{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.4.0-1114-kvm", "linux-image-5.4.0-1114-kvm", "linux-kvm-headers-5.4.0-1114", "linux-modules-5.4.0-1114-kvm" ], "removed": [ "linux-headers-5.4.0-1113-kvm", "linux-image-5.4.0-1113-kvm", "linux-kvm-headers-5.4.0-1113", "linux-modules-5.4.0-1113-kvm" ], "diff": [ "linux-headers-kvm", "linux-image-kvm", "linux-kvm" ] } }, "diff": { "deb": [ { "name": "linux-headers-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1113.109", "version": "5.4.0.1113.109" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1114.110", "version": "5.4.0.1114.110" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-1114", "" ], "package": "linux-meta-kvm", "version": "5.4.0.1114.110", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Tue, 21 May 2024 10:41:12 +0200" } ], "notes": null }, { "name": "linux-image-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1113.109", "version": "5.4.0.1113.109" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1114.110", "version": "5.4.0.1114.110" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-1114", "" ], "package": "linux-meta-kvm", "version": "5.4.0.1114.110", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Tue, 21 May 2024 10:41:12 +0200" } ], "notes": null }, { "name": "linux-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1113.109", "version": "5.4.0.1113.109" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1114.110", "version": "5.4.0.1114.110" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-1114", "" ], "package": "linux-meta-kvm", "version": "5.4.0.1114.110", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Tue, 21 May 2024 10:41:12 +0200" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.4.0-1114-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1113.120", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1114.121", "version": "5.4.0-1114.121" }, "cves": [ { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2021-47063", "url": "https://ubuntu.com/security/CVE-2021-47063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block", "cve_priority": "medium", "cve_public_date": "2024-02-29 23:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2021-47070", "url": "https://ubuntu.com/security/CVE-2021-47070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function.", "cve_priority": "medium", "cve_public_date": "2024-03-01 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2063801, 2063812, 2061986, 2040948, 2058477, 2060216, 2060019 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2021-47063", "url": "https://ubuntu.com/security/CVE-2021-47063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block", "cve_priority": "medium", "cve_public_date": "2024-02-29 23:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2021-47070", "url": "https://ubuntu.com/security/CVE-2021-47070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function.", "cve_priority": "medium", "cve_public_date": "2024-03-01 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "log": [ "", " * focal/linux-kvm: 5.4.0-1114.121 -proposed tracker (LP: #2063801)", "", " [ Ubuntu: 5.4.0-186.206 ]", "", " * focal/linux: 5.4.0-186.206 -proposed tracker (LP: #2063812)", " * Mount CIFS fails with Permission denied (LP: #2061986)", " - cifs: fix ntlmssp auth when there is no key exchange", " * USB stick can't be detected (LP: #2040948)", " - usb: Disable USB3 LPM at shutdown", " * CVE-2024-26733", " - net: dev: Convert sa_data to flexible array in struct sockaddr", " - arp: Prevent overflow in arp_req_get().", " - stddef: Introduce DECLARE_FLEX_ARRAY() helper", " * CVE-2024-26712", " - powerpc/kasan: Fix addr error caused by page alignment", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", " * CVE-2021-47063", " - drm: bridge/panel: Cleanup connector on bridge detach", " * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. (LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", " * CVE-2024-26614", " - tcp: make sure init the accept_queue's spinlocks once", " - ipv6: init the accept_queue's spinlocks in inet6_create", " * Focal update: v5.4.271 upstream stable release (LP: #2060216)", " - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", " - net: ip_tunnel: prevent perpetual headroom growth", " - tun: Fix xdp_rxq_info's queue_index when detaching", " - ipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()", " - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is", " detected", " - net: usb: dm9601: fix wrong return value in dm9601_mdio_read", " - Bluetooth: Avoid potential use-after-free in hci_error_reset", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", " - Bluetooth: Enforce validation on max value of connection