Marc Dionne

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A bug in the Linux kernel's AF RXRPC listen() handler allows the backlog to be set too high, causing an oops when the socket is closed. This happens because the preallocation circular buffers have 32 slots, but one slot must be a dead slot due to the use of CIRC CNT(). As a result, listen(rxrpc sock, 32) will cause a kernel NULL pointer dereference when the socket is closed. The issue is resolved by setting the maximum backlog to RXRPC BACKLOG MAX - 1 to match the ring capacity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability in the Linux kernel has been resolved, related to missing locking in the rxrpc module, which can cause hanging calls. If a call is aborted between being queued for connection and the I/O thread picking it up, the abort may be prioritized over the connection, and the call may be removed from the list without a lock being held. This can lead to other calls on the list disappearing if a race occurs. The issue is fixed by taking the client call lock when removing a call from the list. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.0.11 **Description** The issue is related to a memory leak caused by the `afs put server` function in the Linux kernel. Specifically, the `atomic read` was accidentally replaced with `atomic inc return`, which prevents the server from getting cleaned up and causes `rmmod` to hang with a warning. This warning is indicated by the message "Can't purge s=00000001". The estimated number of potentially affected devices is not provided. **Recommendations** For Linux kernel versions prior to 6.0.11, upgrade to a version 6.0.11 or later to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the `afs put server` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been resolved, related to the dynamic root getattr in the afs module. The problem occurred when the afs getattr function consulted the server without accounting for pseudo-inodes employed by the dynamic root-type afs superblock, which do not have a volume or server to access. This resulted in a kernel NULL pointer dereference when a directory in /afs was stat'd. The error manifested as an oops with a BUG message indicating a kernel NULL pointer dereference. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been resolved, related to the rxrpc call struct timer. The timer can be started from packet input routines running in softirq mode with only the RCU read lock held, allowing the call to be destroyed at the same time a packet is processed, causing the timer to be restarted after being stopped. This can lead to an oops if the timer is deallocated first. The issue is fixed by taking a ref on the rxrpc call struct and passing it to the timer, which is then passed to the call's work item when queued. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a page leak in the Linux kernel, specifically in the `afs extend writeback()` function. This function has a loop that adds extra pages to a write to improve efficiency, but it stops if a page cannot be written back immediately, without releasing the speculatively acquired page reference. The leak occurs because the cleanup loop was removed when the code switched from using `find get pages contig()` to xarray scanning. The issue was found by the `generic/074` test and leaks approximately 4GiB of RAM each time it is run, which can be observed using "top". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenAFS versions prior to 1.6.17 **Description** The issue is related to the improper initialization of certain structures in the client, specifically `AFSStoreStatus`, `AFSStoreVolumeStatus`, `VldbListByAttributes`, and `ListAddrByAttributes`. This could potentially allow remote attackers to obtain sensitive memory information by accessing RPC call traffic. **Recommendations** For versions prior to 1.6.17, update to version 1.6.17 or later to resolve the issue.