Kuan-Wei Chiu

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc4+ **Description** A Use-After-Free (UAF) bug has been fixed in the Linux kernel's KUnit string stream function. The issue occurs when `alloc string stream()` fails in the `kunit suite for each test case()` loop, causing the `suite->log` stream memory to be freed but not set to NULL. This leads to a UAF bug when `string stream clear()` is called later. The error path only frees the `suite->log` stream memory but not sets it to NULL, resulting in a UAF bug. Technical details about exploitation include: - The `string stream clear()` function is vulnerable. - The `alloc string stream()` function fails in the `kunit suite for each test case()` loop. - The `suite->log` stream memory is freed but not set to NULL. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the UAF bug. As a temporary workaround, consider disabling the `string stream clear()` function until a patch is available. Restrict access to the vulnerable `kunit debugfs create suite()` function to minimize the risk of exploitation. Avoid using the `suite->log` stream in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A signed integer overflow issue has been identified in the Linux kernel, specifically in the printk function when defining LOG BUF LEN MAX. This occurs due to shifting 1 << 31 on a 32-bit int, causing undefined behavior. The issue is resolved by casting 1 to an unsigned 32-bit integer before performing the shift, ensuring well-defined behavior. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: The issue arises from the `bpftool` in the Linux kernel, where `qsort` is called with a NULL pointer when netfilter has no entry to display, resulting in undefined behavior. This is reported by UBSan as a runtime error due to a null pointer being passed as an argument. The C standard implies that passing invalid arguments, including null pointers, to functions leads to undefined behavior. To mitigate this, an early return is added when `nf link info` is NULL to prevent calling `qsort` with a NULL pointer. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider modifying the code to add an early return when `nf link info` is NULL to prevent calling `qsort` with a NULL pointer.