Syzkaller

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified) Description The Linux kernel contained a flaw in the net/rose component where a NULL pointer dereference could occur in the `rose transmit link` function during a reconnect attempt. This issue arose because `rose connect()` lacked a check for the TCP SYN SENT state, allowing a second connection attempt while the first was in progress to overwrite `rose->neighbour` with NULL. Subsequently, closing the socket would lead to a call to `rose write internal()` and then `rose transmit link(skb, NULL)`, resulting in the NULL pointer dereference. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A race condition exists in the Linux kernel perf event subsystem during ring buffer management. The issue occurs in the `perf mmap()` function when a `mmap()` setup fails and a concurrent `mmap()` is performed on a dependent event. Specifically, the `ring buffer` (`rb`) is assigned to `event->rb` while holding the `mmap mutex`, but the mutex is released before calling `map range()`. If `map range()` fails, `perf mmap close()` is called for cleanup. Because the mutex was released, another thread can acquire it, see the valid `event->rb` pointer, and attempt to increment its reference count. If the cleanup process has already reduced the count to zero, it leads to a use-after-free (UAF) condition or a reference count saturation warning, which may result in a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw exists in the Linux kernel's NTFS3 implementation related to uninitialized memory after a failed `mi read` operation within `mi format new`. The issue stems from the `ntfs get bh()` function potentially receiving a buffer from `sb getblk()` that is not up-to-date. This could lead to adding a buffer containing uninitialized data to the Master File Table (MFT) record, triggering a Kernel Memory Safety Administration (KMSAN) error when attempting to load that record. The fix involves ensuring the buffer is marked as up-to-date before being used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel versions prior to 6.15.8 **Description:** A flaw exists in the Linux kernel's ALSA timer functionality. Specifically, within the `snd utimer create()` function, a potential issue arises if the `kasprintf()` function returns NULL. This can lead to a call to `snd utimer put id()`, which subsequently attempts to free an unallocated ID (0) using `ida free()`. This condition was reported by the syzkaller fuzzer. **Recommendations:** Update to Linux kernel version 6.15.8 or later.

### Name of the Vulnerable Software and Affected Versions: Linux kernel versions 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 ### Description: The Linux kernel contains a flaw within the bpf subsystem. Specifically, the issue arises when creating a bpf program and the `fp->jit requested` variable depends on `bpf jit enable`. This occurs when `CONFIG BPF JIT ALWAYS ON` is not set and `bpf jit enable` is set to 1, causing the architecture to attempt JIT compilation of the program. If JIT compilation fails due to fault injection, the program is incorrectly treated as valid, leading to a call to the ` bpf prog ret0 warn` function and triggering a warning. ### Recommendations: Linux kernel version 6.15.0-rc4-syzkaller-00040-g8bac8898fe39: Ensure `CONFIG BPF JIT ALWAYS ON` is set, or if `bpf jit enable` is set to 1, verify that JIT compilation does not fail due to fault injection.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.13.0 Description: A use-after-free issue has been identified in the Linux kernel, specifically in the `geneve find dev()` function. This issue occurs when the `geneve configure()` function links the `struct geneve dev.next` to `net generic(net, geneve net id)->geneve list`, and the network namespace is dismantled, causing the device to be freed while its `geneve dev.next` is still linked to the backend UDP socket network namespace. This can lead to a use-after-free error when another geneve device is created in the network namespace. The issue is resolved by calling `geneve dellink()` instead of `geneve destroy tunnels()`. Recommendations: To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. As a temporary workaround, consider disabling the `geneve find dev()` function until a patch is available. Restrict access to the vulnerable `geneve dev` structure to minimize the risk of exploitation. Avoid using the `geneve configure()` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A use-after-free vulnerability has been identified in the Linux kernel, specifically in the ipvlan module. This issue arises when the linkwatch work is triggered for the ipvlan device, potentially resulting in the lower device being freed before the ipvlan device, leading to a use-after-free error in ipvlan get iflink(). The vulnerability can be addressed by delaying the unregistration of the lower device, similar to how it is handled in the vlan and macvlan modules. **Recommendations** Update to Linux kernel version 6.6.74 or later to resolve the issue. As a temporary workaround, consider disabling the linkwatch work for ipvlan devices until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.15.0 #12 **Description** A flaw exists in the Linux kernel related to the handling of High-Speed Resilient (HSR) frames. Receiving an HSR frame without sufficient space to accommodate the HSR tag within the skb (socket buffer) can lead