**RESERVED** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Fix crash in timerlat_dump_stack()

We have observed kernel panics when using timerlat with stack saving, with the following dmesg output:

    memcpy: detected buffer overflow: 88 byte write of buffer size 0
    WARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0
    CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy)
    Call Trace:
     <TASK>
     ? trace_buffer_lock_reserve+0x2a/0x60
     __fortify_panic+0xd/0xf
     __timerlat_dump_stack.cold+0xd/0xd
     timerlat_dump_stack.part.0+0x47/0x80
     timerlat_fd_read+0x36d/0x390
     vfs_read+0xe2/0x390
     ? syscall_exit_to_user_mode+0x1d5/0x210
     ksys_read+0x73/0xe0
     do_syscall_64+0x7b/0x160
     ? exc_page_fault+0x7e/0x1a0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

__timerlat_dump_stack() constructs the ftrace stack entry like this:

    struct stack_entry *entry;
    ...
    memcpy(&entry->caller, fstack->calls, size);
    entry->size = fstack->nr_entries;

Since commit e7186af7fb26 ("tracing: Add back FORTIFY_SOURCE logic to kernel_stack event structure"), struct stack_entry marks its caller field with __counted_by(size). At the time of the memcpy, entry->size contains garbage from the ringbuffer, which under some circumstances is zero, triggering a kernel panic by buffer overflow.

Populate the size field before the memcpy so that the out-of-bounds check knows the correct size. This is analogous to __ftrace_trace_stack().
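The ordering problem described above, as an added userspace model (not the kernel's code and not part of the original advisory). The names `stack_entry_model`, `counted_memcpy`, `reserve_slot`, `dump_stack_buggy` and `dump_stack_fixed` are hypothetical, and the bounds check is written out by hand to stand in for what FORTIFY_SOURCE derives from `__counted_by(size)`.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct stack_entry: a count field plus the flexible array
 * that the count is declared to bound. */
struct stack_entry_model {
    int size;                 /* number of valid entries in caller[] */
    unsigned long caller[];   /* conceptually __counted_by(size) */
};

/* Constructed sample: 11 return addresses (88 bytes on LP64, as in the log). */
static const unsigned long sample_calls[11] = {
    0x1001, 0x1002, 0x1003, 0x1004, 0x1005, 0x1006,
    0x1007, 0x1008, 0x1009, 0x100a, 0x100b
};

/* Models the fortified memcpy: destination capacity comes from the count
 * field as it is at the time of the call, not from the allocation size.
 * Returns 0 on success, -1 where the kernel would reach __fortify_panic(). */
static int counted_memcpy(struct stack_entry_model *e,
                          const unsigned long *src, size_t bytes)
{
    size_t cap = e->size > 0 ? (size_t)e->size * sizeof(e->caller[0]) : 0;

    if (bytes > cap)
        return -1;
    memcpy(e->caller, src, bytes);
    return 0;
}

/* Models a reserved ring-buffer slot: large enough for nr entries, but the
 * header still holds whatever a previous event left there (stale_size). */
static struct stack_entry_model *reserve_slot(size_t nr, int stale_size)
{
    struct stack_entry_model *e = malloc(sizeof(*e) + nr * sizeof(unsigned long));

    if (e)
        e->size = stale_size;
    return e;
}

/* Pre-fix ordering: copy first, set the count afterwards. */
int dump_stack_buggy(const unsigned long *calls, int nr, int stale_size)
{
    struct stack_entry_model *e = reserve_slot((size_t)nr, stale_size);
    int rc;

    if (!e)
        return -2;
    rc = counted_memcpy(e, calls, (size_t)nr * sizeof(*calls));
    e->size = nr;             /* too late: the check has already run */
    free(e);
    return rc;
}

/* Fixed ordering: populate the count, then copy. */
int dump_stack_fixed(const unsigned long *calls, int nr, int stale_size)
{
    struct stack_entry_model *e = reserve_slot((size_t)nr, stale_size);
    int rc;

    if (!e)
        return -2;
    e->size = nr;             /* the check now sees the real capacity */
    rc = counted_memcpy(e, calls, (size_t)nr * sizeof(*calls));
    free(e);
    return rc;
}

int main(void)
{
    printf("buggy, stale size 0:  %d\n", dump_stack_buggy(sample_calls, 11, 0));
    printf("buggy, stale size 64: %d\n", dump_stack_buggy(sample_calls, 11, 64));
    printf("fixed, stale size 0:  %d\n", dump_stack_fixed(sample_calls, 11, 0));
    return 0;
}
```

The second call shows why the crash is intermittent: when the stale value happens to be large enough, the pre-fix ordering passes the check unnoticed.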
A vulnerability classified as critical has been found in Linux Kernel up to 6.6.99/6.12.39/6.15.7 (Operating System). CWE is classifying the issue as CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. This is going to have an impact on availability. Upgrading to version 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 823d798900481875ba6c68217af028c5ffd2976b/7bb9ea515cda027c9e717e27fefcf34f092e7c41/fbf90f5aa7ac7cddc69148a71d58f12c8709ce2b/85a3bce695b361d85fc528e6fbb33e4c8089c806 also eliminates this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is to upgrade to the latest version.