Eric Dumazet

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the ndisc send skb() function, which can be called without RTNL or RCU held, potentially leading to a use-after-free (UAF) condition. To address this, RCU protection has been extended in ndisc send skb() by acquiring rcu read lock() earlier, allowing the use of dev net rcu(). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the function `l3mdev l3 out()`, which can be called without RCU protection. This can lead to a potential use-after-free (UAF) issue. The vulnerability is exploited through a sequence of function calls, including `raw sendmsg()`, `ip push pending frames()`, `ip send skb()`, `ip local out()`, and ` ip local out()`, ultimately calling `l3mdev ip out()`. To address this, an `rcu read lock()` / `rcu read unlock()` pair has been added. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue concerns the ` ip rt update pmtu()` function, which must use RCU protection to prevent the net structure it reads from disappearing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the ndisc alloc skb() function, which can be called without RTNL or RCU being held, potentially leading to a use-after-free (UAF) condition. To address this, RCU protection has been added to ndisc alloc skb(). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the ` neigh notify()` function, which can be called without proper protection, potentially leading to a use-after-free (UAF) condition. To address this, RCU protection is used in ` neigh notify()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been identified, where the arp xmit() function can be called without proper protection, potentially leading to a use-after-free (UAF) issue. To address this, RCU protection is used in arp xmit() to prevent such problems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the openvswitch, specifically the `ovs vport cmd fill info()` function, which can be called without RTNL or RCU protection. This could lead to a potential use-after-free (UAF) issue. To address this, RCU protection and `dev net rcu()` are used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue concerns the Linux kernel's handling of IPv6 packets with extension headers. Specifically, it affects devices that advertise NETIF F IPV6 CSUM, which is a feature for checksumming plain TCP or UDP packets over IPv6. The problem arises when BIG TCP packets are used, introducing an IPV6 TLV JUMBO IPv6 extension header to communicate packet length. This header is not transmitted by physical devices but is present for PF PACKET taps like tcpdump. The change that caused the issue disabled hardware offload of IPv6 packets with extension headers on devices that support NETIF F IPV6 CSUM. The `ipv6 has hopopt jumbo()` function tests for the presence of this header and ensures it is the only extension header before a terminal (L4) header. The issue has been resolved by reenabling NETIF F IPV6 CSUM offload for BIG TCP packets. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider disabling the `skb warn bad offload()` function until a patch is available. Restrict access to the vulnerable `NETIF F IPV6 CSUM` feature to minimize the risk of exploitation. Avoid using the `IPV6 TLV JUMBO` extension header in BIG TCP packets until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.65 **Description** A division by zero error was reported in the MPTCP protocol of the Linux kernel. The root cause is the current bad handling of racing disconnect. After a specific commit, `sk wait data()` can return with an error and the underlying socket disconnected, resulting in a zero `rcv mss`. The error occurs when ` tcp select window()` is called, leading to a divide error. The issue is resolved by catching the error and returning without performing any additional operations on the current socket. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.65 or later. As a temporary workaround, consider disabling the `mptcp recvmsg()` function until a patch is available. Restrict access to the vulnerable `mptcp` protocol to minimize the risk of exploitation. Avoid using the `rcv mss` variable in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.61 Description: A slab-use-after-free bug has been identified in the Linux kernel, specifically in the netfilter: bpf component. This issue arises when the ` nf unregister net hook()` function is deferred after exit/close time, potentially due to a missing reference on the net namespace. The bug can be triggered through the `bpf nf link release()` function, leading to a read of size 8 at a specific memory address. Eric's analysis suggests that the `bpf nf link attach()` function assigns `link->net = net` without taking a reference on the net namespace, which may cause the netns to be dismantled or freed prematurely. Recommendations: To resolve this issue, update the Linux kernel to version 6.6.61 or later. As a temporary workaround, consider restricting the use of the `bpf nf link attach()` function until a patch is available. Additionally, avoid using the `link->net` variable in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A vulnerability in the Linux kernel has been resolved, specifically in the af packet module. The issue occurs after the sock init data() function is called in packet create(), where the allocated sk object is attached to the provided sock object. If an error occurs, packet create() frees the sk object, leaving a dangling pointer in the sock object. This can cause use-after-free errors if other code attempts to use the pointer. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting access to the af packet module until a patch is available.