Hou Tao

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue concerns a vulnerability in the Linux kernel where the function `bpf iter bits new()` does not properly check the validity of `nr words`. This can lead to stack corruption due to `bpf probe read kernel common()` when `nr words` causes a multiplication overflow, resulting in an incorrect `nr bits` value. For example, when `nr words` equals 0x0400-0001, `nr bits` becomes 64, potentially causing issues. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. Recommendations: To resolve the issue, limit the maximum value of `nr words` to 511, as derived from the current BPF memory allocator implementation. Use the helper function `bpf mem alloc check size()` to check if `nr bytes` is too large and return -E2BIG instead of -ENOMEM for oversized `nr bytes`. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.65 **Description** The issue is related to the Linux kernel, where a newly-added link type that doesn't invoke BPF LINK TYPE() can cause an out-of-bounds access when accessing bpf link type strs[link->type]. To address this, the validity of link->type in bpf link show fdinfo() is checked, and a warning is emitted when such invocations are missed. **Recommendations** For Linux kernel versions prior to 6.6.65, update to version 6.6.65 or later to resolve the issue. As a temporary workaround, consider restricting access to the bpf link show fdinfo() function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: There is an out-of-bounds read in `bpf link show fdinfo()` for the sockmap link fd. The issue is resolved by adding the missing `BPF LINK TYPE` invocation for sockmap link. Additionally, comments are added for `bpf link type` to prevent missing updates in the future. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.43 **Description** The vulnerability is related to a slab-use-after-free issue in the `cachefiles withdraw cookie()` function. This issue can be triggered by a race condition between the `cachefiles daemon release()` and `cachefiles withdraw cache()` functions, leading to a use-after-free error. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.43 or later. As a temporary workaround, consider disabling the `cachefiles withdraw cookie()` function until a patch is available. However, this may have unintended consequences and should be carefully evaluated before implementation. Note: At the moment, there is no information about other versions that contain a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the use of memory after it has been freed in the cachefiles function of the Linux kernel. This can lead to a use-after-free problem when the ondemand object worker function is run after the object has been freed. The problem occurs when the cachefiles object is not pinned and may be freed when a pending read request is completed and the related erofs is umounted. Technical details about exploitation include: - The `cachefiles ondemand send req()` function sends a read request. - The `cachefiles ondemand fd release()` function closes the ondemand fd and sets the object as CLOSE. - The `cachefiles ondemand daemon read()` function sets the object as REOPENING and queues the `ondemand object worker()` function. - The `queue work(fscache wq, &info->ondemand work)` function queues the work for the ondemand object worker. - The `cachefiles put object()` function frees the object. - The `kmem cache free(object)` function frees the object's memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.8.0-rc7-dirty #542 **Description** The issue is caused by a slab-use-after-free vulnerability in the `cachefiles ondemand daemon read` function. This occurs when a restore command is issued while the daemon is still alive, resulting in a request being processed multiple times and triggering a use-after-free (UAF) error. The vulnerability can be exploited by issuing a restore command when the daemon is still alive. Technical details about exploitation include: - The `cachefiles ondemand get fd` function is vulnerable to a UAF error. - The `REQ A` variable is used to store a request, and its `done` field is waited on using `wait for completion`. - The `cachefiles ondemand daemon read` function reads data from a file descriptor, and the `copy to user` function is used to copy data to a user-space buffer. - The `xas for each` function is used to iterate over a set of requests, and the `xas set mark` function is used to set a mark on a request. - The `cachefiles ondemand restore` function is used to restore a request, and the `xa erase` function is used to erase a request from a cache. **Recommendations** To resolve the issue, add an additional reference count to `cachefiles req`, which is held while waiting and reading, and then released when the waiting and reading is over. As a temporary workaround, consider disabling the `cachefiles ondemand daemon read` function until a patch is available. Restrict access to the vulnerable `cachefiles ondemand get fd` function to minimize the risk of exploitation. Avoid using the `REQ A` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the use of memory after it has been freed in the cachefiles module of the Linux kernel. This can cause a cache Use After Free (UAF) condition. The problem arises when an anonymous file descriptor is installed and then closed, potentially before the reference count of the cache is obtained. To resolve this, the cache reference count should be grabbed before installing the file descriptor. By kernel convention, the file descriptor is taken over by user land after installation, and the kernel should not call close on it after that. The fix involves calling fd install after everything is ready, specifically after copy to user succeeds. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions from v5.8 to v6.6 **Description** The issue is related to a use-after-free problem in the Linux kernel, specifically in the bpf (Berkeley Packet Filter) subsystem. When updating or deleting an inner map in a map array or map htab, the map may still be accessed by non-sleepable or sleepable programs. The `bpf map fd put ptr()` function decreases the ref-counter of the inner map directly through `bpf map put()`, which can lead to the inner map being freed by `ops->map free()` in a kworker. However, most `.map free()` callbacks do not use `synchronize rcu()` or its variants to wait for the elapse of a RCU (Read-Copy Update) grace period, resulting in a potential use-after-free problem. The estimated number of potentially affected devices worldwide is not specified. There are reports of proof-of-concept (PoC) exploits being released, demonstrating the vulnerability's potential for container escape. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the vulnerability. Specifically, versions prior to v5.8 and after v6.6 are not affected. For versions between v5.8 and v6.6, apply the patch that fixes the use-after-free problem in the bpf subsystem. As a temporary workaround, consider disabling the `bpf map put()` function or restricting access to the vulnerable bpf subsystem until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A size overflow issue has been identified in the Linux kernel, specifically in the libbpf component when handling ringbuf mmap. The maximum size of ringbuf is 2GB on x86-64 hosts, which can cause an overflow of u32 when mapping producer pages and data pages. This issue affects 32-bit applications running on 64-bit kernels, where the size of the read-only mmap region can also overflow size t. The fix involves casting the size of the read-only mmap region to u64 and checking for potential overflows during mmap. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.14.0+ **Description** A race condition exists between the `nbd alloc config()` function and the removal of the nbd module. When the nbd module is being removed, `nbd alloc config()` may be called concurrently by `nbd genl connect()`, leading to a potential leak of `nbd config` and its related resources, such as `recv workq`. This can cause a kernel NULL pointer dereference and an oops in `nbd read stat()` due to the unload of the nbd module. **Recommendations** For Linux kernel versions prior to 5.14.0+, update to a newer version that includes the fix for the race condition between `nbd alloc config()` and module removal. As a temporary workaround, consider disabling the `nbd` module until a patch is available. Restrict access to the `nbd` module to minimize the risk of exploitation. Avoid using the `nbd genl connect()` function in conjunction with the `nbd alloc config()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.14.0-rc4 **Description** A race condition exists between module removal and the handling of netlink commands in the Linux kernel, which can lead to a kernel NULL pointer dereference. This issue is related to the `nbd` module and can cause an oops error, as shown in the provided stack trace. The error occurs when `genl unregister family()` is not called before `nbd cleanup()`, allowing for a potential race condition. **Recommendations** For Linux kernel versions prior to 5.14.0-rc4, consider updating to a newer version that includes the fix for this issue. As a temporary workaround, ensure that `genl unregister family()` is called before `nbd cleanup()` to prevent the race condition.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel related to the dm btree remove function. The issue occurs when the `remove raw()` function in `dm btree remove()` fails due to an IO read error, causing the `shadow spine::root` value to be uninitialized. This uninitialized value is then assigned to `new root`, leading to potential out-of-bound memory access when trying to read the `details info` tree again. This can result in a general protection fault. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions through 5.0.4 Description: An issue was discovered in aio poll() in fs/aio.c. A file may be released by aio poll wake() if an expected event is triggered immediately, for example, by the close of a pair of pipes, after the return of vfs poll(), causing a use-after-free. Recommendations: For Linux kernel versions through 5.0.4, update to a version later than 5.0.4 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific issue.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 4.11 Description: The issue is related to the blkcg init queue function in the Linux kernel, specifically in the block/blk-cgroup.c file. It is caused by a double free error, which can be exploited by local users. This exploitation may lead to a denial of service or potentially other unspecified impacts. Recommendations: For Linux kernel versions prior to 4.11, update to version 4.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the blkcg init queue function to minimize the risk of exploitation.