{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.4.0-182", "linux-headers-5.4.0-182-generic-lpae", "linux-image-5.4.0-182-generic-lpae", "linux-modules-5.4.0-182-generic-lpae" ], "removed": [ "linux-headers-5.4.0-177", "linux-headers-5.4.0-177-generic-lpae", "linux-image-5.4.0-177-generic-lpae", "linux-modules-5.4.0-177-generic-lpae" ], "diff": [ "libglib2.0-0:armhf", "libglib2.0-bin", "libglib2.0-data", "linux-generic-lpae", "linux-headers-generic-lpae", "linux-image-generic-lpae", "snapd", "ubuntu-advantage-tools", "ubuntu-pro-client", "ubuntu-pro-client-l10n" ] } }, "diff": { "deb": [ { "name": "libglib2.0-0:armhf", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.64.6-1~ubuntu20.04.6", "version": "2.64.6-1~ubuntu20.04.6" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.64.6-1~ubuntu20.04.7", "version": "2.64.6-1~ubuntu20.04.7" }, "cves": [ { "cve": "CVE-2024-34397", "url": "https://ubuntu.com/security/CVE-2024-34397", "cve_description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", "cve_priority": "medium", "cve_public_date": "2024-05-07 18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-34397", "url": "https://ubuntu.com/security/CVE-2024-34397", "cve_description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", "cve_priority": "medium", "cve_public_date": "2024-05-07 18:15:00 UTC" } ], "log": [ "", " [ Marco Trevisan (Treviño) ]", " * debian/patches: Backport patches to handle CVE-2024-34397", "", " [ Marc Deslauriers ]", " * debian/patches/CVE-2024-34397/gdbusconnection-regression.patch: fix", " ibus regression.", "" ], "package": "glib2.0", "version": "2.64.6-1~ubuntu20.04.7", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 08 May 2024 13:30:11 -0400" } ], "notes": null }, { "name": "libglib2.0-bin", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.64.6-1~ubuntu20.04.6", "version": "2.64.6-1~ubuntu20.04.6" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.64.6-1~ubuntu20.04.7", "version": "2.64.6-1~ubuntu20.04.7" }, "cves": [ { "cve": "CVE-2024-34397", "url": "https://ubuntu.com/security/CVE-2024-34397", "cve_description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", "cve_priority": "medium", "cve_public_date": "2024-05-07 18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-34397", "url": "https://ubuntu.com/security/CVE-2024-34397", "cve_description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", "cve_priority": "medium", "cve_public_date": "2024-05-07 18:15:00 UTC" } ], "log": [ "", " [ Marco Trevisan (Treviño) ]", " * debian/patches: Backport patches to handle CVE-2024-34397", "", " [ Marc Deslauriers ]", " * debian/patches/CVE-2024-34397/gdbusconnection-regression.patch: fix", " ibus regression.", "" ], "package": "glib2.0", "version": "2.64.6-1~ubuntu20.04.7", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 08 May 2024 13:30:11 -0400" } ], "notes": null }, { "name": "libglib2.0-data", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.64.6-1~ubuntu20.04.6", "version": "2.64.6-1~ubuntu20.04.6" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.64.6-1~ubuntu20.04.7", "version": "2.64.6-1~ubuntu20.04.7" }, "cves": [ { "cve": "CVE-2024-34397", "url": "https://ubuntu.com/security/CVE-2024-34397", "cve_description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", "cve_priority": "medium", "cve_public_date": "2024-05-07 18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-34397", "url": "https://ubuntu.com/security/CVE-2024-34397", "cve_description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", "cve_priority": "medium", "cve_public_date": "2024-05-07 18:15:00 UTC" } ], "log": [ "", " [ Marco Trevisan (Treviño) ]", " * debian/patches: Backport patches to handle CVE-2024-34397", "", " [ Marc Deslauriers ]", " * debian/patches/CVE-2024-34397/gdbusconnection-regression.patch: fix", " ibus regression.", "" ], "package": "glib2.0", "version": "2.64.6-1~ubuntu20.04.7", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 08 May 2024 13:30:11 -0400" } ], "notes": null }, { "name": "linux-generic-lpae", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.177.175", "version": "5.4.0.177.175" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.182.180", "version": "5.4.0.182.180" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-182", "" ], "package": "linux-meta", "version": "5.4.0.182.180", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 26 Apr 2024 14:20:49 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-181", "" ], "package": "linux-meta", "version": "5.4.0.181.179", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Thu, 28 Mar 2024 15:40:09 +0100" } ], "notes": null }, { "name": "linux-headers-generic-lpae", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.177.175", "version": "5.4.0.177.175" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.182.180", "version": "5.4.0.182.180" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-182", "" ], "package": "linux-meta", "version": "5.4.0.182.180", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 26 Apr 2024 14:20:49 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-181", "" ], "package": "linux-meta", "version": "5.4.0.181.179", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Thu, 28 Mar 2024 15:40:09 +0100" } ], "notes": null }, { "name": "linux-image-generic-lpae", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.177.175", "version": "5.4.0.177.175" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.182.180", "version": "5.4.0.182.180" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-182", "" ], "package": "linux-meta", "version": "5.4.0.182.180", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 26 Apr 2024 14:20:49 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-181", "" ], "package": "linux-meta", "version": "5.4.0.181.179", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Thu, 28 Mar 2024 15:40:09 +0100" } ], "notes": null }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.61.3+20.04", "version": "2.61.3+20.04" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.62+20.04", "version": "2.62+20.04" }, "cves": [], "launchpad_bugs_fixed": [ 2058277, 2039017 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2058277", " - Aspects based configuration schema support (experimental)", " - Refresh app awareness support for UI (experimental)", " - Support for user daemons by introducing new control switches", " --user/--system/--users for service start/stop/restart", " (experimental)", " - Add AppArmor prompting experimental flag (feature currently", " unsupported)", " - Installation of local snap components of type test", " - Packaging of components with snap pack", " - Expose experimental features supported/enabled in snapd REST API", " endpoint /v2/system-info", " - Support creating and removing recovery systems for use by factory", " reset", " - Enable API route for creating and removing recovery systems using", " /v2/systems with action create and /v2/systems/{label} with action", " remove", " - Lift requirements for fde-setup hook for single boot install", " - Enable single reboot gadget update for UC20+", " - Allow core to be removed on classic systems", " - Support for remodeling on hybrid systems", " - Install desktop files on Ubuntu Core and update after snapd", " upgrade", " - Upgrade sandbox features to account for cgroup v2 device filtering", " - Support snaps to manage their own cgroups", " - Add support for AppArmor 4.0 unconfined profile mode", " - Add AppArmor based read access to /etc/default/keyboard", " - Upgrade to squashfuse 0.5.0", " - Support useradd utility to enable removing Perl dependency for", " UC24+", " - Support for recovery-chooser to use console-conf snap", " - Add support for --uid/--gid using strace-static", " - Add support for notices (from pebble) and expose via the snapd", " REST API endpoints /v2/notices and /v2/notice", " - Add polkit authentication for snapd REST API endpoints", " /v2/snaps/{snap}/conf and /v2/apps", " - Add refresh-inhibit field to snapd REST API endpoint /v2/snaps", " - Add refresh-inhibited select query to REST API endpoint /v2/snaps", " - Take into account validation sets during remodeling", " - Improve offline remodeling to use installed revisions of snaps to", " fulfill the remodel revision requirement", " - Add rpi configuration option sdtv_mode", " - When snapd snap is not installed, pin policy ABI to 4.0 or 3.0 if", " present on host", " - Fix gadget zero-sized disk mapping caused by not ignoring zero", " sized storage traits", " - Fix gadget install case where size of existing partition was not", " correctly taken into account", " - Fix trying to unmount early kernel mount if it does not exist", " - Fix restarting mount units on snapd start", " - Fix call to udev in preseed mode", " - Fix to ensure always setting up the device cgroup for base bare", " and core24+", " - Fix not copying data from newly set homedirs on revision change", " - Fix leaving behind empty snap home directories after snap is", " removed (resulting in broken symlink)", " - Fix to avoid using libzstd from host by adding to snapd snap", " - Fix autorefresh to correctly handle forever refresh hold", " - Fix username regex allowed for system-user assertion to not allow", " '+'", " - Fix incorrect application icon for notification after autorefresh", " completion", " - Fix to restart mount units when changed", " - Fix to support AppArmor running under incus", " - Fix case of snap-update-ns dropping synthetic mounts due to", " failure to match desired mount dependencies", " - Fix parsing of base snap version to enable pre-seeding of Ubuntu", " Core Desktop", " - Fix