Vulnerabilities

In BnAudioPolicyService::onTransact of AudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

In writeTypedArrayList and readTypedArrayList of Parcel.java, there is a possible escalation of privilege due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In ResStringPool::setTo of ResourceTypes.cpp, it's possible for an attacker to control the value of mStringPoolSize to be out of bounds, causing information disclosure.

In impeg2d_mc_fullx_fully of impeg2d_mc.c there is a possible out of bound write due to missing bounds check. This could lead to remote arbitrary code execution with no additional execution privileges needed. User interaction is needed for exploitation.

In several functions of DescramblerImpl.cpp, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In BnAudioPolicyService::onTransact of AudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: Prevent a bad reference count on CPU nodes<br /> <br /> When populating cache leaves we previously fetched the CPU device node<br /> at the very beginning. But when ACPI is enabled we go through a<br /> specific branch which returns early and does not call &amp;#39;of_node_put&amp;#39; for<br /> the node that was acquired.<br /> <br /> Since we are not using a CPU device node for the ACPI code anyways, we<br /> can simply move the initialization of it just passed the ACPI block, and<br /> we are guaranteed to have an &amp;#39;of_node_put&amp;#39; call for the acquired node.<br /> This prevents a bad reference count of the CPU device node.<br /> <br /> Moreover, the previous function did not check for errors when acquiring<br /> the device node, so a return -ENOENT has been added for that case.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()<br /> <br /> If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop<br /> of iio_gts_build_avail_scale_table(), the err_free_out will fail to call<br /> kfree() each time when i is reduced to 0, so all the per_time_scales[0]<br /> and per_time_gains[0] will not be freed, which will cause memory leaks.<br /> <br /> Fix it by checking if i &gt;= 0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rpcrdma: Always release the rpcrdma_device&amp;#39;s xa_array<br /> <br /> Dai pointed out that the xa_init_flags() in rpcrdma_add_one() needs<br /> to have a matching xa_destroy() in rpcrdma_remove_one() to release<br /> underlying memory that the xarray might have accrued during<br /> operation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/tegra: Fix NULL vs IS_ERR() check in probe()<br /> <br /> The iommu_paging_domain_alloc() function doesn&amp;#39;t return NULL pointers,<br /> it returns error pointers. Update the check to match.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/thp: fix deferred split unqueue naming and locking<br /> <br /> Recent changes are putting more pressure on THP deferred split queues:<br /> under load revealing long-standing races, causing list_del corruptions,<br /> "Bad page state"s and worse (I keep BUGs in both of those, so usually<br /> don&amp;#39;t get to see how badly they end up without). The relevant recent<br /> changes being 6.8&amp;#39;s mTHP, 6.10&amp;#39;s mTHP swapout, and 6.12&amp;#39;s mTHP swapin,<br /> improved swap allocation, and underused THP splitting.<br /> <br /> Before fixing locking: rename misleading folio_undo_large_rmappable(),<br /> which does not undo large_rmappable, to folio_unqueue_deferred_split(),<br /> which is what it does. But that and its out-of-line __callee are mm<br /> internals of very limited usability: add comment and WARN_ON_ONCEs to<br /> check usage; and return a bool to say if a deferred split was unqueued,<br /> which can then be used in WARN_ON_ONCEs around safety checks (sparing<br /> callers the arcane conditionals in __folio_unqueue_deferred_split()).<br /> <br /> Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all<br /> of whose callers now call it beforehand (and if any forget then bad_page()<br /> will tell) - except for its caller put_pages_list(), which itself no<br /> longer has any callers (and will be deleted separately).<br /> <br /> Swapout: mem_cgroup_swapout() has been resetting folio-&gt;memcg_data 0<br /> without checking and unqueueing a THP folio from deferred split list;<br /> which is unfortunate, since the split_queue_lock depends on the memcg<br /> (when memcg is enabled); so swapout has been unqueueing such THPs later,<br /> when freeing the folio, using the pgdat&amp;#39;s lock instead: potentially<br /> corrupting the memcg&amp;#39;s list. __remove_mapping() has frozen refcount to 0<br /> here, so no problem with calling folio_unqueue_deferred_split() before<br /> resetting memcg_data.<br /> <br /> That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split<br /> shrinker memcg aware"): which included a check on swapcache before adding<br /> to deferred queue, but no check on deferred queue before adding THP to<br /> swapcache. That worked fine with the usual sequence of events in reclaim<br /> (though there were a couple of rare ways in which a THP on deferred queue<br /> could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split<br /> underused THPs") avoids splitting underused THPs in reclaim, which makes<br /> swapcache THPs on deferred queue commonplace.<br /> <br /> Keep the check on swapcache before adding to deferred queue? Yes: it is<br /> no longer essential, but preserves the existing behaviour, and is likely<br /> to be a worthwhile optimization (vmstat showed much more traffic on the<br /> queue under swapping load if the check was removed); update its comment.<br /> <br /> Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing<br /> folio-&gt;memcg_data without checking and unqueueing a THP folio from the<br /> deferred list, sometimes corrupting "from" memcg&amp;#39;s list, like swapout. <br /> Refcount is non-zero here, so folio_unqueue_deferred_split() can only be<br /> used in a WARN_ON_ONCE to validate the fix, which must be done earlier:<br /> mem_cgroup_move_charge_pte_range() first try to split the THP (splitting<br /> of course unqueues), or skip it if that fails. Not ideal, but moving<br /> charge has been requested, and khugepaged should repair the THP later:<br /> nobody wants new custom unqueueing code just for this deprecated case.<br /> <br /> The 87eaceb3faa5 commit did have the code to move from one deferred list<br /> to another (but was not conscious of its unsafety while refcount non-0);<br /> but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don&amp;#39;t need care<br /> deferred split queue in memcg charge move path"), which argued that the<br /> existence of a PMD mapping guarantees that the THP cannot be on a deferred<br /> list. As above, false in rare cases, and now commonly false.<br /> <br /> Backport to 6.11 should be straightforward. Earlier backports must take<br /> care that other _deferred_list fixes and dependencies are included. There<br /> is not a strong case for backports, but they can fix cornercases.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panthor: Lock XArray when getting entries for the VM<br /> <br /> Similar to commit cac075706f29 ("drm/panthor: Fix race when converting<br /> group handle to group object") we need to use the XArray&amp;#39;s internal<br /> locking when retrieving a vm pointer from there.<br /> <br /> v2: Removed part of the patch that was trying to protect fetching<br /> the heap pointer from XArray, as that operation is protected by<br /> the @pool-&gt;lock.