Martin Kafai Lau

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.61 Description: A use-after-free vulnerability was reported in the Linux kernel's TCP timer handling. The issue occurs when the `req->sk` is closed before the timer expiration, which is 63 seconds by default. This can happen in a scenario where `inet csk complete hashdance()` calls `inet csk reqsk queue drop()`, but `del timer sync()` is missed, allowing the reqsk timer to continue running and sending multiple SYN+ACKs until it expires. The vulnerability can be exploited by attaching a BPF program to `trace tcp retransmit synack`, which passes the `req->sk` to the `bpf sk storage get tracing` kernel helper. Recommendations: To resolve the issue, update the Linux kernel to version 6.6.61 or later. As a temporary workaround, consider disabling the `bpf sk storage get tracing` function until a patch is available. Restrict access to the vulnerable `reqsk queue unlink` function to minimize the risk of exploitation. Avoid using the `timer pending()` function in `reqsk queue unlink()` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel, where the lwt seg6 related BPF ops can be invoked via `bpf test run()` without entering `input action end bpf()` first. This is because the per-CPU variable `seg6 bpf srh states::srh` is never assigned in the self test case, but each BPF function expects it. The problem probably didn't work since it was introduced in commit 04d4b274e2a ("ipv6: sr: Add seg6local action End.BPF"). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a race condition between `bpf timer cancel and free` and `bpf timer cancel` in the Linux kernel, which can lead to a Use After Free (UAF) on the `timer->timer`. This occurs when `bpf timer cancel` and `bpf timer cancel and free` are called concurrently, causing the `timer->timer` to be accessed after it has been freed. The patch resolves this issue by freeing the `timer->timer` after a rcu grace period in `bpf timer cancel and free`, and adding a `rcu read lock` in `bpf timer cancel` to prevent the race condition. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.3.3 **Description** The issue allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field in the ext4 journal stop function. **Recommendations** For versions prior to 4.3.3, update to version 4.3.3 or later to resolve the issue.