to a kernel crash, specifically a kernel BUG triggered by an invalid opcode. This issue arises from unintended transformations applied to the skb by the HSR layer when processing a corrupted HSR frame with an incomplete TAG. The reproducer utilizes AF PACKET, but the vulnerability could potentially be triggered by frames received over a network. **Recommendations** Update to a version newer than 6.15.0 #12 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.65 **Description** The Linux kernel had a vulnerability that has been resolved. Netlink supports iterative dumping of data, providing the following operations: `start`, `dump`, and `done`. The process is asynchronous, and repeated calls to `dump` are triggered in response to `recvmsg()` on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To ensure that `start` is always paired with `done`, the kernel checks if there is an ongoing dump before freeing the socket and calls `done` if necessary. However, the use of a workqueue to defer the call does not work correctly, as it defers the release of a reference on the socket instead of the cleanup. Since only the user can interact with dumps, the kernel can clean up when the socket is closed, and close always happens in process context. **Recommendations** For Linux kernel versions prior to 6.6.65, update to version 6.6.65 or later to resolve the issue. As a temporary workaround, consider disabling the `dump` operation until a patch is available. Restrict access to the Netlink socket to minimize the risk of exploitation. Avoid using the `start` and `done` operations in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the removal of a proc entry when a device is unregistered. Syzkaller reported a warning in the `bcm connect()` function. The vulnerability occurs when a BCM socket is connected, allocating a proc entry, and then the bound device is removed, resetting the `bcm sk(sk)->bound` value to 0. A subsequent connect attempt tries to allocate a proc entry with the same name, leading to a leak of the original proc entry. The proc entry is only available for connected sockets, so it should be cleaned up when the bound netdev is unregistered. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.52 or later. As a temporary workaround, consider disabling the `bcm connect()` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `ifindex` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises when calling ioctl TIOCSSERIAL with an invalid baud base, resulting in uartclk being zero. This leads to a divide by zero error in uart get divisor(). To prevent this, the check for uartclk being zero in uart set info() needs to be done before other settings are made. The vulnerability can be exploited through the `ioctl` function, specifically the `TIOCSSERIAL` command, which can cause a divide by zero error in the `uart get divisor()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.43 **Description** The vulnerability is related to the Linux kernel's UDP implementation, specifically in the `udp lib get port()` function. The issue arises from the fact that the `SOCK RCU FREE` flag is set too early in the `udp v[46] early demux()` and `sk lookup()` functions, potentially leading to a small race window. This could allow an attacker to exploit the vulnerability, although the exact impact is not specified. The vulnerability was identified by syzkaller, a tool for finding bugs in the Linux kernel. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.43 or later. This update includes the fix for the vulnerability, which sets the `SOCK RCU FREE` flag earlier in the `udp lib get port()` function to prevent the race window.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.37 Description: The issue is related to the Linux kernel's handling of errors in the `rpc proc register()` function, which is called during the initialization of the NFS (Network File System) subsystem. When this function fails, the error is ignored, and the `nfs net init()` function may still succeed, leading to a potential issue when the `nfs net exit()` function is called during the destruction of network namespaces. This can cause a warning to be triggered due to an attempt to remove a non-existing proc directory entry. The problem has been made more visible by a recent commit that converted the procfs to per-netns. Recommendations: To resolve this issue, update the Linux kernel to version 6.6.37 or later. This update includes the necessary fix to properly handle the error of `rpc proc register()` in `nfs net init()`.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** A vulnerability in the Linux kernel has been resolved, specifically a shift-out-of-bounds issue in the `dctcp update alpha()` function. The vulnerability occurs when the `dctcp shift g` module parameter is set to a value that is too large, causing a shift exponent that is too large for a 32-bit type. This issue was triggered by the syzkaller tool, which started fuzzing module parameters. The vulnerability can be exploited by setting the `dctcp shift g` parameter to a value of 100, which is too large for the 32-bit type. To fix this issue, the maximum value of `dctcp shift g` has been limited using the `param set uint minmax()` function. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.37 or later. As a temporary workaround, consider limiting the maximum value of the `dctcp shift g` module parameter to prevent shift-out-of-bounds issues.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** A vulnerability has been resolved in the Linux kernel, specifically in the ipv4 module. The issue is related to an uninit-value access in the ` ip make skb()` function. This function tests the `HDRINCL` flag to determine if the socket buffer (`skb`) has an ICMP header (`icmphdr`). However, the `HDRINCL` flag can cause a race condition. If the `setsockopt(2)` function is called with `IP HDRINCL` while ` ip make skb()` is running, it can change the `HDRINCL` flag, leading to the function accessing `icmphdr` in the `skb` even if it is not included. This issue was reported by KMSAN. To fix this, the code now checks `FLOWI FLAG KNOWN NH` on `fl4->flowi4 flags` instead of testing `HDRINCL` on the socket. Additionally, `fl4->fl4 icmp type` and `fl4->fl4 icmp code` are not initialized and are part of a union in `struct flowi4`. These are implicitly initialized by `flowi4 init output()`, but the code should not rely on a specific union layout. Therefore, these variables are now explicitly initialized in `raw sendmsg()`. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.37 or later. This update includes the fix for the uninit-value access in ` ip make skb()` and ensures that `fl4->fl4 icmp type` and `fl4->fl4 icmp code` are properly initialized.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a use-after-free vulnerability in the `reqsk timer handler()` function. This vulnerability can be triggered when a `reqsk` timer is fired and a use-after-free (UAF) occurs while freeing the `reqsk`. The scenario involves creating a per netns TCP listener using `unshare(CLONE NEWNET)` and `rds tcp listen init()`, then connecting to it using `syz-executor` and creating a `reqsk`. When `syz-executor` exits immediately, the netns is dismantled, and the `reqsk` timer is fired, leading to the UAF. The `reqsk` assumes that the listener guarantees netns safety until all `reqsk` timers are expired by holding the listener's refcount. However, this was not the case for kernel sockets. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.1.74 Description: The vulnerability is related to a buffer overflow in the `arp req get()` function in the Linux kernel. When the `ioctl(SIOCGARP)` command is issued, the function looks up a neighbor entry and copies the `neigh->ha` value to the `struct arpreq.arp ha.sa data` buffer. However, the `arp ha` buffer is only 14 bytes long, which can lead to a buffer overflow when the `dev->addr len` is greater than 22. This can cause the `arp netmask` value to be overwritten, potentially allowing an attacker to gain elevated privileges. The vulnerability can be exploited by issuing the `ioctl(SIOCGARP)` command with a specially crafted `struct arpreq` buffer, which can lead to a buffer overflow and potentially allow an attacker to execute arbitrary code. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for the vulnerability. Specifically, update to a version that includes the commit `b5f0de6df6dc` ("net: dev: Convert sa data to flexible array in struct sockaddr") or later. As a temporary workaround, consider disabling the `arp req get()` function until a patch is available. However, this may have unintended consequences and should be carefully evaluated before implementation. Note: The provided information does not include details about the existence of a patch or a fixed version for all affected systems. Therefore, the recommendation to update to a newer version is based on the assumption that such a version exists and is available for the specific system in question.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to a resource management issue in the `dg dispatch as host()` function of the VMCI component in the Linux kernel. The issue arises from a `memcpy()` operation that performs a field-spanning write, which can lead to a runtime warning. This warning is seen when fuzzing with Syzkaller, a tool used for finding bugs in the Linux kernel. The problem occurs because the `memcpy()` function copies data across multiple members of a structure, which is not allowed under `FORTIFY SOURCE`. The vulnerable code is located in the `vmci datagram.c` file at line 237. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality. This issue occurs when a user registers the device and the register netdevice function fails, specifically with the NETDEV REGISTER notifier. The flaw allows a local user to crash or potentially escalate their privileges on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.16.0-rc1+ **Description** The vulnerability is related to a division error in the netem enqueue function, which occurs when the skb->len and skb->data len are both zero. This error is caused by a lack of check on the len parameter, allowing an empty skb to be processed. The issue is resolved by adding a check on the len parameter to prevent empty skbs. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix, which is version 5.16.0-rc1 or later. If updating is not possible, consider disabling the netem enqueue function or restricting its use to minimize the risk of exploitation. However, these are temporary workarounds, and updating the kernel is the recommended solution. At the moment, there is no information about a newer version that contains a fix for this vulnerability in the provided input descriptions, but based on the context, it seems the fix is included in version 5.16.0-rc1 or later.