Taehee Yoo

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.10.0-rc2+ Description: The vulnerability is related to the ionic component of the Linux kernel. It occurs when the `netif napi del()` function is called, but the `.poll` pointer is not reset to NULL. As a result, the `ionic qcq enable()` function may call `napi enable()` for a queue that has already been unregistered, leading to a use-after-free error. This can cause a kernel bug and potentially allow an attacker to exploit the vulnerability. Recommendations: To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, versions 6.10.0-rc2 and later should be used. At the moment, there is no information about a newer version that contains a fix for this vulnerability, other than updating to 6.10.0-rc2 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 6.9.0 **Description** The vulnerability is caused by the ionic driver sending a packet to the TX path with an rx page and corresponding dma address in the XDP TX path. After the transmission is done, the `ionic tx clean()` function frees the page, but the RX ring buffer is not reset to NULL, resulting in the use of a freed page and causing a kernel panic. The issue is related to the `ionic rx service()` and `ionic tx clean()` functions. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the ionic driver. As a temporary workaround, consider disabling the `ionic rx service()` function until a patch is available. Restrict access to the vulnerable `ionic` module to minimize the risk of exploitation. Avoid using the `dma` address in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 5.13.0+ **Description** The issue arises from the `skb tunnel info()` function returning a pointer of `lwtstate->data` as `ip tunnel info` type without validation. `lwtstate->data` can have various types, such as `mpls iptunnel encap`, which are not compatible with `ip tunnel info`. This leads to a slab-out-of-bounds error in `vxlan get route()`. The error is identified by the KASAN (Kernel Address Sanitizer) with a read of size 2 at a specific address by the task `ping`. The call trace includes functions like `dump stack lvl`, `print address description`, `vxlan get route`, `vxlan xmit one`, `vxlan xmit`, `dev hard start xmit`, ` dev queue xmit`, `neigh xmit`, `mpls xmit`, `lwtunnel xmit`, and `ip finish output2`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.12.0 **Description** A vulnerability in the Linux kernel has been resolved, which could cause a kernel panic when the headroom size is too large in the `mld newpack()` function. This function does not allow high-order page allocation, only order-0 allocation is allowed. If the headroom size exceeds the allowed limit, a kernel panic could occur in `skb put()`. The vulnerability can be triggered using specific test commands that create a network namespace and configure IPv6 addresses. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the `mld newpack()` function. Specifically, versions prior to 5.12.0 are affected, so updating to 5.12.0 or later should resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability, other than updating to version 5.12.0 or later.