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.11.0-rc7-syzkaller-g5f5673607153 Description: The issue is related to a panic on IPPROTO SMC in the Linux kernel. When INET PROTOSW ICSK is set, icsk->icsk sync mss must also be set. The problem occurs due to a lack of synchronization of MSS within sys connect file for AF SMC. This can lead to a kernel NULL pointer dereference. A patch has been added to prevent such panic by performing a simple return, laying the groundwork for future support of this feature for IPPROTO SMC. Recommendations: For Linux kernel versions prior to 6.11.0-rc7-syzkaller-g5f5673607153, consider applying the patch that adds a toy implementation to prevent the panic. This patch performs a simple return to prevent the kernel NULL pointer dereference, providing a temporary solution until full support for synchronizing MSS within sys connect file for AF SMC is implemented.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: The issue arises from insufficient sanity checks in the `qdisc pkt len init()` function, specifically when handling `SKB GSO DODGY` packets. The `virtio net hdr to skb()` function does not fully dissect TCP headers, only ensuring they are at least 20 bytes long. This allows a user to craft a malicious 'GSO' packet with a total length of 80 bytes, comprising a 20-byte IPv4 header, a 60-byte TCP header, and a small `gso size` like 8. As a result, `virtio net hdr to skb()` would incorrectly identify this packet as a normal GSO packet due to the perceived payload size being larger than `gso size`. This can lead to an underflow in `qdisc skb cb(skb)->pkt len`. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider implementing additional sanity checks for `SKB GSO DODGY` packets to prevent underflow in `qdisc skb cb(skb)->pkt len`. Restrict the use of `virtio net hdr to skb()` function until the update is applied to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a data leakage vulnerability in the Linux kernel's net: dpaa component. When sending packets under 60 bytes, up to three bytes of the buffer following the data may be leaked. This can be avoided by extending all packets to ETH ZLEN, ensuring nothing is leaked in the padding. The bug can be reproduced by running $ ping -s 11 destination. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to the use of memory after it has been freed in the ip6 finish output2 function of the Linux kernel. This can lead to a denial of service. The problem occurs when skb expand head() returns NULL, indicating that the skb has been freed, and the associated dst/idev could also have been freed. To prevent this, it is necessary to hold rcu read lock() to ensure that the dst and associated idev are alive. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.50 or later. As a temporary workaround, consider restricting access to the ip6 finish output2 function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to a possible use-after-free (UAF) vulnerability in the `ip6 xmit()` function of the Linux kernel. If `skb expand head()` returns NULL, it indicates that the `skb` has been freed, and the associated `dst/idev` could also have been freed. To prevent a possible UAF, it is necessary to use `rcu read lock()`. The exploitation of this vulnerability may allow an attacker to cause a denial of service. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider using `rcu read lock()` to prevent a possible UAF in the `ip6 xmit()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel's TCP component, where a TCP socket using TCP USER TIMEOUT can retransmit packets every two jiffies (2 ms for HZ=1000) for about 4 minutes after TCP USER TIMEOUT has expired, if the other peer retracts its window to zero. The fix involves making sure tcp rtx probe0 timed out() takes icsk->icsk user timeout into account. Before a specific commit, the socket would not timeout after icsk->icsk user timeout, but would use standard exponential backoff for the retransmits. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the tipc component of the Linux kernel, which has a problem with incorrect input validation. This can lead to a stack overflow when a node receives and processes domain record structs from peer nodes. The function `tipc mon rcv()` is used to receive and process these structs, and it is called from the function `tipc link proto rcv()`, where a 32-bit message data length field is read into a uint16. To prevent bit overflow, an extra sanity check is added to this function. The problem was identified by Eric Dumazet. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the function `gue gro receive()` in the Linux kernel, which has a problem with incorrect input validation. This can potentially impact the confidentiality, integrity, and availability of protected information. The vulnerability is related to the handling of unsupported protocols in the `gue gro receive()` function. A packet can be easily constructed to trigger a warning, which was previously reduced from `WARN ON` to `WARN ON ONCE`. The warning has been removed as it is expected and not actionable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `ila output()` function in the Linux kernel, which can be called from `lwtunnel output()` possibly from process context, and under `rcu read lock()`. This can lead to a race condition where the function is interrupted by a softirq, causing corruption of `dst cache` data structures. The problem arises because `net/core/dst cache.c` helpers need to be called with BH disabled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.