Jakub Kicinski

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: A string buffer overrun vulnerability has been resolved in the Linux kernel. The issue occurs when copying `media name` and `if name` to `name parts`, which may overwrite the destination. This is due to the use of `strcpy()` with insufficient buffer size checks, as reported by Smatch. The vulnerable code is located in `bearer.c` at lines 166 and 167, where `media name` and `if name` are too large for `name parts->media name` and `name parts->if name`, respectively. The vulnerability was introduced by commit `b97bf3fd8f6a` ("[TIPC] Initial merge"). Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the vulnerability. As a temporary workaround, consider using `strscpy()` instead of `strcpy()` and failing if truncation occurs to prevent buffer overruns. Restrict access to the vulnerable `bearer name validate()` function until the issue is resolved. Avoid using the `media name` and `if name` variables in the affected code paths until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a possible null dereference in the Linux kernel when a PSE supports both c33 and PoDL, but only one of the netlink attributes is specified. The c33 or PoDL PSE capabilities are already validated in the `ethnl set pse validate()` call. This could potentially allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the ethtool in the Linux kernel, where the max channel check in the core gets skipped if the driver can't fetch the indirection table or when memory can't be allocated. This can lead to crashes if the indirection table contains channels with out of bounds IDs. The condition is rare but to be safe, the channel change should fail if these conditions occur. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to the version that includes the fix for the issue introduced in version 5 of TCP-AO patches **Description** The issue is related to a leak of `ao info` on the error path in the `net/tcp ao` component of the Linux kernel. It was introduced together with `TCP AO CMDF AO REQUIRED` in version 5 of the TCP-AO patches. The issue is frustrating given the existence of selftests, and the use of `kmemtest` and `kcov` was always pending. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.15.0-rc6+ Description: The issue is related to the ethtool component of the Linux kernel, where there is a short period between a net device starting to be unregistered and when it is actually gone, during which ethtool operations could still be performed, potentially leading to unwanted or undefined behaviors. This could result in NULL pointer exceptions and use-after-free errors. For example, adding Tx queues after unregistering a net device could lead to such errors. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the patch for this vulnerability. As a temporary workaround, consider disabling ethtool operations on net devices that are being unregistered to minimize the risk of exploitation. Restrict access to the netlink part of the ethtool component, as the ioctl part is not affected by this issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an out-of-bounds access when the thread is preempted between two calls to `blk mq get ctx()`. This can cause the program to read garbage if the second context (`ctx`) came from a hardware context (`hctx`) with more contexts than the first one. The problem manifested as a UBSAN array index out-of-bounds error. The error occurred because `kyber bio merge()` gets the `ctx` for the current CPU again and uses it to get the corresponding Kyber context in the passed `hctx`. However, the thread may be preempted between the two calls to `blk mq get ctx()`, and the `ctx` returned the second time may no longer correspond to the passed `hctx`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** The issue is caused by synchronization errors when using a shared resource in the implementation of the IPv6 protocol in the Linux kernel. This can be exploited by a remote attacker to cause a denial of service or possibly other impacts. The vulnerability affects the function `inet6 stream ops/inet6 dgram ops` of the IPv6 Handler component, leading to a race condition. **Recommendations** To fix this issue, it is recommended to apply a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free error in the bnxt component of the Linux kernel. This occurs when the `bnxt tx int()` function hands over the ownership of a completed skb to the PTP worker and the skb is used afterwards, potentially leading to a use-after-free condition. The worker may run before the rest of the code and free the skb, causing this issue. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the protection check for psock vs ULP. The `inet csk has ulp(sk)` check was moved from `sk psock init()` to the new `tcp bpf update proto()` function, potentially allowing the creation of psocks for non-inet sockets. However, the destruction path for psock includes the ULP unwind, requiring the `sk psock init()` to fail if ULP is already present. Otherwise, it may result in the ULP looping its callbacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak issue was discovered in the Linux kernel's eBPF related to the Simulated networking device driver. This issue arises when a user utilizes BPF for the device in a way that the `nsim map alloc elem` function is called. As a result, a local user could exploit this flaw to gain unauthorized access to certain data. The vulnerability is associated with a lack of protection for internal data, which could allow an attacker to gain unauthorized access to the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.15.8 **Description** The issue is related to a refcount leak in the pep sock accept function in the Linux kernel. This leak is associated with insufficient protection of internal data. Exploitation of this issue may allow an attacker to gain unauthorized access to protected information. **Recommendations** For Linux kernel versions through 5.15.8, update to a version that contains a fix for this issue to resolve the refcount leak in the pep sock accept function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.