Vulnerabilities

A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file. The issue occurs because Standard_ReadLineBuffer::ReadLine() can return a 1-byte buffer for a minimal OBJ line, and RWObj_Reader::read() calls pushIndices(aLine + 2) without validating the buffer length.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/xe_pagefault: Disallow writes to read-only VMAs<br /> <br /> The page fault handler should reject write/atomic access to read only<br /> VMAs. Add code to handle this in xe_pagefault_service after the VMA<br /> lookup.<br /> <br /> v2:<br /> - Apply max line length (Matthew)<br /> <br /> (cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: ctxfi: Check the error for index mapping<br /> <br /> The ctxfi driver blindly assumed a proper value returned from<br /> daio_device_index(), but it&amp;#39;s not always true. Add a proper error<br /> check to deal with the error from the function.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()<br /> <br /> The memcpy function assumes the dynamic array notif-&gt;matches is at least<br /> as large as the number of bytes to copy. Otherwise, results-&gt;matches may<br /> contain unwanted data. To guarantee safety, extend the validation in one<br /> of the checks to ensure sufficient packet length.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: caiaq: fix stack out-of-bounds read in init_card<br /> <br /> The loop creates a whitespace-stripped copy of the card shortname<br /> where `len id)` is used for the bounds check. Since<br /> sizeof(card-&gt;id) is 16 and the local id buffer is also 16 bytes,<br /> writing 16 non-space characters fills the entire buffer,<br /> overwriting the terminating nullbyte.<br /> <br /> When this non-null-terminated string is later passed to<br /> snd_card_set_id() -&gt; copy_valid_id_string(), the function scans<br /> forward with `while (*nid &amp;&amp; ...)` and reads past the end of the<br /> stack buffer, reading the contents of the stack.<br /> <br /> A USB device with a product name containing many non-ASCII, non-space<br /> characters (e.g. multibyte UTF-8) will reliably trigger this as follows:<br /> <br /> BUG: KASAN: stack-out-of-bounds in copy_valid_id_string<br /> sound/core/init.c:696 [inline]<br /> BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c<br /> sound/core/init.c:718<br /> <br /> The off-by-one has been present since commit bafeee5b1f8d ("ALSA:<br /> snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),<br /> which first introduced this whitespace-stripping loop. The original<br /> code never accounted for the null terminator when bounding the copy.<br /> <br /> Fix this by changing the loop bound to `sizeof(card-&gt;id) - 1`,<br /> ensuring at least one byte remains as the null terminator.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback<br /> <br /> aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was<br /> missing from both probe unwind and remove-time cleanup. Add a devm cleanup<br /> action after successful registration so<br /> nand_ecc_unregister_on_host_hw_engine() runs automatically on probe<br /> failures and during device removal.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/x86: Fix potential bad container_of in intel_pmu_hw_config<br /> <br /> Auto counter reload may have a group of events with software events<br /> present within it. The software event PMU isn&amp;#39;t the x86_hybrid_pmu and<br /> a container_of operation in intel_pmu_set_acr_caused_constr (via the<br /> hybrid helper) could cause out of bound memory reads. Avoid this by<br /> guarding the call to intel_pmu_set_acr_caused_constr with an<br /> is_x86_event check.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ioc32: stop speculation on the drm_compat_ioctl path<br /> <br /> The drm compat ioctl path takes a user controlled pointer, and then<br /> dereferences it into a table of function pointers, the signature method<br /> of spectre problems. Fix this up by calling array_index_nospec() on the<br /> index to the function pointer list.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation<br /> <br /> The variable valuesize is declared as u8 but accumulates the total<br /> length of all SSIDs to scan. Each SSID contributes up to 33 bytes<br /> (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)<br /> SSIDs the total can reach 330, which wraps around to 74 when stored<br /> in a u8.<br /> <br /> This causes kmalloc to allocate only 75 bytes while the subsequent<br /> memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte<br /> heap buffer overflow.<br /> <br /> Widen valuesize from u8 to u32 to accommodate the full range.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/pxp: Clear restart flag in pxp_start after jumping back<br /> <br /> If we don&amp;#39;t clear the flag we&amp;#39;ll keep jumping back at the beginning of<br /> the function once we reach the end.<br /> <br /> (cherry picked from commit 0850ec7bb2459602351639dccf7a68a03c9d1ee0)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: ctxfi: Fix missing SPDIFI1 index handling<br /> <br /> SPDIF1 DAIO type isn&amp;#39;t properly handled in daio_device_index() for<br /> hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds<br /> array access. Follow the hw20k1 pattern and return the proper index<br /> for this type, too.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: ctxfi: Don&amp;#39;t enumerate SPDIF1 at DAIO initialization<br /> <br /> The recent refactoring of xfi driver changed the assignment of<br /> atc-&gt;daios[] at atc_get_resources(); now it loops over all enum<br /> DAIOTYP entries while it looped formerly only a part of them.<br /> The problem is that the last entry, SPDIF1, is a special type that<br /> is used only for hw20k1 CTSB073X model (as a replacement of SPDIFIO),<br /> and there is no corresponding definition for hw20k2. Due to the lack<br /> of the info, it caused a kernel crash on hw20k2, which was already<br /> worked around by the commit b045ab3dff97 ("ALSA: ctxfi: Fix missing<br /> SPDIFI1 index handling").<br /> <br /> This patch addresses the root cause of the regression above properly,<br /> simply by skipping the incorrect SPDIF1 type in the parser loop.<br /> <br /> For making the change clearer, the code is slightly arranged, too.