Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-31646

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()

page_pool_create() can return an ERR_PTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(), which dereferences it, causing a kernel oops.

Add an IS_ERR check after page_pool_create() to return early on failure.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31627

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

i2c: s3c24xx: check the size of the SMBUS message before using it

The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it.

This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31628

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

x86/CPU: Fix FPDSS on Zen1

Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread.

Fix that with a chicken bit.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31629

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: add missing return after LLCP_CLOSED checks

In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free.

Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31630

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: proc: size address buffers for %pISpc output

The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc".

That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap().

As a result, a case such as

[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535

is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c.

Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().

Changes since v1:
- correct the changelog to cite the actual maximum current-tree case explicitly
- frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31631

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()

Fix rxgk_do_verify_authenticator() to check the buffer size before checking the nonce.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31632

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix leak of rxgk context in rxgk_verify_response()

Fix rxgk_verify_response() to clean up the rxgk context it creates.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31633

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix integer overflow in rxgk_verify_response()

In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check to be bypassed.

Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet).
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31634

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix reference count leak in rxrpc_server_keyring()

This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31635

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix oversized RESPONSE authenticator length check

rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len).

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
Call Trace:
  skb_to_sgvec() [net/core/skbuff.c:5305]
  rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
  rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
  rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
  process_one_work() [kernel/workqueue.c:3281]
  worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
  kthread() [kernel/kthread.c:436]
  ret_from_fork() [arch/x86/kernel/process.c:164]

Reject authenticator lengths that exceed the remaining packet payload.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31636

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix RESPONSE authenticator parser OOB read

rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer.

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
Call Trace:
  dump_stack_lvl() [lib/dump_stack.c:123]
  print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
  kasan_report() [mm/kasan/report.c:597]
  rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274]
  rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
  process_one_work() [kernel/workqueue.c:3281]
  worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
  kthread() [kernel/kthread.c:436]
  ret_from_fork() [arch/x86/kernel/process.c:164]

Allocated by task 54:
  rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274]
  rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]

Convert the byte count to __be32 units before constructing the parser limit.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-31618

Publication date:
24/04/2026
In the Linux kernel, the following vulnerability has been resolved:

fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO

Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026