packaging and tests for various distributions", " - Add remoteproc interface to allow developers to interact with", " Remote Processor Framework which enables snaps to load firmware to", " ARM Cortex microcontrollers", " - Add kernel-control interface to enable controlling the kernel", " firmware search path", " - Add nfs-mount interface to allow mounting of NFS shares", " - Add ros-opt-data interface to allow snaps to access the host", " /opt/ros/ paths", " - Add snap-refresh-observe interface that provides refresh-app-", " awareness clients access to relevant snapd API endpoints", " - steam-support interface: generalize Pressure Vessel root paths and", " allow access to driver information, features and container", " versions", " - steam-support interface: make implicit on Ubuntu Core Desktop", " - desktop interface: improved support for Ubuntu Core Desktop and", " limit autoconnection to implicit slots", " - cups-control interface: make autoconnect depend on presence of", " cupsd on host to ensure it works on classic systems", " - opengl interface: allow read access to /usr/share/nvidia", " - personal-files interface: extend to support automatic creation of", " missing parent directories in write paths", " - network-control interface: allow creating /run/resolveconf", " - network-setup-control and network-setup-observe interfaces: allow", " busctl bind as required for systemd 254+", " - libvirt interface: allow r/w access to /run/libvirt/libvirt-sock-", " ro and read access to /var/lib/libvirt/dnsmasq/**", " - fwupd interface: allow access to IMPI devices (including locking", " of device nodes), sysfs attributes needed by amdgpu and the COD", " capsule update directory", " - uio interface: allow configuring UIO drivers from userspace", " libraries", " - serial-port interface: add support for NXP Layerscape SoC", " - lxd-support interface: add attribute enable-unconfined-mode to", " require LXD to opt-in to run unconfined", " - block-devices interface: add support for ZFS volumes", " - system-packages-doc interface: add support for reading jquery and", " sphinx documentation", " - system-packages-doc interface: workaround to prevent autoconnect", " failure for snaps using base bare", " - microceph-support interface: allow more types of block devices to", " be added as an OSD", " - mount-observe interface: allow read access to", " /proc/{pid}/task/{tid}/mounts and proc/{pid}/task/{tid}/mountinfo", " - polkit interface: changed to not be implicit on core because", " installing policy files is not possible", " - upower-observe interface: allow stats refresh", " - gpg-public-keys interface: allow creating lock file for certain", " gpg operations", " - shutdown interface: allow access to SetRebootParameter method", " - media-control interface: allow device file locking", " - u2f-devices interface: support for Trustkey G310H, JaCarta U2F,", " Kensington VeriMark Guard, RSA DS100, Google Titan v2", "" ], "package": "snapd", "version": "2.62+20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2058277 ], "author": "Ernest Lotter ", "date": "Thu, 21 Mar 2024 22:06:09 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2039017", " - Install systemd files in correct location for 24.04", "" ], "package": "snapd", "version": "2.61.3", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2039017 ], "author": "Ernest Lotter ", "date": "Wed, 06 Mar 2024 23:18:11 +0200" } ], "notes": null }, { "name": "ubuntu-advantage-tools", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.2~20.04", "version": "31.2.2~20.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.3~20.04", "version": "31.2.3~20.04" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059952, 2059952, 2057937 ], "changes": [ { "cves": [], "log": [ "", " * Backport new upstream release to focal (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3~20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Fri, 05 Apr 2024 10:08:58 -0300" }, { "cves": [], "log": [ "", " * daemon: wait for cloud-init.service to fully activate (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Tue, 02 Apr 2024 10:13:32 -0300" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:29 +0000" }, { "cves": [], "log": [ "", " * version.py: fix internal version to match ubuntu package version (it was", " missed in the previous upload, so 31.2.1 is \"burned\" now)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Andreas Hasenack ", "date": "Sun, 24 Mar 2024 10:52:02 -0300" }, { "cves": [], "log": [ "", " * apt-news.service: ignore apparmor errors when starting (LP: #2057937)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2057937 ], "author": "Andreas Hasenack ", "date": "Tue, 19 Mar 2024 11:02:58 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.2~20.04", "version": "31.2.2~20.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.3~20.04", "version": "31.2.3~20.04" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059952, 2059952, 2057937 ], "changes": [ { "cves": [], "log": [ "", " * Backport new upstream release to focal (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3~20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Fri, 05 Apr 2024 10:08:58 -0300" }, { "cves": [], "log": [ "", " * daemon: wait for cloud-init.service to fully activate (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Tue, 02 Apr 2024 10:13:32 -0300" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:29 +0000" }, { "cves": [], "log": [ "", " * version.py: fix internal version to match ubuntu package version (it was", " missed in the previous upload, so 31.2.1 is \"burned\" now)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Andreas Hasenack ", "date": "Sun, 24 Mar 2024 10:52:02 -0300" }, { "cves": [], "log": [ "", " * apt-news.service: ignore apparmor errors when starting (LP: #2057937)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2057937 ], "author": "Andreas Hasenack ", "date": "Tue, 19 Mar 2024 11:02:58 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client-l10n", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.2~20.04", "version": "31.2.2~20.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.3~20.04", "version": "31.2.3~20.04" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059952, 2059952, 2057937 ], "changes": [ { "cves": [], "log": [ "", " * Backport new upstream release to focal (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3~20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Fri, 05 Apr 2024 10:08:58 -0300" }, { "cves": [], "log": [ "", " * daemon: wait for cloud-init.service to fully activate (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Tue, 02 Apr 2024 10:13:32 -0300" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:29 +0000" }, { "cves": [], "log": [ "", " * version.py: fix internal version to match ubuntu package version (it was", " missed in the previous upload, so 31.2.1 is \"burned\" now)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Andreas Hasenack ", "date": "Sun, 24 Mar 2024 10:52:02 -0300" }, { "cves": [], "log": [ "", " * apt-news.service: ignore apparmor errors when starting (LP: #2057937)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2057937 ], "author": "Andreas Hasenack ", "date": "Tue, 19 Mar 2024 11:02:58 -0300" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.4.0-182", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-182.202", "version": "5.4.0-182.202" }, "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2063685, 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "changes": [ { "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-182.202 -proposed tracker (LP: #2063685)", "", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", "", " * CVE-2024-26622", " - tomoyo: fix UAF write bug in tomoyo_write_control()", "", " * CVE-2024-26614", " - tcp: make sure init the accept_queue's spinlocks once", " - ipv6: init the accept_queue's spinlocks in inet6_create", "", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "" ], "package": "linux", "version": "5.4.0-182.202", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2063685 ], "author": "Stefan Bader ", "date": "Fri, 26 Apr 2024 13:36:15 +0200" }, { "cves": [ { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-181.201 -proposed tracker (LP: #2059549)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] drop getabis data", "", " * Drop fips-checks script from trees (LP: #2055083)", " - [Packaging] Remove fips-checks script", "", " * Remove getabis scripts (LP: #2059143)", " - [Packaging] Remove getabis", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948)", " - PCI: mediatek: Clear interrupt status before dispatching handler", " - include/linux/units.h: add helpers for kelvin to/from Celsius conversion", " - units: Add Watt units", " - units: change from 'L' to 'UL'", " - units: add the HZ macros", " - serial: sc16is7xx: set safe default SPI clock frequency", " - spi: introduce SPI_MODE_X_MASK macro", " - serial: sc16is7xx: add check for unsupported SPI modes during probe", " - ext4: allow for the last group to be marked as trimmed", " - crypto: api - Disallow identical driver names", " - PM: hibernate: Enforce ordering during image compression/decompression", " - hwrng: core - Fix page fault dead lock on mmap-ed hwrng", " - rpmsg: virtio: Free driver_override when rpmsg_remove()", " - parisc/firmware: Fix F-extend for PDC addresses", " - arm64: dts: qcom: sdm845: fix USB wakeup interrupt types", " - mmc: core: Use mrq.sbc in close-ended ffu", " - nouveau/vmm: don't set addr on the fail path to avoid warning", " - ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path", " - rename(): fix the