Vulnerabilities

To inform, warn and help professionals deal with the latest security vulnerabilities in technology systems, we provide a database, in Spanish, of all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-43006

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: reject zero-length fixed buffer import

validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory.

Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.

BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
Read of size 4 at addr ffff888002bcc254 by task poc/103
Call Trace:
io_import_reg_buf+0x697/0x7f0
io_write_fixed+0xd9/0x250
__io_issue_sqe+0xad/0x710
io_issue_sqe+0x7d/0x1100
io_submit_sqes+0x86a/0x23c0
__do_sys_io_uring_enter+0xa98/0x1590
Allocated by task 103:
The buggy address is located 12 bytes to the right of
allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
Severity CVSS v4.0: Pending analysis
Last modification: 12/05/2026

CVE-2026-42476

Publication date: 01/05/2026
Two heap-based out-of-bounds read vulnerabilities in the STL ASCII file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 exist in RWStl_Reader::ReadAscii because buffers returned by Standard_ReadLineBuffer::ReadLine() are not properly length-validated before strncasecmp or direct byte access. User-assisted attackers can trigger these issues by persuading a victim to open a crafted STL file with extremely short lines, resulting in a denial of service or possible information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification: 01/05/2026

CVE-2026-42478

Publication date: 01/05/2026
An issue in VrmlData_IndexedFaceSet::TShape in the VRML V2.0 parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because malformed VRML input can trigger dereference of a corrupt or unvalidated pointer during shape construction in libTKDEVRML.so.
Severity CVSS v4.0: Pending analysis
Last modification: 01/05/2026

CVE-2026-42479

Publication date: 01/05/2026
An out-of-bounds read vulnerability in VrmlData_IndexedLineSet::TShape in the VRML parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because coordIndex values from parsed input are used as direct array indices without validation against the size of the coordinate array during geometry processing.
Severity CVSS v4.0: Pending analysis
Last modification: 01/05/2026

CVE-2026-42477

Publication date: 01/05/2026
A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file. The issue occurs because Standard_ReadLineBuffer::ReadLine() can return a 1-byte buffer for a minimal OBJ line, and RWObj_Reader::read() calls pushIndices(aLine + 2) without validating the buffer length.
Severity CVSS v4.0: Pending analysis
Last modification: 10/05/2026

CVE-2026-31785

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/xe_pagefault: Disallow writes to read-only VMAs

The page fault handler should reject write/atomic access to read only VMAs. Add code to handle this in xe_pagefault_service after the VMA lookup.

v2:
- Apply max line length (Matthew)

(cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)
Severity CVSS v4.0: Pending analysis
Last modification: 12/05/2026

CVE-2026-31777

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Check the error for index mapping

The ctxfi driver blindly assumed a proper value returned from daio_device_index(), but it's not always true. Add a proper error check to deal with the error from the function.
Severity CVSS v4.0: Pending analysis
Last modification: 07/05/2026

CVE-2026-31779

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()

The memcpy function assumes the dynamic array notif->matches is at least as large as the number of bytes to copy. Otherwise, results->matches may contain unwanted data. To guarantee safety, extend the validation in one of the checks to ensure sufficient packet length.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-31778

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix stack out-of-bounds read in init_card

The loop creates a whitespace-stripped copy of the card shortname where `len < sizeof(card->id)` is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte.

When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with `while (*nid && ...)` and reads past the end of the stack buffer, reading the contents of the stack.

A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows:

BUG: KASAN: stack-out-of-bounds in copy_valid_id_string
sound/core/init.c:696 [inline]
BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c
sound/core/init.c:718

The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy.

Fix this by changing the loop bound to `sizeof(card->id) - 1`, ensuring at least one byte remains as the null terminator.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-31783

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback

aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-31782

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Fix potential bad container_of in intel_pmu_hw_config

Auto counter reload may have a group of events with software events present within it. The software event PMU isn't the x86_hybrid_pmu and a container_of operation in intel_pmu_set_acr_caused_constr (via the hybrid helper) could cause out of bound memory reads. Avoid this by guarding the call to intel_pmu_set_acr_caused_constr with an is_x86_event check.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-31781

Publication date: 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:

drm/ioc32: stop speculation on the drm_compat_ioctl path

The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026