Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: set the cipher for secured NDP ranging<br /> <br /> The cipher pointer is not set, but is derefereced trying to set its<br /> content, which leads to a NULL pointer dereference.<br /> Fix it by pointing to the cipher parameter before dereferencing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powercap: intel_rapl: Fix off by one in get_rpi()<br /> <br /> The rp-&gt;priv-&gt;rpi array is either rpi_msr or rpi_tpmi which have<br /> NR_RAPL_PRIMITIVES number of elements. Thus the &gt; needs to be &gt;=<br /> to prevent an off by one access.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix helper writes to read-only maps<br /> <br /> Lonial found an issue that despite user- and BPF-side frozen BPF map<br /> (like in case of .rodata), it was still possible to write into it from<br /> a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}<br /> as arguments.<br /> <br /> In check_func_arg() when the argument is as mentioned, the meta-&gt;raw_mode<br /> is never set. Later, check_helper_mem_access(), under the case of<br /> PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the<br /> subsequent call to check_map_access_type() and given the BPF map is<br /> read-only it succeeds.<br /> <br /> The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT<br /> when results are written into them as opposed to read out of them. The<br /> latter indicates that it&amp;#39;s okay to pass a pointer to uninitialized memory<br /> as the memory is written to anyway.<br /> <br /> However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM<br /> just with additional alignment requirement. So it is better to just get<br /> rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the<br /> fixed size memory types. For this, add MEM_ALIGNED to additionally ensure<br /> alignment given these helpers write directly into the args via * = val.<br /> The .arg*_size has been initialized reflecting the actual sizeof(*).<br /> <br /> MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated<br /> argument types, since in !MEM_FIXED_SIZE cases the verifier does not know<br /> the buffer size a priori and therefore cannot blindly write * = val.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: arm_scmi: Fix double free in OPTEE transport<br /> <br /> Channels can be shared between protocols, avoid freeing the same channel<br /> descriptors twice when unloading the stack.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block, bfq: fix uaf for accessing waker_bfqq after splitting<br /> <br /> After commit 42c306ed7233 ("block, bfq: don&amp;#39;t break merge chain in<br /> bfq_split_bfqq()"), if the current procress is the last holder of bfqq,<br /> the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and<br /> then access bfqq-&gt;waker_bfqq may trigger UAF. What&amp;#39;s more, the waker_bfqq<br /> may in the merge chain of bfqq, hence just recored waker_bfqq is still<br /> not safe.<br /> <br /> Fix the problem by adding a helper bfq_waker_bfqq() to check if<br /> bfqq-&gt;waker_bfqq is in the merge chain, and current procress is the only<br /> holder.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nbd: fix race between timeout and normal completion<br /> <br /> If request timetout is handled by nbd_requeue_cmd(), normal completion<br /> has to be stopped for avoiding to complete this requeued request, other<br /> use-after-free can be triggered.<br /> <br /> Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime<br /> make sure that cmd-&gt;lock is grabbed for clearing the flag and the<br /> requeue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/sgx: Fix deadlock in SGX NUMA node search<br /> <br /> When the current node doesn&amp;#39;t have an EPC section configured by firmware<br /> and all other EPC sections are used up, CPU can get stuck inside the<br /> while loop that looks for an available EPC page from remote nodes<br /> indefinitely, leading to a soft lockup. Note how nid_of_current will<br /> never be equal to nid in that while loop because nid_of_current is not<br /> set in sgx_numa_mask.<br /> <br /> Also worth mentioning is that it&amp;#39;s perfectly fine for the firmware not<br /> to setup an EPC section on a node. While setting up an EPC section on<br /> each node can enhance performance, it is not a requirement for<br /> functionality.<br /> <br /> Rework the loop to start and end on *a* node that has SGX memory. This<br /> avoids the deadlock looking for the current SGX-lacking node to show up<br /> in the loop when it never will.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption<br /> <br /> The TPM event log table is a Linux specific construct, where the data<br /> produced by the GetEventLog() boot service is cached in memory, and<br /> passed on to the OS using an EFI configuration table.<br /> <br /> The use of EFI_LOADER_DATA here results in the region being left<br /> unreserved in the E820 memory map constructed by the EFI stub, and this<br /> is the memory description that is passed on to the incoming kernel by<br /> kexec, which is therefore unaware that the region should be reserved.<br /> <br /> Even though the utility of the TPM2 event log after a kexec is<br /> questionable, any corruption might send the parsing code off into the<br /> weeds and crash the kernel. So let&amp;#39;s use EFI_ACPI_RECLAIM_MEMORY<br /> instead, which is always treated as reserved by the E820 conversion<br /> logic.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to check atomic_file in f2fs ioctl interfaces<br /> <br /> Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(),<br /> f2fs_move_file_range(), and f2fs_defragment_range() missed to<br /> check atomic_write status, which may cause potential race issue,<br /> fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: sysfs: validate return type of _STR method<br /> <br /> Only buffer objects are valid return values of _STR.<br /> <br /> If something else is returned description_show() will access invalid<br /> memory.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Fix H264 stateless decoder smatch warning<br /> <br /> Fix a smatch static checker warning on vdec_h264_req_if.c.<br /> Which leads to a kernel crash when fb is NULL.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.