Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-46746

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

HID: amd_sfh: free driver_data after destroying hid device

HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks.

I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output:

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46747

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46750

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

PCI: Add missing bridge lock to pci_bus_lock()

One of the true positives that the cfg_access_lock lockdep effort identified is this sequence:

  WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70
  RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70
  Call Trace:
   ? __warn+0x8c/0x190
   ? pci_bridge_secondary_bus_reset+0x5d/0x70
   ? report_bug+0x1f8/0x200
   ? handle_bug+0x3c/0x70
   ? exc_invalid_op+0x18/0x70
   ? asm_exc_invalid_op+0x1a/0x20
   ? pci_bridge_secondary_bus_reset+0x5d/0x70
   pci_reset_bus+0x1d8/0x270
   vmd_probe+0x778/0xa10
   pci_device_probe+0x95/0x120

Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself.

For the same motivation as adding:

  bridge = pci_upstream_bridge(dev);
  if (bridge)
    pci_dev_lock(bridge);

to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock().

[bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46734

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between direct IO write and fsync when using same fd

If we have 2 threads that are using the same file descriptor and one of them is doing direct IO writes while the other is doing fsync, we have a race where we can end up either:

1) Attempt a fsync without holding the inode's lock, triggering an assertion failure when assertions are enabled;

2) Do an invalid memory access from the fsync task because the file private points to memory allocated on stack by the direct IO task and it may be used by the fsync task after the stack was destroyed.

The race happens like this:

1) A user space program opens a file descriptor with O_DIRECT;

2) The program spawns 2 threads using libpthread for example;

3) One of the threads uses the file descriptor to do direct IO writes, while the other calls fsync using the same file descriptor.

4) Call task A the thread doing direct IO writes and task B the thread doing fsyncs;

5) Task A does a direct IO write, and at btrfs_direct_write() sets the file's private to an on stack allocated private with the member 'fsync_skip_inode_lock' set to true;

6) Task B enters btrfs_sync_file() and sees that there's a private structure associated to the file which has 'fsync_skip_inode_lock' set to true, so it skips locking the inode's VFS lock;

7) Task A completes the direct IO write, and resets the file's private to NULL since it had no prior private and our private was stack allocated. Then it unlocks the inode's VFS lock;

8) Task B enters btrfs_get_ordered_extents_for_logging(), then the assertion that checks the inode's VFS lock is held fails, since task B never locked it and task A has already unlocked it.

The stack trace produced is the following:

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46730

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Ensure array index tg_inst won't be -1

[WHY & HOW]
tg_inst will be negative if timing_generator_count equals 0, which should be checked before use.

This fixes 2 OVERRUN issues reported by Coverity.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2024

CVE-2024-47001

Publication date:
18/09/2024
Hidden functionality issue in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-8969

Publication date:
18/09/2024
OMFLOW from The SYSCOM Group has a vulnerability involving the exposure of sensitive data. This allows remote attackers who have logged into the system to obtain password hashes of all users and administrators.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-46733

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix qgroup reserve leaks in cow_file_range

In the buffered write path, the dirty page owns the qgroup reserve until it creates an ordered_extent.

Therefore, any errors that occur before the ordered_extent is created must free that reservation, or else the space is leaked. The fstest generic/475 exercises various IO error paths, and is able to trigger errors in cow_file_range where we fail to get to allocating the ordered extent. Note that because we *do* clear delalloc, we are likely to remove the inode from the delalloc list, so the inodes/pages do not have invalidate/launder called on them in the commit abort path.

This results in failures at the unmount stage of the test that look like:

Cases 2 and 3 in the out_reserve path both pertain to this type of leak and must free the reserved qgroup data. Because it is already an error path, I opted not to handle the possible errors in btrfs_free_qgroup_data.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46731

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fix the Out-of-bounds read warning

Using index i - 1U may go beyond the element index for mc_data[] when i = 0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46732

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Assign linear_pitch_alignment even for VM

[Description]
Assign linear_pitch_alignment so we don't cause a divide by 0 error in VM environments.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-43778

Publication date:
18/09/2024
OS command injection vulnerability in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-46718

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Don't overmap identity VRAM mapping

Overmapping the identity VRAM mapping is triggering hardware bugs on certain platforms. Use 2M pages for the last unaligned (to 1G) VRAM chunk.

v2:
- Always use 2M pages for last chunk (Fei Yang)
- break loop when 2M pages are used
- Add assert for usable_size being 2M aligned

v3:
- Fix checkpatch
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025