consider disabling the `CONFIG VMAP STACK` option until a patch is available. Restrict access to the vulnerable driver `dvb-usb-firmware.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9.11 **Description** The issue is caused by a buffer overflow in the Linux kernel's drivers/net/usb/catc.c driver. It allows a local attacker to cause a denial of service, such as a system crash or memory corruption, by interacting incorrectly with the `CONFIG VMAP STACK` parameter and using more than one virtual page for a DMA scatterlist. **Recommendations** For Linux kernel versions prior to 4.9.11, update to version 4.9.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `CONFIG VMAP STACK` option to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.4.x through 4.4.190 Linux kernel versions 4.9.x through 4.9.190 Linux kernel versions 4.14.x through 4.14.141 Linux kernel versions 4.19.x through 4.19.69 Linux kernel versions 5.2.x through 5.2.11 **Description** The issue is related to errors in implementing protections against Spectre class vulnerabilities in the Linux kernel's ptrace subsystem. Exploitation of this issue may allow an attacker to disclose protected information. A backporting error in the Linux stable/longterm kernel reintroduced a Spectre vulnerability that was supposed to be eliminated. This occurred due to the misuse of an upstream commit and the swapping of two correctly ordered code lines. **Recommendations** For Linux kernel versions 4.4.x through 4.4.190, update to a version after 4.4.190 to resolve the issue. For Linux kernel versions 4.9.x through 4.9.190, update to a version after 4.9.190 to resolve the issue. For Linux kernel versions 4.14.x through 4.14.141, update to a version after 4.14.141 to resolve the issue. For Linux kernel versions 4.19.x through 4.19.69, update to a version after 4.19.69 to resolve the issue. For Linux kernel versions 5.2.x through 5.2.11, update to a version after 5.2.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.6.5 **Description** The issue is related to a lack of error checking in the `do video set spu palette` function, which could potentially allow local users to access sensitive information from kernel stack memory. This can be achieved through a crafted `VIDEO SET SPU PALETTE` ioctl call on a `/dev/dvb` device. **Recommendations** For Linux kernel versions prior to 3.6.5, update to version 3.6.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.6 **Description** The issue exists due to the lack of initialization of certain structures in the net/xfrm/xfrm user.c file of the Linux kernel. This allows local users with the CAP NET ADMIN capability to obtain sensitive information from kernel memory. **Recommendations** For Linux kernel versions prior to 3.6, update to version 3.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the CAP NET ADMIN capability to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.8.6 **Description** The issue concerns multiple vulnerabilities in the Linux operating system, specifically in the Debian GNU/Linux package, which can be exploited by a local attacker to compromise the confidentiality, integrity, and availability of protected information. A heap-based buffer overflow vulnerability exists in the `tg3 read vpd` function in the Linux kernel, allowing physically proximate attackers to cause a denial of service or possibly execute arbitrary code via crafted firmware. **Recommendations** For Linux kernel versions prior to 3.8.6, update to version 3.8.6 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39-rc1 kernel-kdumppae (affected versions not specified) **Description** The issue concerns a function in the Linux kernel that does not perform an expected uid check, making it easier for local users to defeat the ASLR protection mechanism. This can be done by reading specific fields in the /proc/#####/stat file for a process executing a PIE binary. Additionally, there are multiple vulnerabilities in the kernel-kdumppae package of SUSE Linux Enterprise that can lead to disruption of protected information and can be exploited remotely. **Recommendations** For Linux kernel versions prior to 2.6.39-rc1, update to version 2.6.39-rc1 or later to resolve the issue. For kernel-kdumppae, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.37 **Description** The issue allows local users to cause a denial of service due to memory consumption via a crafted exec system call. This is related to the handling of stack memory by arrays representing arguments and environment variables in the fs/exec.c file. **Recommendations** For versions prior to 2.6.37, update to version 2.6.37 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.36 **Description** The issue is related to the setup arg pages function in fs/exec.c, which does not properly restrict stack memory consumption for 32-bit applications on 64-bit platforms when CONFIG STACK GROWSDOWN is used. This allows local users to cause a denial of service, resulting in a system crash, via a crafted exec system call. **Recommendations** For Linux kernel versions prior to 2.6.36, update to version 2.6.36 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.36-rc3-next-20100831 cpint-kmp-default (affected versions not specified) cloop-kmp-default (affected versions not specified) drbd-kmp-default (affected versions not specified) **Description** The issue allows local users to obtain potentially sensitive information from kernel heap memory due to an off-by-one error in the `ioctl standard iw point` function. This can be achieved via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size. Multiple vulnerabilities in the cpint-kmp-default, cloop-kmp-default, and drbd-kmp-default packages of the SUSE Linux Enterprise and openSUSE operating systems can lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited locally. **Recommendations** For Linux kernel versions prior to 2.6.36-rc3-next-20100831, update to a version after 2.6.36-rc3-next-20100831 to resolve the issue. For cpint-kmp-default, cloop-kmp-default, and drbd-kmp-default, at the moment, there is no information about a newer version that contains a fix for this vulnerability.