locking of subdirectories", " - block: Remove special-casing of compound pages", " - mtd: spinand: macronix: Fix MX35LFxGE4AD page size", " - fs: add mode_strip_sgid() helper", " - fs: move S_ISGID stripping into the vfs_*() helpers", " - powerpc: Use always instead of always-y in for crtsavres.o", " - x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum", " - net/smc: fix illegal rmb_desc access in SMC-D connection dump", " - vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING", " - llc: make llc_ui_sendmsg() more robust against bonding changes", " - llc: Drop support for ETH_P_TR_802_2.", " - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv", " - tracing: Ensure visibility when inserting an element into tracing_map", " - afs: Hide silly-rename files from userspace", " - tcp: Add memory barrier to tcp_push()", " - netlink: fix potential sleeping issue in mqueue_flush_file", " - net/mlx5: DR, Use the right GVMI number for drop action", " - net/mlx5: Use kfree(ft->g) in arfs_create_groups()", " - net/mlx5e: fix a double-free in arfs_create_groups", " - netfilter: nf_tables: restrict anonymous set and map names to 16 bytes", " - netfilter: nf_tables: validate NFPROTO_* family", " - fjes: fix memleaks in fjes_hw_setup", " - net: fec: fix the unhandled context fault from smmu", " - btrfs: ref-verify: free ref cache before clearing mount opt", " - btrfs: tree-checker: fix inline ref size in error messages", " - btrfs: don't warn if discard range is not aligned to sector", " - btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args", " - rbd: don't move requests to the running list on errors", " - gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04", " - drm: Don't unref the same fb many times by mistake due to deadlock handling", " - drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking", " - drm/bridge: nxp-ptn3460: simplify some error checking", " - drm/exynos: fix accidental on-stack copy of exynos_drm_plane", " - drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume", " - gpio: eic-sprd: Clear interrupt after set the interrupt type", " - spi: bcm-qspi: fix SFDP BFPT read by usig mspi read", " - mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan", " - tick/sched: Preserve number of idle sleeps across CPU hotplug events", " - x86/entry/ia32: Ensure s32 is sign extended to s64", " - powerpc/mm: Fix null-pointer dereference in pgtable_cache_add", " - powerpc: Fix build error due to is_valid_bugaddr()", " - powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()", " - powerpc: pmd_move_must_withdraw() is only needed for", " CONFIG_TRANSPARENT_HUGEPAGE", " - powerpc/lib: Validate size for vector operations", " - x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel", " - perf/core: Fix narrow startup race when creating the perf nr_addr_filters", " sysfs file", " - regulator: core: Only increment use_count when enable_count changes", " - audit: Send netlink ACK before setting connection in auditd_set", " - ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop", " - PNP: ACPI: fix fortify warning", " - ACPI: extlog: fix NULL pointer dereference check", " - FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree", " - jfs: fix slab-out-of-bounds Read in dtSearch", " - jfs: fix array-index-out-of-bounds in dbAdjTree", " - pstore/ram: Fix crash when setting number of cpus to an odd number", " - crypto: stm32/crc32 - fix parsing list of devices", " - afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()", " - rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()", " - jfs: fix array-index-out-of-bounds in diNewExt", " - s390/ptrace: handle setting of fpc register correctly", " - KVM: s390: fix setting of fpc register", " - SUNRPC: Fix a suspicious RCU usage warning", " - ecryptfs: Reject casefold directory inodes", " - ext4: fix inconsistent between segment fstrim and full fstrim", " - ext4: unify the type of flexbg_size to unsigned int", " - ext4: remove unnecessary check from alloc_flex_gd()", " - ext4: avoid online resizing failures due to oversized flex bg", " - wifi: rt2x00: restart beacon queue when hardware reset", " - selftests/bpf: satisfy compiler by having explicit return in btf test", " - selftests/bpf: Fix pyperf180 compilation failure with clang18", " - scsi: lpfc: Fix possible file string name overflow when updating firmware", " - PCI: Add no PM reset quirk for NVIDIA Spectrum devices", " - bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk", " - ARM: dts: imx7d: Fix coresight funnel ports", " - ARM: dts: imx7s: Fix lcdif compatible", " - ARM: dts: imx7s: Fix nand-controller #size-cells", " - wifi: ath9k: Fix potential array-index-out-of-bounds read in", " ath9k_htc_txstatus()", " - bpf: Add map and need_defer parameters to .map_fd_put_ptr()", " - scsi: libfc: Don't schedule abort twice", " - scsi: libfc: Fix up timeout error in fc_fcp_rec_error()", " - ARM: dts: rockchip: fix rk3036 hdmi ports node", " - ARM: dts: imx25/27-eukrea: Fix RTC node name", " - ARM: dts: imx: Use flash@0,0 pattern", " - ARM: dts: imx27: Fix sram node", " - ARM: dts: imx1: Fix sram node", " - ARM: dts: imx25/27: Pass timing0", " - ARM: dts: imx27-apf27dev: Fix LED name", " - ARM: dts: imx23-sansa: Use preferred i2c-gpios properties", " - ARM: dts: imx23/28: Fix the DMA controller node name", " - block: prevent an integer overflow in bvec_try_merge_hw_page", " - md: Whenassemble the array, consult the superblock of the freshest device", " - arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property", " - arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property", " - wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices", " - wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()", " - wifi: cfg80211: free beacon_ies when overridden from hidden BSS", " - f2fs: fix to check return value of f2fs_reserve_new_block()", " - ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument", " - fast_dput(): handle underflows gracefully", " - RDMA/IPoIB: Fix error code return in ipoib_mcast_join", " - drm/drm_file: fix use of uninitialized variable", " - drm/framebuffer: Fix use of uninitialized variable", " - drm/mipi-dsi: Fix detach call without attach", " - media: stk1160: Fixed high volume of stk1160_dbg messages", " - media: rockchip: rga: fix swizzling for RGB formats", " - PCI: add INTEL_HDA_ARL to pci_ids.h", " - ALSA: hda: Intel: add HDA_ARL PCI ID support", " - drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time", " - IB/ipoib: Fix mcast list locking", " - media: ddbridge: fix an error code problem in ddb_probe", " - drm/msm/dpu: Ratelimit framedone timeout msgs", " - clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()", " - clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()", " - drm/amdgpu: Let KFD sync with VM fences", " - drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'", " - leds: trigger: panic: Don't register panic notifier if creating the trigger", " failed", " - um: Fix naming clash between UML and scheduler", " - um: Don't use vfprintf() for os_info()", " - um: net: Fix return type of uml_net_start_xmit()", " - i3c: master: cdns: Update maximum prescaler value for i2c clock", " - mfd: ti_am335x_tscadc: Fix TI SoC dependencies", " - [Config] updateconfigs for MFD_TI_AM335X_TSCADC", " - PCI: Only override AMD USB controller if required", " - PCI: switchtec: Fix stdev_release() crash after surprise hot remove", " - usb: hub: Replace hardcoded quirk value with BIT() macro", " - fs/kernfs/dir: obey S_ISGID", " - PCI/AER: Decode Requester ID when no error info found", " - libsubcmd: Fix memory leak in uniq()", " - virtio_net: Fix \"‘%d’ directive writing between 1 and 11 bytes into a region", " of size 10\" warnings", " - blk-mq: fix IO hang from sbitmap wakeup race", " - ceph: fix deadlock or deadcode of misusing dget()", " - drm/amdgpu: Release 'adev->pm.fw' before return in", " 'amdgpu_device_need_post()'", " - perf: Fix the nr_addr_filters fix", " - wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update", " - scsi: isci: Fix an error code problem in isci_io_request_build()", " - net: remove unneeded break", " - ixgbe: Remove non-inclusive language", " - ixgbe: Refactor returning internal error codes", " - ixgbe: Refactor overtemp event handling", " - ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()", " - ipv6: Ensure natural alignment of const ipv6 loopback and router addresses", " - llc: call sock_orphan() at release time", " - netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger", " - netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom", " expectations", " - net: ipv4: fix a memleak in ip_setup_cork", " - af_unix: fix lockdep positive in sk_diag_dump_icons()", " - SAUCE: Sync apparmor copy of af_unix.c", " - net: sysfs: Fix /sys/class/net/ path", " - HID: apple: Add support for the 2021 Magic Keyboard", " - HID: apple: Swap the Fn and Left Control keys on Apple keyboards", " - HID: apple: Add 2021 magic keyboard FN key mapping", " - bonding: remove print in bond_verify_device_path", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - selftests: net: avoid just another constant wait", " - atm: idt77252: fix a memleak in open_card_ubr0", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - ppp_async: limit MRU to 64K", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - netfilter: nft_ct: reject direction for ct id", " - net/af_iucv: clean up a try_then_request_module()", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - hrtimer: Report offline hrtimer enqueue", " - Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " - net: stmmac: xgmac: use #define for string constants", " - net: stmmac: xgmac: fix a typo of register name in DPP safety handling", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - of: unittest: add overlay gpio test to catch gpio hog problem", " - of: unittest: Fix compile in the non-dynamic case", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - i2c: i801: Remove i801_set_block_buffer_mode", " - i2c: i801: Fix block process call transactions", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - xen-netback: properly sync TX responses", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: fix double-free of blocks due to wrong extents moved_len", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"", " - bus: moxtet: Add spi device table", " - arch, mm: remove stale mentions of DISCONIGMEM", " - mips: Fix max_mapnr being uninitialized on early stages", " - KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache", " - netfilter: ipset: fix performance regression in swap operation", " - netfilter: ipset: Missing gc cancellations fixed", " - net: prevent mss overflow in skb_segment()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - nilfs2: fix potential bug in end_buffer_async_write", " - PM: runtime: add devm_pm_runtime_enable helper", " - PM: runtime: Have devm_pm_runtime_enable() handle", " pm_runtime_dont_use_autosuspend()", " - drm/msm/dsi: Enable runtime PM", " - lsm: new security_file_ioctl_compat() hook", " - Revert \"Revert \"mtd: rawnand: gpmi: Fix setting busy timeout setting\"\"", " - net: bcmgenet: Fix EEE implementation", " - of: unittest: fix EXPECT text for gpio hog errors", " - of: gpio unittest kfree() wrong object", " - Linux 5.4.269", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948) //", " CVE-2023-52603", " - UBSAN: array-index-out-of-bounds in dtSplitRoot", "", " * CVE-2023-52600", " - jfs: fix uaf in jfs_evict_inode", "", " * CVE-2023-24023", " - Bluetooth: Add more enc key size check", "", " * CVE-2024-26581", " - netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure", " - netfilter: nft_set_rbtree: skip end interval element from gc", "", " * CVE-2024-26589", " - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "" ], "package": "linux", "version": "5.4.0-181.201", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "author": "Roxana Nicolescu ", "date": "Thu, 28 Mar 2024 15:36:38 +0100" } ], "notes": "linux-headers-5.4.0-182 version '5.4.0-182.202' (source package linux version '5.4.0-182.202') was added. linux-headers-5.4.0-182 version '5.4.0-182.202' has the same source package name, linux, as removed package linux-headers-5.4.0-177. As such we can use the source package version of the removed package, '5.4.0-177.197', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.4.0-182-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-182.202", "version": "5.4.0-182.202" }, "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2063685, 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "changes": [ { "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-182.202 -proposed tracker (LP: #2063685)", "", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", "", " * CVE-2024-26622", " - tomoyo: fix UAF write bug in tomoyo_write_control()", "", " * CVE-2024-26614", " - tcp: make sure init the accept_queue's spinlocks once", " - ipv6: init the accept_queue's spinlocks in inet6_create", "", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "" ], "package": "linux", "version": "5.4.0-182.202", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2063685 ], "author": "Stefan Bader ", "date": "Fri, 26 Apr 2024 13:36:15 +0200" }, { "cves": [ { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-181.201 -proposed tracker (LP: #2059549)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] drop getabis data", "", " * Drop fips-checks script from trees (LP: #2055083)", " - [Packaging] Remove fips-checks script", "", " * Remove getabis scripts (LP: #2059143)", " - [Packaging] Remove getabis", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948)", " - PCI: mediatek: Clear interrupt status before dispatching handler", " - include/linux/units.h: add helpers for kelvin to/from Celsius conversion", " - units: Add Watt units", " - units: change from 'L' to 'UL'", " - units: add the HZ macros", " - serial: sc16is7xx: set safe default SPI clock frequency", " - spi: introduce SPI_MODE_X_MASK macro", " - serial: sc16is7xx: add check for unsupported SPI modes during probe", " - ext4: allow for the last group to be marked as trimmed", " - crypto: api - Disallow identical driver names", " - PM: hibernate: Enforce ordering during image compression/decompression", " - hwrng: core - Fix page fault dead lock on mmap-ed hwrng", " - rpmsg: virtio: Free driver_override when rpmsg_remove()", " - parisc/firmware: Fix F-extend for PDC addresses", " - arm64: dts: qcom: sdm845: fix USB wakeup interrupt types", " - mmc: core: Use mrq.sbc in close-ended ffu", " - nouveau/vmm: don't set addr on the fail path to avoid warning", " - ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path", " - rename(): fix the locking of subdirectories", " - block: Remove special-casing of compound pages", " - mtd: spinand: macronix: Fix MX35LFxGE4AD page size", " - fs: add mode_strip_sgid() helper", " - fs: move S_ISGID stripping into the vfs_*() helpers", " - powerpc: Use always instead of always-y in for crtsavres.o", " - x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum", " - net/smc: fix illegal rmb_desc access in SMC-D connection dump", " - vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING", " - llc: make llc_ui_sendmsg() more robust against bonding changes", " - llc: Drop support for ETH_P_TR_802_2.", " - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv", " - tracing: Ensure visibility when inserting an element into tracing_map", " - afs: Hide silly-rename files from userspace", " - tcp: Add memory barrier to tcp_push()", " - netlink: fix potential sleeping issue in mqueue_flush_file", " - net/mlx5: DR, Use the right GVMI number for drop action", " - net/mlx5: Use kfree(ft->g) in arfs_create_groups()", " - net/mlx5e: fix a double-free in arfs_create_groups", " - netfilter: nf_tables: restrict anonymous set and map names to 16 bytes", " - netfilter: nf_tables: validate NFPROTO_* family", " - fjes: fix memleaks in fjes_hw_setup", " - net: fec: fix the unhandled context fault from smmu", " - btrfs: ref-verify: free ref cache before clearing mount opt", " - btrfs: tree-checker: fix inline ref size in error messages", " - btrfs: don't warn if discard range is not aligned to sector", " - btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args", " - rbd: don't move requests to the running list on errors", " - gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04", " - drm: Don't unref the same fb many times by mistake due to deadlock handling", " - drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking", " - drm/bridge: nxp-ptn3460: simplify some error checking", " - drm/exynos: fix accidental on-stack copy of exynos_drm_plane", " - drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume", " - gpio: eic-sprd: Clear interrupt after set the interrupt type", " - spi: bcm-qspi: fix SFDP BFPT read by usig mspi read", " - mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan", " - tick/sched: Preserve number of idle sleeps across CPU hotplug events", " - x86/entry/ia32: Ensure s32 is sign extended to s64", " - powerpc/mm: Fix null-pointer dereference in pgtable_cache_add", " - powerpc: Fix build error due to is_valid_bugaddr()", " - powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()", " - powerpc: pmd_move_must_withdraw() is only needed for", " CONFIG_TRANSPARENT_HUGEPAGE", " - powerpc/lib: Validate size for vector operations", " - x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel", " - perf/core: Fix narrow startup race when creating the perf nr_addr_filters", " sysfs file", " - regulator: core: Only increment use_count when enable_count changes", " - audit: Send netlink ACK before setting connection in auditd_set", " - ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop", " - PNP: ACPI: fix fortify warning", " - ACPI: extlog: fix NULL pointer dereference check", " - FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree", " - jfs: fix slab-out-of-bounds Read in dtSearch", " - jfs: fix array-index-out-of-bounds in dbAdjTree", " - pstore/ram: Fix crash when setting number of cpus to an odd number", " - crypto: stm32/crc32 - fix parsing list of devices", " - afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()", " - rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()", " - jfs: fix array-index-out-of-bounds in diNewExt", " - s390/ptrace: handle setting of fpc register correctly", " - KVM: s390: fix setting of fpc register", " - SUNRPC: Fix a suspicious RCU usage warning", " - ecryptfs: Reject casefold directory inodes", " - ext4: fix inconsistent between segment fstrim and full fstrim", " - ext4: unify the type of flexbg_size to unsigned int", " - ext4: remove unnecessary check from alloc_flex_gd()", " - ext4: avoid online resizing failures due to oversized flex bg", " - wifi: rt2x00: restart beacon queue when hardware reset", " - selftests/bpf: satisfy compiler by having explicit return in btf test", " - selftests/bpf: Fix pyperf180 compilation failure with clang18", " - scsi: lpfc: Fix possible file string name overflow when updating firmware", " - PCI: Add no PM reset quirk for NVIDIA Spectrum devices", " - bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk", " - ARM: dts: imx7d: Fix coresight funnel ports", " - ARM: dts: imx7s: Fix lcdif compatible", " - ARM: dts: imx7s: Fix nand-controller #size-cells", " - wifi: ath9k: Fix potential array-index-out-of-bounds read in", " ath9k_htc_txstatus()", " - bpf: Add map and need_defer parameters to .map_fd_put_ptr()", " - scsi: libfc: Don't schedule abort twice", " - scsi: libfc: Fix up timeout error in fc_fcp_rec_error()", " - ARM: dts: rockchip: fix rk3036 hdmi ports node", " - ARM: dts: imx25/27-eukrea: Fix RTC node name", " - ARM: dts: imx: Use flash@0,0 pattern", " - ARM: dts: imx27: Fix sram node", " - ARM: dts: imx1: Fix sram node", " - ARM: dts: imx25/27: Pass timing0", " - ARM: dts: imx27-apf27dev: Fix LED name", " - ARM: dts: imx23-sansa: Use preferred i2c-gpios properties", " - ARM: dts: imx23/28: Fix the DMA controller node name", " - block: prevent an integer overflow in bvec_try_merge_hw_page", " - md: Whenassemble the array, consult the superblock of the freshest device", " - arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property", " - arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property", " - wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices", " - wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()", " - wifi: cfg80211: free beacon_ies when overridden from hidden BSS", " - f2fs: fix to check return value of f2fs_reserve_new_block()", " - ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument", " - fast_dput(): handle underflows gracefully", " - RDMA/IPoIB: Fix error code return in ipoib_mcast_join", " - drm/drm_file: fix use of uninitialized variable", " - drm/framebuffer: Fix use of uninitialized variable", " - drm/mipi-dsi: Fix detach call without attach", " - media: stk1160: Fixed high volume of stk1160_dbg messages", " - media: rockchip: rga: fix swizzling for RGB formats", " - PCI: add INTEL_HDA_ARL to pci_ids.h", " - ALSA: hda: Intel: add HDA_ARL PCI ID support", " - drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time", " - IB/ipoib: Fix mcast list locking", " - media: ddbridge: fix an error code problem in ddb_probe", " - drm/msm/dpu: Ratelimit framedone timeout msgs", " - clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()", " - clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()", " - drm/amdgpu: Let KFD sync with VM fences", " - drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'", " - leds: trigger: panic: Don't register panic notifier if creating the trigger", " failed", " - um: Fix naming clash between UML and scheduler", " - um: Don't use vfprintf() for os_info()", " - um: net: Fix return type of uml_net_start_xmit()", " - i3c: master: cdns: Update maximum prescaler value for i2c clock", " - mfd: ti_am335x_tscadc: Fix TI SoC dependencies", " - [Config] updateconfigs for MFD_TI_AM335X_TSCADC", " - PCI: Only override AMD USB controller if required", " - PCI: switchtec: Fix stdev_release() crash after surprise hot remove", " - usb: hub: Replace hardcoded quirk value with BIT() macro", " - fs/kernfs/dir: obey S_ISGID", " - PCI/AER: Decode Requester ID when no error info found", " - libsubcmd: Fix memory leak in uniq()", " - virtio_net: Fix \"‘%d’ directive writing between 1 and 11 bytes into a region", " of size 10\" warnings", " - blk-mq: fix IO hang from sbitmap wakeup race", " - ceph: fix deadlock or deadcode of misusing dget()", " - drm/amdgpu: Release 'adev->pm.fw' before return in", " 'amdgpu_device_need_post()'", " - perf: Fix the nr_addr_filters fix", " - wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update", " - scsi: isci: Fix an error code problem in isci_io_request_build()", " - net: remove unneeded break", " - ixgbe: Remove non-inclusive language", " - ixgbe: Refactor returning internal error codes", " - ixgbe: Refactor overtemp event handling", " - ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()", " - ipv6: Ensure natural alignment of const ipv6 loopback and router addresses", " - llc: call sock_orphan() at release time", " - netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger", " - netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom", " expectations", " - net: ipv4: fix a memleak in ip_setup_cork", " - af_unix: fix lockdep positive in sk_diag_dump_icons()", " - SAUCE: Sync apparmor copy of af_unix.c", " - net: sysfs: Fix /sys/class/net/ path", " - HID: apple: Add support for the 2021 Magic Keyboard", " - HID: apple: Swap the Fn and Left Control keys on Apple keyboards", " - HID: apple: Add 2021 magic keyboard FN key mapping", " - bonding: remove print in bond_verify_device_path", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - selftests: net: avoid just another constant wait", " - atm: idt77252: fix a memleak in open_card_ubr0", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - ppp_async: limit MRU to 64K", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - netfilter: nft_ct: reject direction for ct id", " - net/af_iucv: clean up a try_then_request_module()", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - hrtimer: Report offline hrtimer enqueue", " - Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " - net: stmmac: xgmac: use #define for string constants", " - net: stmmac: xgmac: fix a typo of register name in DPP safety handling", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - of: unittest: add overlay gpio test to catch gpio hog problem", " - of: unittest: Fix compile in the non-dynamic case", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - i2c: i801: Remove i801_set_block_buffer_mode", " - i2c: i801: Fix block process call transactions", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - xen-netback: properly sync TX responses", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: fix double-free of blocks due to wrong extents moved_len", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"", " - bus: moxtet: Add spi device table", " - arch, mm: remove stale mentions of DISCONIGMEM", " - mips: Fix max_mapnr being uninitialized on early stages", " - KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache", " - netfilter: ipset: fix performance regression in swap operation", " - netfilter: ipset: Missing gc cancellations fixed", " - net: prevent mss overflow in skb_segment()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - nilfs2: fix potential bug in end_buffer_async_write", " - PM: runtime: add devm_pm_runtime_enable helper", " - PM: runtime: Have devm_pm_runtime_enable() handle", " pm_runtime_dont_use_autosuspend()", " - drm/msm/dsi: Enable runtime PM", " - lsm: new security_file_ioctl_compat() hook", " - Revert \"Revert \"mtd: rawnand: gpmi: Fix setting busy timeout setting\"\"", " - net: bcmgenet: Fix EEE implementation", " - of: unittest: fix EXPECT text for gpio hog errors", " - of: gpio unittest kfree() wrong object", " - Linux 5.4.269", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948) //", " CVE-2023-52603", " - UBSAN: array-index-out-of-bounds in dtSplitRoot", "", " * CVE-2023-52600", " - jfs: fix uaf in jfs_evict_inode", "", " * CVE-2023-24023", " - Bluetooth: Add more enc key size check", "", " * CVE-2024-26581", " - netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure", " - netfilter: nft_set_rbtree: skip end interval element from gc", "", " * CVE-2024-26589", " - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "" ], "package": "linux", "version": "5.4.0-181.201", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "author": "Roxana Nicolescu ", "date": "Thu, 28 Mar 2024 15:36:38 +0100" } ], "notes": "linux-headers-5.4.0-182-generic-lpae version '5.4.0-182.202' (source package linux version '5.4.0-182.202') was added. linux-headers-5.4.0-182-generic-lpae version '5.4.0-182.202' has the same source package name, linux, as removed package linux-headers-5.4.0-177. As such we can use the source package version of the removed package, '5.4.0-177.197', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.4.0-182-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-182.202", "version": "5.4.0-182.202" }, "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2063685, 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "changes": [ { "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-182.202 -proposed tracker (LP: #2063685)", "", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", "", " * CVE-2024-26622", " - tomoyo: fix UAF write bug in tomoyo_write_control()", "", " * CVE-2024-26614", " - tcp: make sure init the accept_queue's spinlocks once", " - ipv6: init the accept_queue's spinlocks in inet6_create", "", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "" ], "package": "linux", "version": "5.4.0-182.202", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2063685 ], "author": "Stefan Bader ", "date": "Fri, 26 Apr 2024 13:36:15 +0200" }, { "cves": [ { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-181.201 -proposed tracker (LP: #2059549)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] drop getabis data", "", " * Drop fips-checks script from trees (LP: #2055083)", " - [Packaging] Remove fips-checks script", "", " * Remove getabis scripts (LP: #2059143)", " - [Packaging] Remove getabis", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948)", " - PCI: mediatek: Clear interrupt status before dispatching handler", " - include/linux/units.h: add helpers for kelvin to/from Celsius conversion", " - units: Add Watt units", " - units: change from 'L' to 'UL'", " - units: add the HZ macros", " - serial: sc16is7xx: set safe default SPI clock frequency", " - spi: introduce SPI_MODE_X_MASK macro", " - serial: sc16is7xx: add check for unsupported SPI modes during probe", " - ext4: allow for the last group to be marked as trimmed", " - crypto: api - Disallow identical driver names", " - PM: hibernate: Enforce ordering during image compression/decompression", " - hwrng: core - Fix page fault dead lock on mmap-ed hwrng", " - rpmsg: virtio: Free driver_override when rpmsg_remove()", " - parisc/firmware: Fix F-extend for PDC addresses", " - arm64: dts: qcom: sdm845: fix USB wakeup interrupt types", " - mmc: core: Use mrq.sbc in close-ended ffu", " - nouveau/vmm: don't set addr on the fail path to avoid warning", " - ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path", " - rename(): fix the locking of subdirectories", " - block: Remove special-casing of compound pages", " - mtd: spinand: macronix: Fix MX35LFxGE4AD page size", " - fs: add mode_strip_sgid() helper", " - fs: move S_ISGID stripping into the vfs_*() helpers", " - powerpc: Use always instead of always-y in for crtsavres.o", " - x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum", " - net/smc: fix illegal rmb_desc access in SMC-D connection dump", " - vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING", " - llc: make llc_ui_sendmsg() more robust against bonding changes", " - llc: Drop support for ETH_P_TR_802_2.", " - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv", " - tracing: Ensure visibility when inserting an element into tracing_map", " - afs: Hide silly-rename files from userspace", " - tcp: Add memory barrier to tcp_push()", " - netlink: fix potential sleeping issue in mqueue_flush_file", " - net/mlx5: DR, Use the right GVMI number for drop action", " - net/mlx5: Use kfree(ft->g) in arfs_create_groups()", " - net/mlx5e: fix a double-free in arfs_create_groups", " - netfilter: nf_tables: restrict anonymous set and map names to 16 bytes", " - netfilter: nf_tables: validate NFPROTO_* family", " - fjes: fix memleaks in fjes_hw_setup", " - net: fec: fix the unhandled context fault from smmu", " - btrfs: ref-verify: free ref cache before clearing mount opt", " - btrfs: tree-checker: fix inline ref size in error messages", " - btrfs: don't warn if discard range is not aligned to sector", " - btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args", " - rbd: don't move requests to the running list on errors", " - gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04", " - drm: Don't unref the same fb many times by mistake due to deadlock handling", " - drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking", " - drm/bridge: nxp-ptn3460: simplify some error checking", " - drm/exynos: fix accidental on-stack copy of exynos_drm_plane", " - drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume", " - gpio: eic-sprd: Clear interrupt after set the interrupt type", " - spi: bcm-qspi: fix SFDP BFPT read by usig mspi read", " - mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan", " - tick/sched: Preserve number of idle sleeps across CPU hotplug events", " - x86/entry/ia32: Ensure s32 is sign extended to s64", " - powerpc/mm: Fix null-pointer dereference in pgtable_cache_add", " - powerpc: Fix build error due to is_valid_bugaddr()", " - powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()", " - powerpc: pmd_move_must_withdraw() is only needed for", " CONFIG_TRANSPARENT_HUGEPAGE", " - powerpc/lib: Validate size for vector operations", " - x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel", " - perf/core: Fix narrow startup race when creating the perf nr_addr_filters", " sysfs file", " - regulator: core: Only increment use_count when enable_count changes", " - audit: Send netlink ACK before setting connection in auditd_set", " - ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop", " - PNP: ACPI: fix fortify warning", " - ACPI: extlog: fix NULL pointer dereference check", " - FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree", " - jfs: fix slab-out-of-bounds Read in dtSearch", " - jfs: fix array-index-out-of-bounds in dbAdjTree", " - pstore/ram: Fix crash when setting number of cpus to an odd number", " - crypto: stm32/crc32 - fix parsing list of devices", " - afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()", " - rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()", " - jfs: fix array-index-out-of-bounds in diNewExt", " - s390/ptrace: handle setting of fpc register correctly", " - KVM: s390: fix setting of fpc register", " - SUNRPC: Fix a suspicious RCU usage warning", " - ecryptfs: Reject casefold directory inodes", " - ext4: fix inconsistent between segment fstrim and full fstrim", " - ext4: unify the type of flexbg_size to unsigned int", " - ext4: remove unnecessary check from alloc_flex_gd()", " - ext4: avoid online resizing failures due to oversized flex bg", " - wifi: rt2x00: restart beacon queue when hardware reset", " - selftests/bpf: satisfy compiler by having explicit return in btf test", " - selftests/bpf: Fix pyperf180 compilation failure with clang18", " - scsi: lpfc: Fix possible file string name overflow when updating firmware", " - PCI: Add no PM reset quirk for NVIDIA Spectrum devices", " - bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk", " - ARM: dts: imx7d: Fix coresight funnel ports", " - ARM: dts: imx7s: Fix lcdif compatible", " - ARM: dts: imx7s: Fix nand-controller #size-cells", " - wifi: ath9k: Fix potential array-index-out-of-bounds read in", " ath9k_htc_txstatus()", " - bpf: Add map and need_defer parameters to .map_fd_put_ptr()", " - scsi: libfc: Don't schedule abort twice", " - scsi: libfc: Fix up timeout error in fc_fcp_rec_error()", " - ARM: dts: rockchip: fix rk3036 hdmi ports node", " - ARM: dts: imx25/27-eukrea: Fix RTC node name", " - ARM: dts: imx: Use flash@0,0 pattern", " - ARM: dts: imx27: Fix sram node", " - ARM: dts: imx1: Fix sram node", " - ARM: dts: imx25/27: Pass timing0", " - ARM: dts: imx27-apf27dev: Fix LED name", " - ARM: dts: imx23-sansa: Use preferred i2c-gpios properties", " - ARM: dts: imx23/28: Fix the DMA controller node name", " - block: prevent an integer overflow in bvec_try_merge_hw_page", " - md: Whenassemble the array, consult the superblock of the freshest device", " - arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property", " - arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property", " - wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices", " - wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()", " - wifi: cfg80211: free beacon_ies when overridden from hidden BSS", " - f2fs: fix to check return value of f2fs_reserve_new_block()", " - ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument", " - fast_dput(): handle underflows gracefully", " - RDMA/IPoIB: Fix error code return in ipoib_mcast_join", " - drm/drm_file: fix use of uninitialized variable", " - drm/framebuffer: Fix use of uninitialized variable", " - drm/mipi-dsi: Fix detach call without attach", " - media: stk1160: Fixed high volume of stk1160_dbg messages", " - media: rockchip: rga: fix swizzling for RGB formats", " - PCI: add INTEL_HDA_ARL to pci_ids.h", " - ALSA: hda: Intel: add HDA_ARL PCI ID support", " - drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time", " - IB/ipoib: Fix mcast list locking", " - media: ddbridge: fix an error code problem in ddb_probe", " - drm/msm/dpu: Ratelimit framedone timeout msgs", " - clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()", " - clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()", " - drm/amdgpu: Let KFD sync with VM fences", " - drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'", " - leds: trigger: panic: Don't register panic notifier if creating the trigger", " failed", " - um: Fix naming clash between UML and scheduler", " - um: Don't use vfprintf() for os_info()", " - um: net: Fix return type of uml_net_start_xmit()", " - i3c: master: cdns: Update maximum prescaler value for i2c clock", " - mfd: ti_am335x_tscadc: Fix TI SoC dependencies", " - [Config] updateconfigs for MFD_TI_AM335X_TSCADC", " - PCI: Only override AMD USB controller if required", " - PCI: switchtec: Fix stdev_release() crash after surprise hot remove", " - usb: hub: Replace hardcoded quirk value with BIT() macro", " - fs/kernfs/dir: obey S_ISGID", " - PCI/AER: Decode Requester ID when no error info found", " - libsubcmd: Fix memory leak in uniq()", " - virtio_net: Fix \"‘%d’ directive writing between 1 and 11 bytes into a region", " of size 10\" warnings", " - blk-mq: fix IO hang from sbitmap wakeup race", " - ceph: fix deadlock or deadcode of misusing dget()", " - drm/amdgpu: Release 'adev->pm.fw' before return in", " 'amdgpu_device_need_post()'", " - perf: Fix the nr_addr_filters fix", " - wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update", " - scsi: isci: Fix an error code problem in isci_io_request_build()", " - net: remove unneeded break", " - ixgbe: Remove non-inclusive language", " - ixgbe: Refactor returning internal error codes", " - ixgbe: Refactor overtemp event handling", " - ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()", " - ipv6: Ensure natural alignment of const ipv6 loopback and router addresses", " - llc: call sock_orphan() at release time", " - netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger", " - netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom", " expectations", " - net: ipv4: fix a memleak in ip_setup_cork", " - af_unix: fix lockdep positive in sk_diag_dump_icons()", " - SAUCE: Sync apparmor copy of af_unix.c", " - net: sysfs: Fix /sys/class/net/ path", " - HID: apple: Add support for the 2021 Magic Keyboard", " - HID: apple: Swap the Fn and Left Control keys on Apple keyboards", " - HID: apple: Add 2021 magic keyboard FN key mapping", " - bonding: remove print in bond_verify_device_path", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - selftests: net: avoid just another constant wait", " - atm: idt77252: fix a memleak in open_card_ubr0", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - ppp_async: limit MRU to 64K", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - netfilter: nft_ct: reject direction for ct id", " - net/af_iucv: clean up a try_then_request_module()", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - hrtimer: Report offline hrtimer enqueue", " - Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " - net: stmmac: xgmac: use #define for string constants", " - net: stmmac: xgmac: fix a typo of register name in DPP safety handling", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - of: unittest: add overlay gpio test to catch gpio hog problem", " - of: unittest: Fix compile in the non-dynamic case", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - i2c: i801: Remove i801_set_block_buffer_mode", " - i2c: i801: Fix block process call transactions", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - xen-netback: properly sync TX responses", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: fix double-free of blocks due to wrong extents moved_len", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"", " - bus: moxtet: Add spi device table", " - arch, mm: remove stale mentions of DISCONIGMEM", " - mips: Fix max_mapnr being uninitialized on early stages", " - KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache", " - netfilter: ipset: fix performance regression in swap operation", " - netfilter: ipset: Missing gc cancellations fixed", " - net: prevent mss overflow in skb_segment()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - nilfs2: fix potential bug in end_buffer_async_write", " - PM: runtime: add devm_pm_runtime_enable helper", " - PM: runtime: Have devm_pm_runtime_enable() handle", " pm_runtime_dont_use_autosuspend()", " - drm/msm/dsi: Enable runtime PM", " - lsm: new security_file_ioctl_compat() hook", " - Revert \"Revert \"mtd: rawnand: gpmi: Fix setting busy timeout setting\"\"", " - net: bcmgenet: Fix EEE implementation", " - of: unittest: fix EXPECT text for gpio hog errors", " - of: gpio unittest kfree() wrong object", " - Linux 5.4.269", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948) //", " CVE-2023-52603", " - UBSAN: array-index-out-of-bounds in dtSplitRoot", "", " * CVE-2023-52600", " - jfs: fix uaf in jfs_evict_inode", "", " * CVE-2023-24023", " - Bluetooth: Add more enc key size check", "", " * CVE-2024-26581", " - netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure", " - netfilter: nft_set_rbtree: skip end interval element from gc", "", " * CVE-2024-26589", " - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "" ], "package": "linux", "version": "5.4.0-181.201", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "author": "Roxana Nicolescu ", "date": "Thu, 28 Mar 2024 15:36:38 +0100" } ], "notes": "linux-image-5.4.0-182-generic-lpae version '5.4.0-182.202' (source package linux version '5.4.0-182.202') was added. linux-image-5.4.0-182-generic-lpae version '5.4.0-182.202' has the same source package name, linux, as removed package linux-headers-5.4.0-177. As such we can use the source package version of the removed package, '5.4.0-177.197', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.4.0-182-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-182.202", "version": "5.4.0-182.202" }, "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2063685, 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "changes": [ { "cves": [ { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" }, { "cve": "CVE-2024-26614", "url": "https://ubuntu.com/security/CVE-2024-26614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-03-11 18:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-182.202 -proposed tracker (LP: #2063685)", "", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", "", " * CVE-2024-26622", " - tomoyo: fix UAF write bug in tomoyo_write_control()", "", " * CVE-2024-26614", " - tcp: make sure init the accept_queue's spinlocks once", " - ipv6: init the accept_queue's spinlocks in inet6_create", "", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "" ], "package": "linux", "version": "5.4.0-182.202", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2063685 ], "author": "Stefan Bader ", "date": "Fri, 26 Apr 2024 13:36:15 +0200" }, { "cves": [ { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-24023", "url": "https://ubuntu.com/security/CVE-2023-24023", "cve_description": "Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.", "cve_priority": "medium", "cve_public_date": "2023-11-28 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-181.201 -proposed tracker (LP: #2059549)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] drop getabis data", "", " * Drop fips-checks script from trees (LP: #2055083)", " - [Packaging] Remove fips-checks script", "", " * Remove getabis scripts (LP: #2059143)", " - [Packaging] Remove getabis", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948)", " - PCI: mediatek: Clear interrupt status before dispatching handler", " - include/linux/units.h: add helpers for kelvin to/from Celsius conversion", " - units: Add Watt units", " - units: change from 'L' to 'UL'", " - units: add the HZ macros", " - serial: sc16is7xx: set safe default SPI clock frequency", " - spi: introduce SPI_MODE_X_MASK macro", " - serial: sc16is7xx: add check for unsupported SPI modes during probe", " - ext4: allow for the last group to be marked as trimmed", " - crypto: api - Disallow identical driver names", " - PM: hibernate: Enforce ordering during image compression/decompression", " - hwrng: core - Fix page fault dead lock on mmap-ed hwrng", " - rpmsg: virtio: Free driver_override when rpmsg_remove()", " - parisc/firmware: Fix F-extend for PDC addresses", " - arm64: dts: qcom: sdm845: fix USB wakeup interrupt types", " - mmc: core: Use mrq.sbc in close-ended ffu", " - nouveau/vmm: don't set addr on the fail path to avoid warning", " - ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path", " - rename(): fix the locking of subdirectories", " - block: Remove special-casing of compound pages", " - mtd: spinand: macronix: Fix MX35LFxGE4AD page size", " - fs: add mode_strip_sgid() helper", " - fs: move S_ISGID stripping into the vfs_*() helpers", " - powerpc: Use always instead of always-y in for crtsavres.o", " - x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum", " - net/smc: fix illegal rmb_desc access in SMC-D connection dump", " - vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING", " - llc: make llc_ui_sendmsg() more robust against bonding changes", " - llc: Drop support for ETH_P_TR_802_2.", " - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv", " - tracing: Ensure visibility when inserting an element into tracing_map", " - afs: Hide silly-rename files from userspace", " - tcp: Add memory barrier to tcp_push()", " - netlink: fix potential sleeping issue in mqueue_flush_file", " - net/mlx5: DR, Use the right GVMI number for drop action", " - net/mlx5: Use kfree(ft->g) in arfs_create_groups()", " - net/mlx5e: fix a double-free in arfs_create_groups", " - netfilter: nf_tables: restrict anonymous set and map names to 16 bytes", " - netfilter: nf_tables: validate NFPROTO_* family", " - fjes: fix memleaks in fjes_hw_setup", " - net: fec: fix the unhandled context fault from smmu", " - btrfs: ref-verify: free ref cache before clearing mount opt", " - btrfs: tree-checker: fix inline ref size in error messages", " - btrfs: don't warn if discard range is not aligned to sector", " - btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args", " - rbd: don't move requests to the running list on errors", " - gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04", " - drm: Don't unref the same fb many times by mistake due to deadlock handling", " - drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking", " - drm/bridge: nxp-ptn3460: simplify some error checking", " - drm/exynos: fix accidental on-stack copy of exynos_drm_plane", " - drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume", " - gpio: eic-sprd: Clear interrupt after set the interrupt type", " - spi: bcm-qspi: fix SFDP BFPT read by usig mspi read", " - mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan", " - tick/sched: Preserve number of idle sleeps across CPU hotplug events", " - x86/entry/ia32: Ensure s32 is sign extended to s64", " - powerpc/mm: Fix null-pointer dereference in pgtable_cache_add", " - powerpc: Fix build error due to is_valid_bugaddr()", " - powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()", " - powerpc: pmd_move_must_withdraw() is only needed for", " CONFIG_TRANSPARENT_HUGEPAGE", " - powerpc/lib: Validate size for vector operations", " - x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel", " - perf/core: Fix narrow startup race when creating the perf nr_addr_filters", " sysfs file", " - regulator: core: Only increment use_count when enable_count changes", " - audit: Send netlink ACK before setting connection in auditd_set", " - ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop", " - PNP: ACPI: fix fortify warning", " - ACPI: extlog: fix NULL pointer dereference check", " - FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree", " - jfs: fix slab-out-of-bounds Read in dtSearch", " - jfs: fix array-index-out-of-bounds in dbAdjTree", " - pstore/ram: Fix crash when setting number of cpus to an odd number", " - crypto: stm32/crc32 - fix parsing list of devices", " - afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()", " - rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()", " - jfs: fix array-index-out-of-bounds in diNewExt", " - s390/ptrace: handle setting of fpc register correctly", " - KVM: s390: fix setting of fpc register", " - SUNRPC: Fix a suspicious RCU usage warning", " - ecryptfs: Reject casefold directory inodes", " - ext4: fix inconsistent between segment fstrim and full fstrim", " - ext4: unify the type of flexbg_size to unsigned int", " - ext4: remove unnecessary check from alloc_flex_gd()", " - ext4: avoid online resizing failures due to oversized flex bg", " - wifi: rt2x00: restart beacon queue when hardware reset", " - selftests/bpf: satisfy compiler by having explicit return in btf test", " - selftests/bpf: Fix pyperf180 compilation failure with clang18", " - scsi: lpfc: Fix possible file string name overflow when updating firmware", " - PCI: Add no PM reset quirk for NVIDIA Spectrum devices", " - bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk", " - ARM: dts: imx7d: Fix coresight funnel ports", " - ARM: dts: imx7s: Fix lcdif compatible", " - ARM: dts: imx7s: Fix nand-controller #size-cells", " - wifi: ath9k: Fix potential array-index-out-of-bounds read in", " ath9k_htc_txstatus()", " - bpf: Add map and need_defer parameters to .map_fd_put_ptr()", " - scsi: libfc: Don't schedule abort twice", " - scsi: libfc: Fix up timeout error in fc_fcp_rec_error()", " - ARM: dts: rockchip: fix rk3036 hdmi ports node", " - ARM: dts: imx25/27-eukrea: Fix RTC node name", " - ARM: dts: imx: Use flash@0,0 pattern", " - ARM: dts: imx27: Fix sram node", " - ARM: dts: imx1: Fix sram node", " - ARM: dts: imx25/27: Pass timing0", " - ARM: dts: imx27-apf27dev: Fix LED name", " - ARM: dts: imx23-sansa: Use preferred i2c-gpios properties", " - ARM: dts: imx23/28: Fix the DMA controller node name", " - block: prevent an integer overflow in bvec_try_merge_hw_page", " - md: Whenassemble the array, consult the superblock of the freshest device", " - arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property", " - arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property", " - wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices", " - wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()", " - wifi: cfg80211: free beacon_ies when overridden from hidden BSS", " - f2fs: fix to check return value of f2fs_reserve_new_block()", " - ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument", " - fast_dput(): handle underflows gracefully", " - RDMA/IPoIB: Fix error code return in ipoib_mcast_join", " - drm/drm_file: fix use of uninitialized variable", " - drm/framebuffer: Fix use of uninitialized variable", " - drm/mipi-dsi: Fix detach call without attach", " - media: stk1160: Fixed high volume of stk1160_dbg messages", " - media: rockchip: rga: fix swizzling for RGB formats", " - PCI: add INTEL_HDA_ARL to pci_ids.h", " - ALSA: hda: Intel: add HDA_ARL PCI ID support", " - drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time", " - IB/ipoib: Fix mcast list locking", " - media: ddbridge: fix an error code problem in ddb_probe", " - drm/msm/dpu: Ratelimit framedone timeout msgs", " - clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()", " - clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()", " - drm/amdgpu: Let KFD sync with VM fences", " - drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'", " - leds: trigger: panic: Don't register panic notifier if creating the trigger", " failed", " - um: Fix naming clash between UML and scheduler", " - um: Don't use vfprintf() for os_info()", " - um: net: Fix return type of uml_net_start_xmit()", " - i3c: master: cdns: Update maximum prescaler value for i2c clock", " - mfd: ti_am335x_tscadc: Fix TI SoC dependencies", " - [Config] updateconfigs for MFD_TI_AM335X_TSCADC", " - PCI: Only override AMD USB controller if required", " - PCI: switchtec: Fix stdev_release() crash after surprise hot remove", " - usb: hub: Replace hardcoded quirk value with BIT() macro", " - fs/kernfs/dir: obey S_ISGID", " - PCI/AER: Decode Requester ID when no error info found", " - libsubcmd: Fix memory leak in uniq()", " - virtio_net: Fix \"‘%d’ directive writing between 1 and 11 bytes into a region", " of size 10\" warnings", " - blk-mq: fix IO hang from sbitmap wakeup race", " - ceph: fix deadlock or deadcode of misusing dget()", " - drm/amdgpu: Release 'adev->pm.fw' before return in", " 'amdgpu_device_need_post()'", " - perf: Fix the nr_addr_filters fix", " - wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update", " - scsi: isci: Fix an error code problem in isci_io_request_build()", " - net: remove unneeded break", " - ixgbe: Remove non-inclusive language", " - ixgbe: Refactor returning internal error codes", " - ixgbe: Refactor overtemp event handling", " - ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()", " - ipv6: Ensure natural alignment of const ipv6 loopback and router addresses", " - llc: call sock_orphan() at release time", " - netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger", " - netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom", " expectations", " - net: ipv4: fix a memleak in ip_setup_cork", " - af_unix: fix lockdep positive in sk_diag_dump_icons()", " - SAUCE: Sync apparmor copy of af_unix.c", " - net: sysfs: Fix /sys/class/net/ path", " - HID: apple: Add support for the 2021 Magic Keyboard", " - HID: apple: Swap the Fn and Left Control keys on Apple keyboards", " - HID: apple: Add 2021 magic keyboard FN key mapping", " - bonding: remove print in bond_verify_device_path", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - selftests: net: avoid just another constant wait", " - atm: idt77252: fix a memleak in open_card_ubr0", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - ppp_async: limit MRU to 64K", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - netfilter: nft_ct: reject direction for ct id", " - net/af_iucv: clean up a try_then_request_module()", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - hrtimer: Report offline hrtimer enqueue", " - Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " - net: stmmac: xgmac: use #define for string constants", " - net: stmmac: xgmac: fix a typo of register name in DPP safety handling", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - of: unittest: add overlay gpio test to catch gpio hog problem", " - of: unittest: Fix compile in the non-dynamic case", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - i2c: i801: Remove i801_set_block_buffer_mode", " - i2c: i801: Fix block process call transactions", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - xen-netback: properly sync TX responses", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: fix double-free of blocks due to wrong extents moved_len", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"", " - bus: moxtet: Add spi device table", " - arch, mm: remove stale mentions of DISCONIGMEM", " - mips: Fix max_mapnr being uninitialized on early stages", " - KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache", " - netfilter: ipset: fix performance regression in swap operation", " - netfilter: ipset: Missing gc cancellations fixed", " - net: prevent mss overflow in skb_segment()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - nilfs2: fix potential bug in end_buffer_async_write", " - PM: runtime: add devm_pm_runtime_enable helper", " - PM: runtime: Have devm_pm_runtime_enable() handle", " pm_runtime_dont_use_autosuspend()", " - drm/msm/dsi: Enable runtime PM", " - lsm: new security_file_ioctl_compat() hook", " - Revert \"Revert \"mtd: rawnand: gpmi: Fix setting busy timeout setting\"\"", " - net: bcmgenet: Fix EEE implementation", " - of: unittest: fix EXPECT text for gpio hog errors", " - of: gpio unittest kfree() wrong object", " - Linux 5.4.269", "", " * Focal update: v5.4.269 upstream stable release (LP: #2058948) //", " CVE-2023-52603", " - UBSAN: array-index-out-of-bounds in dtSplitRoot", "", " * CVE-2023-52600", " - jfs: fix uaf in jfs_evict_inode", "", " * CVE-2023-24023", " - Bluetooth: Add more enc key size check", "", " * CVE-2024-26581", " - netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure", " - netfilter: nft_set_rbtree: skip end interval element from gc", "", " * CVE-2024-26589", " - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "" ], "package": "linux", "version": "5.4.0-181.201", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2059549, 1786013, 2055083, 2059143, 2058948, 2058948 ], "author": "Roxana Nicolescu ", "date": "Thu, 28 Mar 2024 15:36:38 +0100" } ], "notes": "linux-modules-5.4.0-182-generic-lpae version '5.4.0-182.202' (source package linux version '5.4.0-182.202') was added. linux-modules-5.4.0-182-generic-lpae version '5.4.0-182.202' has the same source package name, linux, as removed package linux-headers-5.4.0-177. As such we can use the source package version of the removed package, '5.4.0-177.197', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.4.0-177", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": "5.4.0-177.197" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.4.0-177-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": "5.4.0-177.197" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.4.0-177-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": "5.4.0-177.197" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.4.0-177-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-177.197", "version": "5.4.0-177.197" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20240502 to 20240513", "from_series": "focal", "to_series": "focal", "from_serial": "20240502", "to_serial": "20240513", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }