David Howells

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been resolved, related to the handling of received connection aborts in the rxrpc module. The problem occurs when a connection abort is received but not properly propagated to the calls on that connection, causing them to hang as they are not woken up to process their termination. Tracing has been added for logging connection aborts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc2-build3+ **Description** The issue is related to lock recursion in the Linux kernel, specifically in the `afs wake up async call()` function. This function can incur lock recursion when called from AF RXRPC while holding the `->notify lock`. The problem arises when it tries to take a reference on the `afs call` struct to pass it to a work queue, but if `afs call` is already queued, an extraneous reference is created. Calling `afs put call()` may call back into AF RXRPC through `rxrpc kernel shutdown call()`, which might try taking the `->notify lock` again. This case is not very common, so it is deferred to a workqueue. **Recommendations** To resolve the issue, update to a version of the Linux kernel that includes the fix for the lock recursion vulnerability. As a temporary workaround, consider disabling the `afs wake up async call()` function until a patch is available. Restrict access to the `rxrpc input call event()` function to minimize the risk of exploitation. Avoid using the `afs call` struct in the affected work queue until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.61 Description: The issue is related to a buffer overflow in the SMB2 IOCTL request handling. When using encryption, the client will squash all compound request buffers down for encryption into a single iov in `smb2 set next command()`. If the user passes an input buffer that is greater than 328 bytes, `smb2 set next command()` will end up writing off the end of `@rqst->iov[0].iov base`. This can be triggered by creating a symbolic link with a long name on a mounted CIFS share with the `seal` option. Recommendations: To resolve the issue, update the Linux kernel to version 6.6.61 or later. As a temporary workaround, consider avoiding the use of the `seal` mount option for CIFS shares until the update is applied. Additionally, restrict access to the vulnerable `smb2 set next command()` function and related API endpoints, such as `/mnt/link`, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises from the `netfs page mkwrite()` function not checking if `folio->mapping` is valid after taking the folio lock, similar to `filemap page mkwrite()`. This can cause a kernel NULL pointer dereference when `invalidate inode pages2 range()` interferes with mmap'd writes at the end of a DIO write, leading to occasional oopses. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.0 **Description** The vulnerability is related to the NFS component of the Linux kernel. It is caused by incorrect locking in the `nfs netfs issue read()` function, which can lead to a deadlock when interrupts are not disabled while iterating through pages in the xarray to submit for NFS read. This issue can be reproduced with a specific test and may cause inconsistent lock state warnings on a lockdep-enabled kernel. The problem can occur when another page in the mapping is processed for writeback inside an interrupt, leading to a potential deadlock. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the `nfs netfs issue read()` xarray locking for writeback interrupt. As a temporary workaround, consider disabling the `nfs netfs issue read()` function until a patch is available. However, this may have performance implications and should be carefully evaluated before implementation. Note: The provided information does not specify the exact fixed version, so it is recommended to update to the latest available kernel version to ensure the inclusion of the necessary fix.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a regression introduced by a commit that added general notification queue support, which caused resized pipes to lock up under certain conditions. This occurred because the commit resizing the pipe ring size was moved to a different function, resulting in the wakeup for `pipe->wr wait` being triggered before actually raising `pipe->max usage`. If a pipe was full before the resize occurred, it would result in the wakeup never actually triggering `pipe write`. The vulnerability is associated with incorrect blocking in the `pipe resize ring()` and `pipe set size()` functions in `fs/pipe.c`. Exploitation of this vulnerability could allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to temporary data corruption in the collapse range of the smb3 module. The collapse range does not discard the affected cached region, which can risk temporarily corrupting file data. This issue is fixed by a patch that also includes a minor cleanup to avoid rereading inode size repeatedly unnecessarily. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue concerns temporary data corruption in the insert range of the smb3 module. The insert range does not discard the affected cached region, which can risk temporarily corrupting file data. Additionally, some minor cleanup has been done to avoid rereading the inode size repeatedly and unnecessarily. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 2.6 **Description** The issue is related to the `user update` function in the Linux kernel, which allows local users to cause a denial of service. This can be achieved through vectors related to a user-defined key and updating a negative key into a fully instantiated key, resulting in a NULL pointer dereference and kernel oops. **Recommendations** For Linux kernel version 2.6, as a temporary workaround, consider disabling the `user update` function until a patch is available. Restrict access to the `security/keys/user defined.c` module to minimize the risk of exploitation. Avoid using the `user defined` key in the affected kernel version until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.16 **Description** The issue is related to the strnlen user function in the Linux kernel, which can return an incorrect value. This allows local users to cause a denial of service via unknown vectors. **Recommendations** For versions prior to 2.6.16, update to version 2.6.16 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 2.6.12.5 Description: The issue is related to the KEYCTL JOIN SESSION KEYRING operation in the Linux kernel, which contains an error path that does not properly release the session management semaphore. This allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring under certain conditions, such as an empty name string, a long name string, when the key quota is reached, or when an ENOMEM error occurs. Recommendations: For Linux kernel versions prior to 2.6.12.5, update to version 2.6.12.5 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 2.6.12.5 Description: The issue allows local users or remote attackers to cause a denial of service (kernel oops) via a keyring with a payload that is not empty. This happens because the kernel does not properly destroy a keyring that is not instantiated properly, leading to a null dereference in the keyring destructor. Recommendations: For Linux kernel versions prior to 2.6.12.5, update to version 2.6.12.5 or later to resolve the issue.