interval", " - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()", " - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back", " - efi/capsule-loader: fix incorrect allocation size", " - power: supply: bq27xxx-i2c: Do not free non existing IRQ", " - ALSA: Drop leftover snd-rtctimer stuff from Makefile", " - afs: Fix endless loop in directory parsing", " - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", " - wifi: nl80211: reject iftype change with mesh ID change", " - btrfs: dev-replace: properly validate device names", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " - dmaengine: fsl-qdma: init irq after reg initialization", " - mmc: core: Fix eMMC initialization with 1-bit bus connection", " - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers", " - cachefiles: fix memory leak in cachefiles_add_cache()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - gpio: 74x164: Enable output pins after registers are reset", " - Linux 5.4.271", " * Focal update: v5.4.270 upstream stable release (LP: #2060019)", " - KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()", " - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler", " - net/sched: Retire CBQ qdisc", " - [Config] updateconfigs for NET_SCH_CBQ", " - net/sched: Retire ATM qdisc", " - [Config] updateconfigs for NET_SCH_ATM", " - net/sched: Retire dsmark qdisc", " - [Config] updateconfigs for NET_SCH_DSMARK", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - memcg: add refcnt for pcpu stock to avoid UAF problem in drain_all_stock()", " - nilfs2: replace WARN_ONs for invalid DAT metadata block requests", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - sched/rt: Fix sysctl_sched_rr_timeslice intial value", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " - scsi: target: core: Add TMF to tmr_list handling", " - dmaengine: shdma: increase size of 'dev_id'", " - dmaengine: fsl-qdma: increase size of 'irq_name'", " - wifi: cfg80211: fix missing interfaces when dumping", " - wifi: mac80211: fix race condition on enabling fast-xmit", " - fbdev: savage: Error out if pixclock equals zero", " - fbdev: sis: Error out if pixclock equals zero", " - ahci: asm1166: correct count of reported ports", " - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers", " - ext4: avoid allocating blocks from corrupted group in", " ext4_mb_try_best_found()", " - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", " - regulator: pwm-regulator: Add validity checks in continuous .get_voltage", " - nvmet-tcp: fix nvme tcp ida memory leak", " - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616", " - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in", " sctp_new", " - nvmet-fc: abort command when there is no binding", " - hwmon: (coretemp) Enlarge per package core count limit", " - scsi: lpfc: Use unsigned type for num_sge", " - firewire: core: send bus reset promptly on gap count error", " - virtio-blk: Ensure no requests in virtqueues before deleting vqs.", " - s390/qeth: Fix potential loss of L3-IP@ in case of network issues", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - tcp: factor out __tcp_close() helper", " - tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit", " - tcp: add annotations around sk->sk_shutdown accesses", " - pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours", " - pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups", " - spi: mt7621: Fix an error message in mt7621_spi_probe()", " - net: bridge: clear bridge's private skb space on xmit", " - selftests/bpf: Avoid running unprivileged tests with alignment requirements", " - Revert \"drm/sun4i: dsi: Change the start delay calculation\"", " - drm/amdgpu: Check for valid number of registers to read", " - x86/alternatives: Disable KASAN in apply_alternatives()", " - dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata()", " - iomap: Set all uptodate bits for an Uptodate page", " - drm/amdgpu: Fix type of second parameter in trans_msg() callback", " - arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node", " - PCI: tegra: Fix reporting GPIO error value", " - PCI: tegra: Fix OF node reference leak", " - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error", " - dm-crypt: don't modify the data when using authenticated encryption", " - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", " - PCI/MSI: Prevent MSI hardware interrupt number truncation", " - l2tp: pass correct message length to ip6_append_data", " - ARM: ep93xx: Add terminator to gpiod_lookup_table", " - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", " - usb: cdns3: fix memory double free when handle zero packet", " - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs", " - usb: roles: don't get/set_role() when usb_role_switch is unregistered", " - IB/hfi1: Fix a memleak in init_credit_return", " - RDMA/bnxt_re: Return error for SRQ resize", " - RDMA/srpt: Make debug output more detailed", " - RDMA/srpt: fix function pointer cast warnings", " - scripts/bpf: teach bpf_helpers_doc.py to dump BPF helper definitions", " - bpf, scripts: Correct GPL license name", " - scsi: jazz_esp: Only build if SCSI core is builtin", " - nouveau: fix function cast warnings", " - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid", " - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid", " - afs: Increase buffer size in afs_update_volume_status()", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", " - packet: move from strlcpy with unused retval to strscpy", " - s390: use the correct count for __iowrite64_copy()", " - tls: rx: jump to a more appropriate label", " - tls: rx: drop pointless else after goto", " - tls: stop recv() if initial process_rx_list gave us non-DATA", " - netfilter: nf_tables: set dormant flag on hook register failure", " - drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3", " - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set", " - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", " - scripts/bpf: Fix xdp_md forward declaration typo", " - Linux 5.4.270", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", " * CVE-2021-47070", " - uio: uio_hv_generic: use devm_kzalloc() for private data alloc", " - uio_hv_generic: Fix another memory leak in error handling paths", " * CVE-2024-26622", " - tomoyo: fix UAF write bug in tomoyo_write_control()", "" ], "package": "linux-kvm", "version": "5.4.0-1114.121", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2063801, 2063812, 2061986, 2040948, 2058477, 2060216, 2060019 ], "author": "Thibault Ferrante ", "date": "Tue, 21 May 2024 10:17:56 +0200" } ], "notes": "linux-headers-5.4.0-1114-kvm version '5.4.0-1114.121' (source package linux-kvm version '5.4.0-1114.121') was added. linux-headers-5.4.0-1114-kvm version '5.4.0-1114.121' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1113-kvm. As such we can use the source package version of the removed package, '5.4.0-1113.120', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.4.0-1114-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.4.0-1113.120", "version": null }, "to_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.4.0-1114.121", "version": "5.4.0-1114.121" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.4.0-1114.121", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.4.0-1114.121", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Thibault Ferrante ", "date": "Tue, 21 May 2024 10:41:17 +0200" } ], "notes": "linux-image-5.4.0-1114-kvm version '5.4.0-1114.121' (source package linux-signed-kvm version '5.4.0-1114.121') was added. linux-image-5.4.0-1114-kvm version '5.4.0-1114.121' has the same source package name, linux-signed-kvm, as removed package linux-image-5.4.0-1113-kvm. As such we can use the source package version of the removed package, '5.4.0-1113.120', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-kvm-headers-5.4.0-1114", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1113.120", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1114.121", "version": "5.4.0-1114.121" }, "cves": [ { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2021-47063", "url": "https://ubuntu.com/security/CVE-2021-47063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block", "cve_priority": "medium", "cve_public_date": "2024-02-29 23:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2021-47070", "url": "https://ubuntu.com/security/CVE-2021-47070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function.", "cve_priority": "medium", "cve_public_date": "2024-03-01 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2063801, 2063812, 2061986, 2040948, 2058477, 2060216, 2060019 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2021-47063", "url": "https://ubuntu.com/security/CVE-2021-47063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block", "cve_priority": "medium", "cve_public_date": "2024-02-29 23:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2021-47070", "url": "https://ubuntu.com/security/CVE-2021-47070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function.", "cve_priority": "medium", "cve_public_date": "2024-03-01 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "log": [ "", " * focal/linux-kvm: 5.4.0-1114.121 -proposed tracker (LP: #2063801)", "", " [ Ubuntu: 5.4.0-186.206 ]", "", " * focal/linux: 5.4.0-186.206 -proposed tracker (LP: #2063812)", " * Mount CIFS fails with Permission denied (LP: #2061986)", " - cifs: fix ntlmssp auth when there is no key exchange", " * USB stick can't be detected (LP: #2040948)", " - usb: Disable USB3 LPM at shutdown", " * CVE-2024-26733", " - net: dev: Convert sa_data to flexible array in struct sockaddr", " - arp: Prevent overflow in arp_req_get().", " - stddef: Introduce DECLARE_FLEX_ARRAY() helper", " * CVE-2024-26712", " - powerpc/kasan: Fix addr error caused by page alignment", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", " * CVE-2021-47063", " - drm: bridge/panel: Cleanup connector on bridge detach", " * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. (LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", " * CVE-2024-26614", " - tcp: make sure init the accept_queue's spinlocks once", " - ipv6: init the accept_queue's spinlocks in inet6_create", " * Focal update: v5.4.271 upstream stable release (LP: #2060216)", " - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", " - net: ip_tunnel: prevent perpetual headroom growth", " - tun: Fix xdp_rxq_info's queue_index when detaching", " - ipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()", " - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is", " detected", " - net: usb: dm9601: fix wrong return value in dm9601_mdio_read", " - Bluetooth: Avoid potential use-after-free in hci_error_reset", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", " - Bluetooth: Enforce validation on max value of connection interval", " - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()", " - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back", " - efi/capsule-loader: fix incorrect allocation size", " - power: supply: bq27xxx-i2c: Do not free non existing IRQ", " - ALSA: Drop leftover snd-rtctimer stuff from Makefile", " - afs: Fix endless loop in directory parsing", " - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", " - wifi: nl80211: reject iftype change with mesh ID change", " - btrfs: dev-replace: properly validate device names", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " - dmaengine: fsl-qdma: init irq after reg initialization", " - mmc: core: Fix eMMC initialization with 1-bit bus connection", " - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers", " - cachefiles: fix memory leak in cachefiles_add_cache()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - gpio: 74x164: Enable output pins after registers are reset", " - Linux 5.4.271", " * Focal update: v5.4.270 upstream stable release (LP: #2060019)", " - KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()", " - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler", " - net/sched: Retire CBQ qdisc", " - [Config] updateconfigs for NET_SCH_CBQ", " - net/sched: Retire ATM qdisc", " - [Config] updateconfigs for NET_SCH_ATM", " - net/sched: Retire dsmark qdisc", " - [Config] updateconfigs for NET_SCH_DSMARK", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - memcg: add refcnt for pcpu stock to avoid UAF problem in drain_all_stock()", " - nilfs2: replace WARN_ONs for invalid DAT metadata block requests", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - sched/rt: Fix sysctl_sched_rr_timeslice intial value", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " - scsi: target: core: Add TMF to tmr_list handling", " - dmaengine: shdma: increase size of 'dev_id'", " - dmaengine: fsl-qdma: increase size of 'irq_name'", " - wifi: cfg80211: fix missing interfaces when dumping", " - wifi: mac80211: fix race condition on enabling fast-xmit", " - fbdev: savage: Error out if pixclock equals zero", " - fbdev: sis: Error out if pixclock equals zero", " - ahci: asm1166: correct count of reported ports", " - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers", " - ext4: avoid allocating blocks from corrupted group in", " ext4_mb_try_best_found()", " - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", " - regulator: pwm-regulator: Add validity checks in continuous .get_voltage", " - nvmet-tcp: fix nvme tcp ida memory leak", " - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616", " - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in", " sctp_new", " - nvmet-fc: abort command when there is no binding", " - hwmon: (coretemp) Enlarge per package core count limit", " - scsi: lpfc: Use unsigned type for num_sge", " - firewire: core: send bus reset promptly on gap count error", " - virtio-blk: Ensure no requests in virtqueues before deleting vqs.", " - s390/qeth: Fix potential loss of L3-IP@ in case of network issues", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - tcp: factor out __tcp_close() helper", " - tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit", " - tcp: add annotations around sk->sk_shutdown accesses", " - pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours", " - pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups", " - spi: mt7621: Fix an error message in mt7621_spi_probe()", " - net: bridge: clear bridge's private skb space on xmit", " - selftests/bpf: Avoid running unprivileged tests with alignment requirements", " - Revert \"drm/sun4i: dsi: Change the start delay calculation\"", " - drm/amdgpu: Check for valid number of registers to read", " - x86/alternatives: Disable KASAN in apply_alternatives()", " - dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata()", " - iomap: Set all uptodate bits for an Uptodate page", " - drm/amdgpu: Fix type of second parameter in trans_msg() callback", " - arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node", " - PCI: tegra: Fix reporting GPIO error value", " - PCI: tegra: Fix OF node reference leak", " - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error", " - dm-crypt: don't modify the data when using authenticated encryption", " - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", " - PCI/MSI: Prevent MSI hardware interrupt number truncation", " - l2tp: pass correct message length to ip6_append_data", " - ARM: ep93xx: Add terminator to gpiod_lookup_table", " - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", " - usb: cdns3: fix memory double free when handle zero packet", " - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs", " - usb: roles: don't get/set_role() when usb_role_switch is unregistered", " - IB/hfi1: Fix a memleak in init_credit_return", " - RDMA/bnxt_re: Return error for SRQ resize", " - RDMA/srpt: Make debug output more detailed", " - RDMA/srpt: fix function pointer cast warnings", " - scripts/bpf: teach bpf_helpers_doc.py to dump BPF helper definitions", " - bpf, scripts: Correct GPL license name", " - scsi: jazz_esp: Only build if SCSI core is builtin", " - nouveau: fix function cast warnings", " - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid", " - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid", " - afs: Increase buffer size in afs_update_volume_status()", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", " - packet: move from strlcpy with unused retval to strscpy", " - s390: use the correct count for __iowrite64_copy()", " - tls: rx: jump to a more appropriate label", " - tls: rx: drop pointless else after goto", " - tls: stop recv() if initial process_rx_list gave us non-DATA", " - netfilter: nf_tables: set dormant flag on hook register failure", " - drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3", " - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set", " - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", " - scripts/bpf: Fix xdp_md forward declaration typo", " - Linux 5.4.270", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", " * CVE-2021-47070", " - uio: uio_hv_generic: use devm_kzalloc() for private data alloc", " - uio_hv_generic: Fix another memory leak in error handling paths", " * CVE-2024-26622", " - tomoyo: fix UAF write bug in tomoyo_write_control()", "" ], "package": "linux-kvm", "version": "5.4.0-1114.121", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2063801, 2063812, 2061986, 2040948, 2058477, 2060216, 2060019 ], "author": "Thibault Ferrante ", "date": "Tue, 21 May 2024 10:17:56 +0200" } ], "notes": "linux-kvm-headers-5.4.0-1114 version '5.4.0-1114.121' (source package linux-kvm version '5.4.0-1114.121') was added. linux-kvm-headers-5.4.0-1114 version '5.4.0-1114.121' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1113-kvm. As such we can use the source package version of the removed package, '5.4.0-1113.120', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.4.0-1114-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1113.120", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1114.121", "version": "5.4.0-1114.121" }, "cves": [ { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2021-47063", "url": "https://ubuntu.com/security/CVE-2021-47063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block", "cve_priority": "medium", "cve_public_date": "2024-02-29 23:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2021-47070", "url": "https://ubuntu.com/security/CVE-2021-47070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function.", "cve_priority": "medium", "cve_public_date": "2024-03-01 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2063801, 2063812, 2061986, 2040948, 2058477, 2060216, 2060019 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2021-47063", "url": "https://ubuntu.com/security/CVE-2021-47063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block", "cve_priority": "medium", "cve_public_date": "2024-02-29 23:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2021-47070", "url": "https://ubuntu.com/security/CVE-2021-47070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function.", "cve_priority": "medium", "cve_public_date": "2024-03-01 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "log": [ "", " * focal/linux-kvm: 5.4.0-1114.121 -proposed tracker (LP: #2063801)", "", " [ Ubuntu: 5.4.0-186.206 ]", "", " * focal/linux: 5.4.0-186.206 -proposed tracker (LP: #2063812)", " * Mount CIFS fails with Permission denied (LP: #2061986)", " - cifs: fix ntlmssp auth when there is no key exchange", " * USB stick can't be detected (LP: #2040948)", " - usb: Disable USB3 LPM at shutdown", " * CVE-2024-26733", " - net: dev: Convert sa_data to flexible array in struct sockaddr", " - arp: Prevent overflow in arp_req_get().", " - stddef: Introduce DECLARE_FLEX_ARRAY() helper", " * CVE-2024-26712", " - powerpc/kasan: Fix addr error caused by page alignment", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", " * CVE-2021-47063", " - drm: bridge/panel: Cleanup connector on bridge detach", " * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. (LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", " * CVE-2024-26614", " - tcp: make sure init the accept_queue's spinlocks once", " - ipv6: init the accept_queue's spinlocks in inet6_create", " * Focal update: v5.4.271 upstream stable release (LP: #2060216)", " - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", " - net: ip_tunnel: prevent perpetual headroom growth", " - tun: Fix xdp_rxq_info's queue_index when detaching", " - ipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()", " - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is", " detected", " - net: usb: dm9601: fix wrong return value in dm9601_mdio_read", " - Bluetooth: Avoid potential use-after-free in hci_error_reset", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", " - Bluetooth: Enforce validation on max value of connection interval", " - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()", " - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back", " - efi/capsule-loader: fix incorrect allocation size", " - power: supply: bq27xxx-i2c: Do not free non existing IRQ", " - ALSA: Drop leftover snd-rtctimer stuff from Makefile", " - afs: Fix endless loop in directory parsing", " - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", " - wifi: nl80211: reject iftype change with mesh ID change", " - btrfs: dev-replace: properly validate device names", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " - dmaengine: fsl-qdma: init irq after reg initialization", " - mmc: core: Fix eMMC initialization with 1-bit bus connection", " - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers", " - cachefiles: fix memory leak in cachefiles_add_cache()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - gpio: 74x164: Enable output pins after registers are reset", " - Linux 5.4.271", " * Focal update: v5.4.270 upstream stable release (LP: #2060019)", " - KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()", " - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler", " - net/sched: Retire CBQ qdisc", " - [Config] updateconfigs for NET_SCH_CBQ", " - net/sched: Retire ATM qdisc", " - [Config] updateconfigs for NET_SCH_ATM", " - net/sched: Retire dsmark qdisc", " - [Config] updateconfigs for NET_SCH_DSMARK", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - memcg: add refcnt for pcpu stock to avoid UAF problem in drain_all_stock()", " - nilfs2: replace WARN_ONs for invalid DAT metadata block requests", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - sched/rt: Fix sysctl_sched_rr_timeslice intial value", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " - scsi: target: core: Add TMF to tmr_list handling", " - dmaengine: shdma: increase size of 'dev_id'", " - dmaengine: fsl-qdma: increase size of 'irq_name'", " - wifi: cfg80211: fix missing interfaces when dumping", " - wifi: mac80211: fix race condition on enabling fast-xmit", " - fbdev: savage: Error out if pixclock equals zero", " - fbdev: sis: Error out if pixclock equals zero", " - ahci: asm1166: correct count of reported ports", " - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers", " - ext4: avoid allocating blocks from corrupted group in", " ext4_mb_try_best_found()", " - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", " - regulator: pwm-regulator: Add validity checks in continuous .get_voltage", " - nvmet-tcp: fix nvme tcp ida memory leak", " - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616", " - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in", " sctp_new", " - nvmet-fc: abort command when there is no binding", " - hwmon: (coretemp) Enlarge per package core count limit", " - scsi: lpfc: Use unsigned type for num_sge", " - firewire: core: send bus reset promptly on gap count error", " - virtio-blk: Ensure no requests in virtqueues before deleting vqs.", " - s390/qeth: Fix potential loss of L3-IP@ in case of network issues", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - tcp: factor out __tcp_close() helper", " - tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit", " - tcp: add annotations around sk->sk_shutdown accesses", " - pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours", " - pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups", " - spi: mt7621: Fix an error message in mt7621_spi_probe()", " - net: bridge: clear bridge's private skb space on xmit", " - selftests/bpf: Avoid running unprivileged tests with alignment requirements", " - Revert \"drm/sun4i: dsi: Change the start delay calculation\"", " - drm/amdgpu: Check for valid number of registers to read", " - x86/alternatives: Disable KASAN in apply_alternatives()", " - dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata()", " - iomap: Set all uptodate bits for an Uptodate page", " - drm/amdgpu: Fix type of second parameter in trans_msg() callback", " - arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node", " - PCI: tegra: Fix reporting GPIO error value", " - PCI: tegra: Fix OF node reference leak", " - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error", " - dm-crypt: don't modify the data when using authenticated encryption", " - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", " - PCI/MSI: Prevent MSI hardware interrupt number truncation", " - l2tp: pass correct message length to ip6_append_data", " - ARM: ep93xx: Add terminator to gpiod_lookup_table", " - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", " - usb: cdns3: fix memory double free when handle zero packet", " - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs", " - usb: roles: don't get/set_role() when usb_role_switch is unregistered", " - IB/hfi1: Fix a memleak in init_credit_return", " - RDMA/bnxt_re: Return error for SRQ resize", " - RDMA/srpt: Make debug output more detailed", " - RDMA/srpt: fix function pointer cast warnings", " - scripts/bpf: teach bpf_helpers_doc.py to dump BPF helper definitions", " - bpf, scripts: Correct GPL license name", " - scsi: jazz_esp: Only build if SCSI core is builtin", " - nouveau: fix function cast warnings", " - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid", " - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid", " - afs: Increase buffer size in afs_update_volume_status()", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", " - packet: move from strlcpy with unused retval to strscpy", " - s390: use the correct count for __iowrite64_copy()", " - tls: rx: jump to a more appropriate label", " - tls: rx: drop pointless else after goto", " - tls: stop recv() if initial process_rx_list gave us non-DATA", " - netfilter: nf_tables: set dormant flag on hook register failure", " - drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3", " - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set", " - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", " - scripts/bpf: Fix xdp_md forward declaration typo", " - Linux 5.4.270", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", " * CVE-2021-47070", " - uio: uio_hv_generic: use devm_kzalloc() for private data alloc", " - uio_hv_generic: Fix another memory leak in error handling paths", " * CVE-2024-26622", " - tomoyo: fix UAF write bug in tomoyo_write_control()", "" ], "package": "linux-kvm", "version": "5.4.0-1114.121", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2063801, 2063812, 2061986, 2040948, 2058477, 2060216, 2060019 ], "author": "Thibault Ferrante ", "date": "Tue, 21 May 2024 10:17:56 +0200" } ], "notes": "linux-modules-5.4.0-1114-kvm version '5.4.0-1114.121' (source package linux-kvm version '5.4.0-1114.121') was added. linux-modules-5.4.0-1114-kvm version '5.4.0-1114.121' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1113-kvm. As such we can use the source package version of the removed package, '5.4.0-1113.120', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.4.0-1113-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1113.120", "version": "5.4.0-1113.120" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.4.0-1113-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.4.0-1113.120", "version": "5.4.0-1113.120" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-kvm-headers-5.4.0-1113", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1113.120", "version": "5.4.0-1113.120" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.4.0-1113-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1113.120", "version": "5.4.0-1113.120" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 20.04 focal image from release image serial 20240606 to 20240613", "from_series": "focal", "to_series": "focal", "from_serial": "20240606", "to_serial": "20240613", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }