{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-118", "linux-headers-5.15.0-118-generic", "linux-image-5.15.0-118-generic", "linux-modules-5.15.0-118-generic" ], "removed": [ "linux-headers-5.15.0-117", "linux-headers-5.15.0-117-generic", "linux-image-5.15.0-117-generic", "linux-modules-5.15.0-117-generic" ], "diff": [ "libgssapi-krb5-2:ppc64el", "libk5crypto3:ppc64el", "libkrb5-3:ppc64el", "libkrb5support0:ppc64el", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual" ] } }, "diff": { "deb": [ { "name": "libgssapi-krb5-2:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.3", "version": "1.19.2-2ubuntu0.3" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.4", "version": "1.19.2-2ubuntu0.4" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:46:10 +1000" } ], "notes": null }, { "name": "libk5crypto3:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.3", "version": "1.19.2-2ubuntu0.3" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.4", "version": "1.19.2-2ubuntu0.4" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:46:10 +1000" } ], "notes": null }, { "name": "libkrb5-3:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.3", "version": "1.19.2-2ubuntu0.3" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.4", "version": "1.19.2-2ubuntu0.4" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:46:10 +1000" } ], "notes": null }, { "name": "libkrb5support0:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.3", "version": "1.19.2-2ubuntu0.3" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.4", "version": "1.19.2-2ubuntu0.4" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:46:10 +1000" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.117.117", "version": "5.15.0.117.117" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.118.118", "version": "5.15.0.118.118" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-118", "" ], "package": "linux-meta", "version": "5.15.0.118.118", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:17:55 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.117.117", "version": "5.15.0.117.117" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.118.118", "version": "5.15.0.118.118" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-118", "" ], "package": "linux-meta", "version": "5.15.0.118.118", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:17:55 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.117.117", "version": "5.15.0.117.117" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.118.118", "version": "5.15.0.118.118" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-118", "" ], "package": "linux-meta", "version": "5.15.0.118.118", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:17:55 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.117.117", "version": "5.15.0.117.117" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.118.118", "version": "5.15.0.118.118" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-118", "" ], "package": "linux-meta", "version": "5.15.0.118.118", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:17:55 +0200" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-118", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-117.127", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-118.128", "version": "5.15.0-118.128" }, "cves": [ { "cve": "CVE-2024-27017", "url": "https://ubuntu.com/security/CVE-2024-27017", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: walk over current view on netlink dump The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26952", "url": "https://ubuntu.com/security/CVE-2024-26952", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-25742", "url": "https://ubuntu.com/security/CVE-2024-25742", "cve_description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", "cve_priority": "medium", "cve_public_date": "2024-05-17 22:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2072255, 2070292, 2070028, 2061091 ], "changes": [ { "cves": [ { "cve": "CVE-2024-27017", "url": "https://ubuntu.com/security/CVE-2024-27017", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: walk over current view on netlink dump The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26952", "url": "https://ubuntu.com/security/CVE-2024-26952", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-25742", "url": "https://ubuntu.com/security/CVE-2024-25742", "cve_description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", "cve_priority": "medium", "cve_public_date": "2024-05-17 22:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-118.128 -proposed tracker (LP: #2072255)", "", " * Jammy update: v5.15.160 upstream stable release (LP: #2070292)", " - drm/amd/display: Fix division by zero in setup_dsc_config", " - pinctrl: core: handle radix_tree_insert() errors in", " pinctrl_register_one_pin()", " - nfsd: don't allow nfsd threads to be signalled.", " - KEYS: trusted: Fix memory leak in tpm2_key_encode()", " - Revert \"selftests: mm: fix map_hugetlb failure on 64K page size systems\"", " - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access", " - net: bcmgenet: synchronize UMAC_CMD access", " - netlink: annotate lockless accesses to nlk->max_recvmsg_len", " - netlink: annotate data-races around sk->sk_err", " - KVM: x86: Clear \"has_error_code\", not \"error_code\", for RM exception", " injection", " - drm/amdgpu: Fix possible NULL dereference in", " amdgpu_ras_query_error_status_helper()", " - binder: fix max_thread type inconsistency", " - usb: typec: ucsi: displayport: Fix potential deadlock", " - serial: kgdboc: Fix NMI-safety problems from keyboard reset code", " - remoteproc: mediatek: Make sure IPI buffer fits in L2TCM", " - KEYS: trusted: Do not use WARN when encode fails", " - admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET", " - docs: kernel_include.py: Cope with docutils 0.21", " - Linux 5.15.160", "", " * Jammy update: v5.15.159 upstream stable release (LP: #2070028)", " - dmaengine: pl330: issue_pending waits until WFP state", " - dmaengine: Revert \"dmaengine: pl330: issue_pending waits until WFP state\"", " - wifi: nl80211: don't free NULL coalescing rule", " - ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf", " - ksmbd: validate request buffer size in smb2_allocate_rsp_buf()", " - ksmbd: clear RENAME_NOREPLACE before calling vfs_rename", " - eeprom: at24: Use dev_err_probe for nvmem register failure", " - eeprom: at24: Probe for DDR3 thermal sensor in the SPD case", " - eeprom: at24: fix memory corruption race condition", " - pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T", " - pinctrl/meson: fix typo in PDM's pin name", " - pinctrl: core: delete incorrect free in pinctrl_enable()", " - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback", " - pinctrl: mediatek: paris: Rework support for", " PIN_CONFIG_{INPUT,OUTPUT}_ENABLE", " - sunrpc: add a struct rpc_stats arg to rpc_create_args", " - nfs: expose /proc/net/sunrpc/nfs in net namespaces", " - nfs: make the rpc_stat per net namespace", " - nfs: Handle error of rpc_proc_register() in nfs_net_init().", " - power: rt9455: hide unused rt9455_boost_voltage_values", " - power: supply: mt6360_charger: Fix of_match for usb-otg-vbus regulator", " - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()", " - regulator: mt6360: De-capitalize devicetree regulator subnodes", " - bpf, kconfig: Fix DEBUG_INFO_BTF_MODULES Kconfig definition", " - bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue", " - bpf: Fix a verifier verbose message", " - spi: hisi-kunpeng: Delete the dump interface of data registers in debugfs", " - s390/mm: Fix storage key clearing for guest huge pages", " - s390/mm: Fix clearing storage keys for huge pages", " - xdp: Move conversion to xdp_frame out of map functions", " - xdp: Add xdp_do_redirect_frame() for pre-computed xdp_frames", " - xdp: use flags field to disambiguate broadcast redirect", " - bna: ensure the copied buf is NUL terminated", " - octeontx2-af: avoid off-by-one read from userspace", " - nsh: Restore skb->{protocol,data,mac_header} for outer header in", " nsh_gso_segment().", " - net l2tp: drop flow hash on forward", " - s390/vdso: Add CFI for RA register to asm macro vdso_func", " - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()", " - net: qede: use return from qede_parse_flow_attr() for flower", " - net: qede: use return from qede_parse_flow_attr() for flow_spec", " - net: qede: use return from qede_parse_actions()", " - ASoC: meson: axg-fifo: use FIELD helpers", " - ASoC: meson: axg-fifo: use threaded irq to check periods", " - ASoC: meson: axg-card: make links nonatomic", " - ASoC: meson: axg-tdm-interface: manage formatters in trigger", " - ASoC: meson: cards: select SND_DYNAMIC_MINORS", " - ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()", " - s390/cio: Ensure the copied buf is NUL terminated", " - cxgb4: Properly lock TX queue for the selftest.", " - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341", " - net: bridge: fix multicast-to-unicast with fraglist GSO", " - net: core: reject skb_copy(_expand) for fraglist GSO skbs", " - tipc: fix a possible memleak in tipc_buf_append", " - s390/qeth: don't keep track of Input Queue count", " - s390/qeth: Fix kernel panic after setting hsuid", " - drm/panel: ili9341: Respect deferred probe", " - drm/panel: ili9341: Use predefined error codes", " - net: gro: add flush check in udp_gro_receive_segment", " - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change", " - KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id", " - KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()", " - scsi: lpfc: Move NPIV's transport unregistration to after resource clean up", " - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic", " - scsi: lpfc: Replace hbalock with ndlp lock in lpfc_nvme_unregister_port()", " - gfs2: Fix invalid metadata access in punch_hole", " - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc", " - wifi: cfg80211: fix rdev_dump_mpp() arguments order", " - net: mark racy access on sk->sk_rcvbuf", " - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload", " - btrfs: return accurate error code on open failure in open_fs_devices()", " - kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries", " - ALSA: line6: Zero-initialize message buffers", " - net: bcmgenet: Reset RBUF on first open", " - ata: sata_gemini: Check clk_enable() result", " - firewire: ohci: mask bus reset interrupts between ISR and bottom half", " - tools/power turbostat: Fix added raw MSR output", " - tools/power turbostat: Fix Bzy_MHz documentation typo", " - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve", " - btrfs: always clear PERTRANS metadata during commit", " - scsi: target: Fix SELinux error when systemd-modules loads the target module", " - blk-iocost: avoid out of bounds shift", " - gpu: host1x: Do not setup DMA for virtual devices", " - MIPS: scall: Save thread_info.syscall unconditionally on entry", " - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior", " - iommu: mtk: fix module autoloading", " - fs/9p: only translate RWX permissions for plain 9P2000", " - fs/9p: translate O_TRUNC into OTRUNC", " - 9p: explicitly deny setlease attempts", " - gpio: wcove: Use -ENOTSUPP consistently", " - gpio: crystalcove: Use -ENOTSUPP consistently", " - clk: Don't hold prepare_lock when calling kref_put()", " - fs/9p: drop inodes immediately on non-.L too", " - drm/nouveau/dp: Don't probe eDP ports twice harder", " - net:usb:qmi_wwan: support Rolling modules", " - bpf, sockmap: TCP data stall on recv before accept", " - bpf, sockmap: Handle fin correctly", " - bpf, sockmap: Convert schedule_work into delayed_work", " - bpf, sockmap: Reschedule is now done through backlog", " - bpf, sockmap: Improved check for empty queue", " - qibfs: fix dentry leak", " - xfrm: Preserve vlan tags for transport mode software GRO", " - ARM: 9381/1: kasan: clear stale stack poison", " - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets", " - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", " - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout", " - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout", " - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation", " - hwmon: (corsair-cpro) Use a separate buffer for sending commands", " - hwmon: (corsair-cpro) Use complete_all() instead of complete() in", " ccp_raw_event()", " - hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock", " - phonet: fix rtm_phonet_notify() skb allocation", " - net: bridge: fix corrupted ethernet header on multicast-to-unicast", " - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()", " - net: hns3: PF support get unicast MAC address space assigned by firmware", " - net: hns3: using user configure after hardware reset", " - net: hns3: add log for workqueue scheduled late", " - net: hns3: add query vf ring and vector map relation", " - net: hns3: refactor function hclge_mbx_handler()", " - net: hns3: direct return when receive a unknown mailbox message", " - net: hns3: refactor hns3 makefile to support hns3_common module", " - net: hns3: create new cmdq hardware description structure hclge_comm_hw", " - net: hns3: create new set of unified hclge_comm_cmd_send APIs", " - net: hns3: refactor hclge_cmd_send with new hclge_comm_cmd_send API", " - net: hns3: change type of numa_node_mask as nodemask_t", " - net: hns3: use appropriate barrier function after setting a bit value", " - net: hns3: split function hclge_init_vlan_config()", " - net: hns3: fix port vlan filter not disabled issue", " - drm/meson: dw-hdmi: power up phy on device init", " - drm/meson: dw-hdmi: add bandgap setting for g12", " - drm/connector: Add \\n to message about demoting connector force-probes", " - drm/amd/display: Atom Integrated System Info v2_2 for DCN35", " - Revert \"Revert \"ACPI: CPPC: Use access_width over bit_width for system", " memory accesses\"\"", " - ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro", " - ACPI: CPPC: Fix access width used for PCC registers", " - btrfs: fix kvcalloc() arguments order in btrfs_ioctl_send()", " - firewire: nosy: ensure user_length is taken into account when fetching", " packet contents", " - Reapply \"drm/qxl: simplify qxl_fence_wait\"", " - arm64: dts: qcom: Fix 'interrupt-map' parent address cells", " - usb: typec: ucsi: Check for notifications after init", " - usb: typec: ucsi: Fix connector check on init", " - usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed", " device", " - usb: ohci: Prevent missed ohci interrupts", " - usb: gadget: composite: fix OS descriptors w_value logic", " - usb: gadget: f_fs: Fix a race condition when processing setup packets.", " - usb: xhci-plat: Don't include xhci.h", " - usb: dwc3: core: Prevent phy suspend during init", " - ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU", " - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()", " - mptcp: ensure snd_nxt is properly initialized on connect", " - dt-bindings: iio: health: maxim,max30102: fix compatible check", " - iio:imu: adis16475: Fix sync mode setting", " - iio: accel: mxc4005: Interrupt handling fixes", " - tipc: fix UAF in error path", " - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()", " - ASoC: tegra: Fix DSPK 16-bit playback", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - dyndbg: fix old BUG_ON in >control parser", " - slimbus: qcom-ngd-ctrl: Add timeout for wait operation", " - mei: me: add lunar lake point M DID", " - drm/vmwgfx: Fix invalid reads in fence signaled events", " - net: fix out-of-bounds access in ops_init", " - hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us", " - regulator: core: fix debugfs creation regression", " - Bluetooth: qca: add missing firmware sanity checks", " - Bluetooth: qca: fix NVM configuration parsing", " - Bluetooth: qca: fix firmware check error path", " - keys: Fix overwrite of key expiration on instantiation", " - md: fix kmemleak of rdev->serial", " - Linux 5.15.159", "", " * Freezing user space processes failed after 20.008 seconds (1 tasks refusing", " to freeze, wq_busy=0) (LP: #2061091)", " - ALSA: Fix deadlocks with kctl removals at disconnection", "", " * CVE-2024-27017", " - netfilter: nft_set_pipapo: constify lookup fn args where possible", " - netfilter: nft_set_pipapo: walk over current view on netlink dump", " - netfilter: nf_tables: missing iterator type in lookup walk", "", " * CVE-2024-26952", " - ksmbd: fix potencial out-of-bounds when buffer offset is invalid", "", " * CVE-2024-26886", " - Bluetooth: af_bluetooth: Fix deadlock", "", " * CVE-2023-52752", " - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()", "", " * CVE-2024-25742", " - x86/sev: Harden #VC instruction emulation somewhat", " - x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler", "", " * CVE-2024-36016", " - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()", "" ], "package": "linux", "version": "5.15.0-118.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2072255, 2070292, 2070028, 2061091 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 10:53:52 +0200" } ], "notes": "linux-headers-5.15.0-118 version '5.15.0-118.128' (source package linux version '5.15.0-118.128') was added. linux-headers-5.15.0-118 version '5.15.0-118.128' has the same source package name, linux, as removed package linux-headers-5.15.0-117. As such we can use the source package version of the removed package, '5.15.0-117.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.15.0-118-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-117.127", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-118.128", "version": "5.15.0-118.128" }, "cves": [ { "cve": "CVE-2024-27017", "url": "https://ubuntu.com/security/CVE-2024-27017", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: walk over current view on netlink dump The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26952", "url": "https://ubuntu.com/security/CVE-2024-26952", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-25742", "url": "https://ubuntu.com/security/CVE-2024-25742", "cve_description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", "cve_priority": "medium", "cve_public_date": "2024-05-17 22:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2072255, 2070292, 2070028, 2061091 ], "changes": [ { "cves": [ { "cve": "CVE-2024-27017", "url": "https://ubuntu.com/security/CVE-2024-27017", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: walk over current view on netlink dump The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26952", "url": "https://ubuntu.com/security/CVE-2024-26952", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-25742", "url": "https://ubuntu.com/security/CVE-2024-25742", "cve_description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", "cve_priority": "medium", "cve_public_date": "2024-05-17 22:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-118.128 -proposed tracker (LP: #2072255)", "", " * Jammy update: v5.15.160 upstream stable release (LP: #2070292)", " - drm/amd/display: Fix division by zero in setup_dsc_config", " - pinctrl: core: handle radix_tree_insert() errors in", " pinctrl_register_one_pin()", " - nfsd: don't allow nfsd threads to be signalled.", " - KEYS: trusted: Fix memory leak in tpm2_key_encode()", " - Revert \"selftests: mm: fix map_hugetlb failure on 64K page size systems\"", " - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access", " - net: bcmgenet: synchronize UMAC_CMD access", " - netlink: annotate lockless accesses to nlk->max_recvmsg_len", " - netlink: annotate data-races around sk->sk_err", " - KVM: x86: Clear \"has_error_code\", not \"error_code\", for RM exception", " injection", " - drm/amdgpu: Fix possible NULL dereference in", " amdgpu_ras_query_error_status_helper()", " - binder: fix max_thread type inconsistency", " - usb: typec: ucsi: displayport: Fix potential deadlock", " - serial: kgdboc: Fix NMI-safety problems from keyboard reset code", " - remoteproc: mediatek: Make sure IPI buffer fits in L2TCM", " - KEYS: trusted: Do not use WARN when encode fails", " - admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET", " - docs: kernel_include.py: Cope with docutils 0.21", " - Linux 5.15.160", "", " * Jammy update: v5.15.159 upstream stable release (LP: #2070028)", " - dmaengine: pl330: issue_pending waits until WFP state", " - dmaengine: Revert \"dmaengine: pl330: issue_pending waits until WFP state\"", " - wifi: nl80211: don't free NULL coalescing rule", " - ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf", " - ksmbd: validate request buffer size in smb2_allocate_rsp_buf()", " - ksmbd: clear RENAME_NOREPLACE before calling vfs_rename", " - eeprom: at24: Use dev_err_probe for nvmem register failure", " - eeprom: at24: Probe for DDR3 thermal sensor in the SPD case", " - eeprom: at24: fix memory corruption race condition", " - pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T", " - pinctrl/meson: fix typo in PDM's pin name", " - pinctrl: core: delete incorrect free in pinctrl_enable()", " - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback", " - pinctrl: mediatek: paris: Rework support for", " PIN_CONFIG_{INPUT,OUTPUT}_ENABLE", " - sunrpc: add a struct rpc_stats arg to rpc_create_args", " - nfs: expose /proc/net/sunrpc/nfs in net namespaces", " - nfs: make the rpc_stat per net namespace", " - nfs: Handle error of rpc_proc_register() in nfs_net_init().", " - power: rt9455: hide unused rt9455_boost_voltage_values", " - power: supply: mt6360_charger: Fix of_match for usb-otg-vbus regulator", " - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()", " - regulator: mt6360: De-capitalize devicetree regulator subnodes", " - bpf, kconfig: Fix DEBUG_INFO_BTF_MODULES Kconfig definition", " - bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue", " - bpf: Fix a verifier verbose message", " - spi: hisi-kunpeng: Delete the dump interface of data registers in debugfs", " - s390/mm: Fix storage key clearing for guest huge pages", " - s390/mm: Fix clearing storage keys for huge pages", " - xdp: Move conversion to xdp_frame out of map functions", " - xdp: Add xdp_do_redirect_frame() for pre-computed xdp_frames", " - xdp: use flags field to disambiguate broadcast redirect", " - bna: ensure the copied buf is NUL terminated", " - octeontx2-af: avoid off-by-one read from userspace", " - nsh: Restore skb->{protocol,data,mac_header} for outer header in", " nsh_gso_segment().", " - net l2tp: drop flow hash on forward", " - s390/vdso: Add CFI for RA register to asm macro vdso_func", " - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()", " - net: qede: use return from qede_parse_flow_attr() for flower", " - net: qede: use return from qede_parse_flow_attr() for flow_spec", " - net: qede: use return from qede_parse_actions()", " - ASoC: meson: axg-fifo: use FIELD helpers", " - ASoC: meson: axg-fifo: use threaded irq to check periods", " - ASoC: meson: axg-card: make links nonatomic", " - ASoC: meson: axg-tdm-interface: manage formatters in trigger", " - ASoC: meson: cards: select SND_DYNAMIC_MINORS", " - ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()", " - s390/cio: Ensure the copied buf is NUL terminated", " - cxgb4: Properly lock TX queue for the selftest.", " - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341", " - net: bridge: fix multicast-to-unicast with fraglist GSO", " - net: core: reject skb_copy(_expand) for fraglist GSO skbs", " - tipc: fix a possible memleak in tipc_buf_append", " - s390/qeth: don't keep track of Input Queue count", " - s390/qeth: Fix kernel panic after setting hsuid", " - drm/panel: ili9341: Respect deferred probe", " - drm/panel: ili9341: Use predefined error codes", " - net: gro: add flush check in udp_gro_receive_segment", " - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change", " - KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id", " - KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()", " - scsi: lpfc: Move NPIV's transport unregistration to after resource clean up", " - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic", " - scsi: lpfc: Replace hbalock with ndlp lock in lpfc_nvme_unregister_port()", " - gfs2: Fix invalid metadata access in punch_hole", " - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc", " - wifi: cfg80211: fix rdev_dump_mpp() arguments order", " - net: mark racy access on sk->sk_rcvbuf", " - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload", " - btrfs: return accurate error code on open failure in open_fs_devices()", " - kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries", " - ALSA: line6: Zero-initialize message buffers", " - net: bcmgenet: Reset RBUF on first open", " - ata: sata_gemini: Check clk_enable() result", " - firewire: ohci: mask bus reset interrupts between ISR and bottom half", " - tools/power turbostat: Fix added raw MSR output", " - tools/power turbostat: Fix Bzy_MHz documentation typo", " - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve", " - btrfs: always clear PERTRANS metadata during commit", " - scsi: target: Fix SELinux error when systemd-modules loads the target module", " - blk-iocost: avoid out of bounds shift", " - gpu: host1x: Do not setup DMA for virtual devices", " - MIPS: scall: Save thread_info.syscall unconditionally on entry", " - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior", " - iommu: mtk: fix module autoloading", " - fs/9p: only translate RWX permissions for plain 9P2000", " - fs/9p: translate O_TRUNC into OTRUNC", " - 9p: explicitly deny setlease attempts", " - gpio: wcove: Use -ENOTSUPP consistently", " - gpio: crystalcove: Use -ENOTSUPP consistently", " - clk: Don't hold prepare_lock when calling kref_put()", " - fs/9p: drop inodes immediately on non-.L too", " - drm/nouveau/dp: Don't probe eDP ports twice harder", " - net:usb:qmi_wwan: support Rolling modules", " - bpf, sockmap: TCP data stall on recv before accept", " - bpf, sockmap: Handle fin correctly", " - bpf, sockmap: Convert schedule_work into delayed_work", " - bpf, sockmap: Reschedule is now done through backlog", " - bpf, sockmap: Improved check for empty queue", " - qibfs: fix dentry leak", " - xfrm: Preserve vlan tags for transport mode software GRO", " - ARM: 9381/1: kasan: clear stale stack poison", " - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets", " - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", " - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout", " - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout", " - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation", " - hwmon: (corsair-cpro) Use a separate buffer for sending commands", " - hwmon: (corsair-cpro) Use complete_all() instead of complete() in", " ccp_raw_event()", " - hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock", " - phonet: fix rtm_phonet_notify() skb allocation", " - net: bridge: fix corrupted ethernet header on multicast-to-unicast", " - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()", " - net: hns3: PF support get unicast MAC address space assigned by firmware", " - net: hns3: using user configure after hardware reset", " - net: hns3: add log for workqueue scheduled late", " - net: hns3: add query vf ring and vector map relation", " - net: hns3: refactor function hclge_mbx_handler()", " - net: hns3: direct return when receive a unknown mailbox message", " - net: hns3: refactor hns3 makefile to support hns3_common module", " - net: hns3: create new cmdq hardware description structure hclge_comm_hw", " - net: hns3: create new set of unified hclge_comm_cmd_send APIs", " - net: hns3: refactor hclge_cmd_send with new hclge_comm_cmd_send API", " - net: hns3: change type of numa_node_mask as nodemask_t", " - net: hns3: use appropriate barrier function after setting a bit value", " - net: hns3: split function hclge_init_vlan_config()", " - net: hns3: fix port vlan filter not disabled issue", " - drm/meson: dw-hdmi: power up phy on device init", " - drm/meson: dw-hdmi: add bandgap setting for g12", " - drm/connector: Add \\n to message about demoting connector force-probes", " - drm/amd/display: Atom Integrated System Info v2_2 for DCN35", " - Revert \"Revert \"ACPI: CPPC: Use access_width over bit_width for system", " memory accesses\"\"", " - ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro", " - ACPI: CPPC: Fix access width used for PCC registers", " - btrfs: fix kvcalloc() arguments order in btrfs_ioctl_send()", " - firewire: nosy: ensure user_length is taken into account when fetching", " packet contents", " - Reapply \"drm/qxl: simplify qxl_fence_wait\"", " - arm64: dts: qcom: Fix 'interrupt-map' parent address cells", " - usb: typec: ucsi: Check for notifications after init", " - usb: typec: ucsi: Fix connector check on init", " - usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed", " device", " - usb: ohci: Prevent missed ohci interrupts", " - usb: gadget: composite: fix OS descriptors w_value logic", " - usb: gadget: f_fs: Fix a race condition when processing setup packets.", " - usb: xhci-plat: Don't include xhci.h", " - usb: dwc3: core: Prevent phy suspend during init", " - ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU", " - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()", " - mptcp: ensure snd_nxt is properly initialized on connect", " - dt-bindings: iio: health: maxim,max30102: fix compatible check", " - iio:imu: adis16475: Fix sync mode setting", " - iio: accel: mxc4005: Interrupt handling fixes", " - tipc: fix UAF in error path", " - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()", " - ASoC: tegra: Fix DSPK 16-bit playback", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - dyndbg: fix old BUG_ON in >control parser", " - slimbus: qcom-ngd-ctrl: Add timeout for wait operation", " - mei: me: add lunar lake point M DID", " - drm/vmwgfx: Fix invalid reads in fence signaled events", " - net: fix out-of-bounds access in ops_init", " - hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us", " - regulator: core: fix debugfs creation regression", " - Bluetooth: qca: add missing firmware sanity checks", " - Bluetooth: qca: fix NVM configuration parsing", " - Bluetooth: qca: fix firmware check error path", " - keys: Fix overwrite of key expiration on instantiation", " - md: fix kmemleak of rdev->serial", " - Linux 5.15.159", "", " * Freezing user space processes failed after 20.008 seconds (1 tasks refusing", " to freeze, wq_busy=0) (LP: #2061091)", " - ALSA: Fix deadlocks with kctl removals at disconnection", "", " * CVE-2024-27017", " - netfilter: nft_set_pipapo: constify lookup fn args where possible", " - netfilter: nft_set_pipapo: walk over current view on netlink dump", " - netfilter: nf_tables: missing iterator type in lookup walk", "", " * CVE-2024-26952", " - ksmbd: fix potencial out-of-bounds when buffer offset is invalid", "", " * CVE-2024-26886", " - Bluetooth: af_bluetooth: Fix deadlock", "", " * CVE-2023-52752", " - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()", "", " * CVE-2024-25742", " - x86/sev: Harden #VC instruction emulation somewhat", " - x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler", "", " * CVE-2024-36016", " - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()", "" ], "package": "linux", "version": "5.15.0-118.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2072255, 2070292, 2070028, 2061091 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 10:53:52 +0200" } ], "notes": "linux-headers-5.15.0-118-generic version '5.15.0-118.128' (source package linux version '5.15.0-118.128') was added. linux-headers-5.15.0-118-generic version '5.15.0-118.128' has the same source package name, linux, as removed package linux-headers-5.15.0-117. As such we can use the source package version of the removed package, '5.15.0-117.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.15.0-118-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-117.127", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-118.128", "version": "5.15.0-118.128" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-118.128", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-118.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:17:32 +0200" } ], "notes": "linux-image-5.15.0-118-generic version '5.15.0-118.128' (source package linux-signed version '5.15.0-118.128') was added. linux-image-5.15.0-118-generic version '5.15.0-118.128' has the same source package name, linux-signed, as removed package linux-image-5.15.0-117-generic. As such we can use the source package version of the removed package, '5.15.0-117.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.15.0-118-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-117.127", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-118.128", "version": "5.15.0-118.128" }, "cves": [ { "cve": "CVE-2024-27017", "url": "https://ubuntu.com/security/CVE-2024-27017", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: walk over current view on netlink dump The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26952", "url": "https://ubuntu.com/security/CVE-2024-26952", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-25742", "url": "https://ubuntu.com/security/CVE-2024-25742", "cve_description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", "cve_priority": "medium", "cve_public_date": "2024-05-17 22:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2072255, 2070292, 2070028, 2061091 ], "changes": [ { "cves": [ { "cve": "CVE-2024-27017", "url": "https://ubuntu.com/security/CVE-2024-27017", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: walk over current view on netlink dump The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26952", "url": "https://ubuntu.com/security/CVE-2024-26952", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-25742", "url": "https://ubuntu.com/security/CVE-2024-25742", "cve_description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", "cve_priority": "medium", "cve_public_date": "2024-05-17 22:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-118.128 -proposed tracker (LP: #2072255)", "", " * Jammy update: v5.15.160 upstream stable release (LP: #2070292)", " - drm/amd/display: Fix division by zero in setup_dsc_config", " - pinctrl: core: handle radix_tree_insert() errors in", " pinctrl_register_one_pin()", " - nfsd: don't allow nfsd threads to be signalled.", " - KEYS: trusted: Fix memory leak in tpm2_key_encode()", " - Revert \"selftests: mm: fix map_hugetlb failure on 64K page size systems\"", " - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access", " - net: bcmgenet: synchronize UMAC_CMD access", " - netlink: annotate lockless accesses to nlk->max_recvmsg_len", " - netlink: annotate data-races around sk->sk_err", " - KVM: x86: Clear \"has_error_code\", not \"error_code\", for RM exception", " injection", " - drm/amdgpu: Fix possible NULL dereference in", " amdgpu_ras_query_error_status_helper()", " - binder: fix max_thread type inconsistency", " - usb: typec: ucsi: displayport: Fix potential deadlock", " - serial: kgdboc: Fix NMI-safety problems from keyboard reset code", " - remoteproc: mediatek: Make sure IPI buffer fits in L2TCM", " - KEYS: trusted: Do not use WARN when encode fails", " - admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET", " - docs: kernel_include.py: Cope with docutils 0.21", " - Linux 5.15.160", "", " * Jammy update: v5.15.159 upstream stable release (LP: #2070028)", " - dmaengine: pl330: issue_pending waits until WFP state", " - dmaengine: Revert \"dmaengine: pl330: issue_pending waits until WFP state\"", " - wifi: nl80211: don't free NULL coalescing rule", " - ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf", " - ksmbd: validate request buffer size in smb2_allocate_rsp_buf()", " - ksmbd: clear RENAME_NOREPLACE before calling vfs_rename", " - eeprom: at24: Use dev_err_probe for nvmem register failure", " - eeprom: at24: Probe for DDR3 thermal sensor in the SPD case", " - eeprom: at24: fix memory corruption race condition", " - pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T", " - pinctrl/meson: fix typo in PDM's pin name", " - pinctrl: core: delete incorrect free in pinctrl_enable()", " - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback", " - pinctrl: mediatek: paris: Rework support for", " PIN_CONFIG_{INPUT,OUTPUT}_ENABLE", " - sunrpc: add a struct rpc_stats arg to rpc_create_args", " - nfs: expose /proc/net/sunrpc/nfs in net namespaces", " - nfs: make the rpc_stat per net namespace", " - nfs: Handle error of rpc_proc_register() in nfs_net_init().", " - power: rt9455: hide unused rt9455_boost_voltage_values", " - power: supply: mt6360_charger: Fix of_match for usb-otg-vbus regulator", " - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()", " - regulator: mt6360: De-capitalize devicetree regulator subnodes", " - bpf, kconfig: Fix DEBUG_INFO_BTF_MODULES Kconfig definition", " - bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue", " - bpf: Fix a verifier verbose message", " - spi: hisi-kunpeng: Delete the dump interface of data registers in debugfs", " - s390/mm: Fix storage key clearing for guest huge pages", " - s390/mm: Fix clearing storage keys for huge pages", " - xdp: Move conversion to xdp_frame out of map functions", " - xdp: Add xdp_do_redirect_frame() for pre-computed xdp_frames", " - xdp: use flags field to disambiguate broadcast redirect", " - bna: ensure the copied buf is NUL terminated", " - octeontx2-af: avoid off-by-one read from userspace", " - nsh: Restore skb->{protocol,data,mac_header} for outer header in", " nsh_gso_segment().", " - net l2tp: drop flow hash on forward", " - s390/vdso: Add CFI for RA register to asm macro vdso_func", " - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()", " - net: qede: use return from qede_parse_flow_attr() for flower", " - net: qede: use return from qede_parse_flow_attr() for flow_spec", " - net: qede: use return from qede_parse_actions()", " - ASoC: meson: axg-fifo: use FIELD helpers", " - ASoC: meson: axg-fifo: use threaded irq to check periods", " - ASoC: meson: axg-card: make links nonatomic", " - ASoC: meson: axg-tdm-interface: manage formatters in trigger", " - ASoC: meson: cards: select SND_DYNAMIC_MINORS", " - ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()", " - s390/cio: Ensure the copied buf is NUL terminated", " - cxgb4: Properly lock TX queue for the selftest.", " - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341", " - net: bridge: fix multicast-to-unicast with fraglist GSO", " - net: core: reject skb_copy(_expand) for fraglist GSO skbs", " - tipc: fix a possible memleak in tipc_buf_append", " - s390/qeth: don't keep track of Input Queue count", " - s390/qeth: Fix kernel panic after setting hsuid", " - drm/panel: ili9341: Respect deferred probe", " - drm/panel: ili9341: Use predefined error codes", " - net: gro: add flush check in udp_gro_receive_segment", " - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change", " - KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id", " - KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()", " - scsi: lpfc: Move NPIV's transport unregistration to after resource clean up", " - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic", " - scsi: lpfc: Replace hbalock with ndlp lock in lpfc_nvme_unregister_port()", " - gfs2: Fix invalid metadata access in punch_hole", " - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc", " - wifi: cfg80211: fix rdev_dump_mpp() arguments order", " - net: mark racy access on sk->sk_rcvbuf", " - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload", " - btrfs: return accurate error code on open failure in open_fs_devices()", " - kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries", " - ALSA: line6: Zero-initialize message buffers", " - net: bcmgenet: Reset RBUF on first open", " - ata: sata_gemini: Check clk_enable() result", " - firewire: ohci: mask bus reset interrupts between ISR and bottom half", " - tools/power turbostat: Fix added raw MSR output", " - tools/power turbostat: Fix Bzy_MHz documentation typo", " - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve", " - btrfs: always clear PERTRANS metadata during commit", " - scsi: target: Fix SELinux error when systemd-modules loads the target module", " - blk-iocost: avoid out of bounds shift", " - gpu: host1x: Do not setup DMA for virtual devices", " - MIPS: scall: Save thread_info.syscall unconditionally on entry", " - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior", " - iommu: mtk: fix module autoloading", " - fs/9p: only translate RWX permissions for plain 9P2000", " - fs/9p: translate O_TRUNC into OTRUNC", " - 9p: explicitly deny setlease attempts", " - gpio: wcove: Use -ENOTSUPP consistently", " - gpio: crystalcove: Use -ENOTSUPP consistently", " - clk: Don't hold prepare_lock when calling kref_put()", " - fs/9p: drop inodes immediately on non-.L too", " - drm/nouveau/dp: Don't probe eDP ports twice harder", " - net:usb:qmi_wwan: support Rolling modules", " - bpf, sockmap: TCP data stall on recv before accept", " - bpf, sockmap: Handle fin correctly", " - bpf, sockmap: Convert schedule_work into delayed_work", " - bpf, sockmap: Reschedule is now done through backlog", " - bpf, sockmap: Improved check for empty queue", " - qibfs: fix dentry leak", " - xfrm: Preserve vlan tags for transport mode software GRO", " - ARM: 9381/1: kasan: clear stale stack poison", " - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets", " - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", " - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout", " - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout", " - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation", " - hwmon: (corsair-cpro) Use a separate buffer for sending commands", " - hwmon: (corsair-cpro) Use complete_all() instead of complete() in", " ccp_raw_event()", " - hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock", " - phonet: fix rtm_phonet_notify() skb allocation", " - net: bridge: fix corrupted ethernet header on multicast-to-unicast", " - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()", " - net: hns3: PF support get unicast MAC address space assigned by firmware", " - net: hns3: using user configure after hardware reset", " - net: hns3: add log for workqueue scheduled late", " - net: hns3: add query vf ring and vector map relation", " - net: hns3: refactor function hclge_mbx_handler()", " - net: hns3: direct return when receive a unknown mailbox message", " - net: hns3: refactor hns3 makefile to support hns3_common module", " - net: hns3: create new cmdq hardware description structure hclge_comm_hw", " - net: hns3: create new set of unified hclge_comm_cmd_send APIs", " - net: hns3: refactor hclge_cmd_send with new hclge_comm_cmd_send API", " - net: hns3: change type of numa_node_mask as nodemask_t", " - net: hns3: use appropriate barrier function after setting a bit value", " - net: hns3: split function hclge_init_vlan_config()", " - net: hns3: fix port vlan filter not disabled issue", " - drm/meson: dw-hdmi: power up phy on device init", " - drm/meson: dw-hdmi: add bandgap setting for g12", " - drm/connector: Add \\n to message about demoting connector force-probes", " - drm/amd/display: Atom Integrated System Info v2_2 for DCN35", " - Revert \"Revert \"ACPI: CPPC: Use access_width over bit_width for system", " memory accesses\"\"", " - ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro", " - ACPI: CPPC: Fix access width used for PCC registers", " - btrfs: fix kvcalloc() arguments order in btrfs_ioctl_send()", " - firewire: nosy: ensure user_length is taken into account when fetching", " packet contents", " - Reapply \"drm/qxl: simplify qxl_fence_wait\"", " - arm64: dts: qcom: Fix 'interrupt-map' parent address cells", " - usb: typec: ucsi: Check for notifications after init", " - usb: typec: ucsi: Fix connector check on init", " - usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed", " device", " - usb: ohci: Prevent missed ohci interrupts", " - usb: gadget: composite: fix OS descriptors w_value logic", " - usb: gadget: f_fs: Fix a race condition when processing setup packets.", " - usb: xhci-plat: Don't include xhci.h", " - usb: dwc3: core: Prevent phy suspend during init", " - ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU", " - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()", " - mptcp: ensure snd_nxt is properly initialized on connect", " - dt-bindings: iio: health: maxim,max30102: fix compatible check", " - iio:imu: adis16475: Fix sync mode setting", " - iio: accel: mxc4005: Interrupt handling fixes", " - tipc: fix UAF in error path", " - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()", " - ASoC: tegra: Fix DSPK 16-bit playback", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - dyndbg: fix old BUG_ON in >control parser", " - slimbus: qcom-ngd-ctrl: Add timeout for wait operation", " - mei: me: add lunar lake point M DID", " - drm/vmwgfx: Fix invalid reads in fence signaled events", " - net: fix out-of-bounds access in ops_init", " - hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us", " - regulator: core: fix debugfs creation regression", " - Bluetooth: qca: add missing firmware sanity checks", " - Bluetooth: qca: fix NVM configuration parsing", " - Bluetooth: qca: fix firmware check error path", " - keys: Fix overwrite of key expiration on instantiation", " - md: fix kmemleak of rdev->serial", " - Linux 5.15.159", "", " * Freezing user space processes failed after 20.008 seconds (1 tasks refusing", " to freeze, wq_busy=0) (LP: #2061091)", " - ALSA: Fix deadlocks with kctl removals at disconnection", "", " * CVE-2024-27017", " - netfilter: nft_set_pipapo: constify lookup fn args where possible", " - netfilter: nft_set_pipapo: walk over current view on netlink dump", " - netfilter: nf_tables: missing iterator type in lookup walk", "", " * CVE-2024-26952", " - ksmbd: fix potencial out-of-bounds when buffer offset is invalid", "", " * CVE-2024-26886", " - Bluetooth: af_bluetooth: Fix deadlock", "", " * CVE-2023-52752", " - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()", "", " * CVE-2024-25742", " - x86/sev: Harden #VC instruction emulation somewhat", " - x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler", "", " * CVE-2024-36016", " - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()", "" ], "package": "linux", "version": "5.15.0-118.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2072255, 2070292, 2070028, 2061091 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 10:53:52 +0200" } ], "notes": "linux-modules-5.15.0-118-generic version '5.15.0-118.128' (source package linux version '5.15.0-118.128') was added. linux-modules-5.15.0-118-generic version '5.15.0-118.128' has the same source package name, linux, as removed package linux-headers-5.15.0-117. As such we can use the source package version of the removed package, '5.15.0-117.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-117", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-117.127", "version": "5.15.0-117.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.15.0-117-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-117.127", "version": "5.15.0-117.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-117-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-117.127", "version": "5.15.0-117.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-117-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-117.127", "version": "5.15.0-117.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20240806 to 20240808", "from_series": "jammy", "to_series": "jammy", "from_serial": "20240806", "to_serial": "20240808", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }