d5fdb47...
by
Edward Adam Davis <email address hidden>
jfs: fix uaf in jfs_evict_inode
When the execution of diMount(ipimap) fails, the object ipimap that has been
released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs
when rcu_core() calls jfs_free_node().
Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as
ipimap.
Reported-and-tested-by: <email address hidden>
Signed-off-by: Edward Adam Davis <email address hidden>
Signed-off-by: Dave Kleikamp <email address hidden>
CVE-2023-52600
(cherry picked from commit e0e1958f4c365e380b17ccb35617345b31ef7bf3)
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
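The ordering described in the commit above, as an added user-space model (not JFS or kernel code): the names sbi->ipimap, diMount and the asynchronous release follow the commit message, but the structs, the failure flag and the helper functions are stand-ins assumed for illustration. It shows why publishing the map in sbi before diMount() is known to have succeeded leaves a dangling pointer for the later teardown to follow, and why assigning it only after success does not.

```c
/* Added example: user-space model of the ordering bug, not JFS code.
 * jfs_sb_info / ipimap / di_mount / release_ipimap are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct ipimap {
    int mounted;
};

struct jfs_sb_info {
    struct ipimap *ipimap;   /* followed later by evict/teardown (diFreeSpecial in JFS) */
};

/* Stand-in for diMount(): fails when asked to, so the error path can be exercised. */
static int di_mount(struct ipimap *map, bool fail)
{
    if (fail)
        return -1;
    map->mounted = 1;
    return 0;
}

/* Stand-in for the release that jfs_free_node() performs asynchronously via RCU. */
static void release_ipimap(struct ipimap *map)
{
    free(map);
}

/* Buggy ordering: the map is published in sbi before di_mount() is checked.
 * On failure it is released, but sbi->ipimap still points at the freed
 * object, so a later teardown through sbi->ipimap is a use-after-free. */
static int mount_buggy(struct jfs_sb_info *sbi, bool fail)
{
    struct ipimap *map = calloc(1, sizeof(*map));
    if (!map)
        return -1;

    sbi->ipimap = map;                 /* published too early */
    if (di_mount(map, fail) != 0) {
        release_ipimap(map);           /* sbi->ipimap now dangles */
        return -1;
    }
    return 0;
}

/* Fixed ordering: publish only after di_mount() succeeds. On failure
 * sbi->ipimap stays NULL, so nothing can reach the released object. */
static int mount_fixed(struct jfs_sb_info *sbi, bool fail)
{
    struct ipimap *map = calloc(1, sizeof(*map));
    if (!map)
        return -1;

    if (di_mount(map, fail) != 0) {
        release_ipimap(map);
        return -1;
    }
    sbi->ipimap = map;                 /* only a successfully mounted map is reachable */
    return 0;
}

/* Returns 1 if, after a forced di_mount() failure, the superblock still
 * holds a pointer that teardown would follow (i.e. a dangling pointer). */
static int leaves_dangling_pointer(int (*mount_fn)(struct jfs_sb_info *, bool))
{
    struct jfs_sb_info sbi = { .ipimap = NULL };
    if (mount_fn(&sbi, true) == 0)
        return -1;                     /* the forced failure was expected */
    return sbi.ipimap != NULL;
}

/* Returns 1 if the fixed ordering still publishes the map on success. */
static int fixed_success_publishes_map(void)
{
    struct jfs_sb_info sbi = { .ipimap = NULL };
    if (mount_fixed(&sbi, false) != 0)
        return 0;
    int ok = sbi.ipimap != NULL && sbi.ipimap->mounted == 1;
    release_ipimap(sbi.ipimap);
    return ok;
}
```

The model only records whether the pointer is left behind; it never dereferences freed memory. In the kernel the dereference happens in the asynchronous RCU path described above, which is why the only safe fix is to keep the failed object unreachable from sbi.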
6886d89...
by
Osama Muhammad <email address hidden>
The issue is caused when the value of fsi becomes less than -1.
The check to break the loop when the fsi value becomes -1 is present,
but syzbot was able to produce a value less than -1, which causes the error.
This patch simply adds the change for values less than 0.
CVE-2023-52603
Signed-off-by: Manuel Diewald <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
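The sentinel problem described in the commit above, as an added example that is not JFS code: a walk over a chain of slots whose "next" index comes from disk and is terminated by -1. The slot layout, the NSLOTS size and the function names are assumptions for illustration. The original check (stop only on exactly -1) lets a corrupted next of -2 reach the array index; the fixed check (stop on any negative value) ends the walk cleanly. The example goes slightly beyond the patch by also guarding the upper bound and detecting cycles, so that the demonstration itself never reads out of range.

```c
/* Added example, not JFS code: walking an on-disk free-slot chain whose
 * terminator is -1. Slot contents are untrusted (they come from disk). */
#include <stdint.h>
#include <stddef.h>

#define NSLOTS 8

struct slot {
    int8_t next;    /* index of the next free slot, -1 terminates the chain */
};

/* Return values:
 *   >= 0  number of free slots in the chain
 *   -1    the walk would have dereferenced an out-of-range index
 *         (what UBSAN reported in the original code)
 *   -2    the chain loops (corrupted on-disk data)
 * 'strict' selects the termination test: the fixed (fsi < 0) form when
 * non-zero, the original (fsi == -1) form when zero. */
static int count_free_slots(const struct slot *slots, int fsi, int strict)
{
    int count = 0;
    for (;;) {
        if (strict ? (fsi < 0) : (fsi == -1))
            break;
        /* Guard added for the example: the real code would index here. */
        if (fsi < 0 || fsi >= NSLOTS)
            return -1;
        if (++count > NSLOTS)
            return -2;
        fsi = slots[fsi].next;
    }
    return count;
}

/* Constructed sample data (not from any real filesystem image). */
static const struct slot good_chain[NSLOTS] = {
    [0] = { .next = 3 }, [3] = { .next = 5 }, [5] = { .next = -1 },
};

/* Same chain, but the last link is corrupted to -2 instead of -1. */
static const struct slot corrupt_chain[NSLOTS] = {
    [0] = { .next = 3 }, [3] = { .next = -2 },
};

/* A chain that loops back on itself. */
static const struct slot looping_chain[NSLOTS] = {
    [0] = { .next = 1 }, [1] = { .next = 0 },
};

static int walk_good(int strict)    { return count_free_slots(good_chain, 0, strict); }
static int walk_corrupt(int strict) { return count_free_slots(corrupt_chain, 0, strict); }
static int walk_looping(int strict) { return count_free_slots(looping_chain, 0, strict); }
```

With the original test the corrupted chain returns -1 (the out-of-range access), while the fixed test stops after the two valid slots. Both forms still need the cycle guard, which the patch does not address.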
d2a8df2...
by
Pablo Neira Ayuso <email address hidden>
netfilter: nft_set_rbtree: skip end interval element from gc
rbtree lazy gc on insert might collect an end interval element that has
just been added in this transaction; skip end interval elements that
are not yet active.
For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.
Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with "R7 pointer arithmetic
on flow_keys prohibited".
The following case can cause a crash due to missing attach_btf:
1) load rawtp program
2) load fentry program with rawtp as target_fd
3) create tracing link for fentry program with target_fd = 0
4) repeat 3
In the end we have:
- prog->aux->dst_trampoline == NULL
- tgt_prog == NULL (because we did not provide target_fd to link_create)
- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
- the program was loaded for tgt_prog but we have no way to find out which one
On newer hardware, a queue's RB status / write pointer
can be bigger than 4095 (0xFFF), so we cannot mask the
value by 0xFFF unconditionally. Since anyway that's
only necessary on older hardware, move the masking to
the helper function and apply it only for older HW.
This also moves the endian conversion in to handle it
more easily.