Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: cadence-quadspi: fix unclocked access on unbind<br /> <br /> Make sure that the controller is runtime resumed before disabling it<br /> during driver unbind to avoid an unclocked register access.<br /> <br /> This issue was flagged by Sashiko when reviewing a controller<br /> deregistration fix.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: validate dacloffset before building DACL pointers<br /> <br /> parse_sec_desc(), build_sec_desc(), and the chown path in<br /> id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd<br /> before proving a DACL header fits inside the returned security<br /> descriptor.<br /> <br /> On 32-bit builds a malicious server can return dacloffset near<br /> U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip<br /> past the later pointer-based bounds checks. build_sec_desc() and<br /> id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped<br /> pointer in the chmod/chown rewrite paths.<br /> <br /> Validate dacloffset numerically before building any DACL pointer and<br /> reuse the same helper at the three DACL entry points.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: validate SVM ioctl nattr against buffer size<br /> <br /> Validate nattr field against the buffer size, preventing<br /> out-of-bounds buffer access via user-controlled attribute count.<br /> <br /> (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: fix integer overflow on buff_pos<br /> <br /> Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size<br /> check is done using the int type in batadv_iv_ogm_aggr_packet whereas the<br /> buff_pos variable uses the s16 type. This could lead to an out-of-bound<br /> read.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg<br /> <br /> Check bounds against the end of the BO whenever we access the msg.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()<br /> <br /> When xe_dma_buf_init_obj() fails, the attachment from<br /> dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before<br /> returning the error. Note: we cannot use goto out_err here because<br /> xe_dma_buf_init_obj() already frees bo on failure, and out_err would<br /> double-free it.<br /> <br /> (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sound: ua101: fix division by zero at probe<br /> <br /> Add a missing sanity check for bNrChannels in detect_usb_format()<br /> to prevent a division by zero in playback_urb_complete() and<br /> capture_urb_complete().<br /> <br /> USB core does not validate class-specific descriptor fields such<br /> as bNrChannels, so drivers must verify them before use. If a<br /> device provides bNrChannels = 0, frame_bytes becomes zero and is<br /> later used as a divisor in the URB completion handlers, leading<br /> to a kernel crash.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: virtio_bt: validate rx pkt_type header length<br /> <br /> virtbt_rx_handle() reads the leading pkt_type byte from the RX skb<br /> and forwards the remainder to hci_recv_frame() for every<br /> event/ACL/SCO/ISO type, without checking that the remaining payload<br /> is at least the fixed HCI header for that type.<br /> <br /> After the preceding patch bounds the backend-supplied used.len to<br /> [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches<br /> hci_recv_frame() with skb-&gt;len already pulled to 0. If the byte<br /> happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification<br /> fast-path in hci_dev_classify_pkt_type() dereferences<br /> hci_acl_hdr(skb)-&gt;handle whenever the HCI device has an active<br /> CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of<br /> uninitialized RX-buffer data. The same hazard exists for every<br /> packet type the driver accepts because none of the switch cases in<br /> virtbt_rx_handle() check skb-&gt;len against the per-type minimum HCI<br /> header size before handing the frame to the core.<br /> <br /> After stripping pkt_type, require skb-&gt;len to cover the fixed<br /> header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)<br /> before calling hci_recv_frame(); drop ratelimited otherwise.<br /> Unknown pkt_type values still take the original kfree_skb() default<br /> path.<br /> <br /> Use bt_dev_err_ratelimited() because both the length and pkt_type<br /> values come from an untrusted backend that can otherwise flood the<br /> kernel log.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rsi: fix kthread lifetime race between self-exit and external-stop<br /> <br /> RSI driver use both self-exit(kthread_complete_and_exit) and external-stop<br /> (kthread_stop) when killing a kthread. Generally, kthread_stop() is called<br /> first, and in this case, no particular issues occur.<br /> <br /> However, in rare instances where kthread_complete_and_exit() is called<br /> first and then kthread_stop() is called, a UAF occurs because the kthread<br /> object, which has already exited and been freed, is accessed again.<br /> <br /> Therefore, to prevent this with minimal modification, you must remove<br /> kthread_stop() and change the code to wait until the self-exit operation<br /> is completed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeon_ep_vf: add NULL check for napi_build_skb()<br /> <br /> napi_build_skb() can return NULL on allocation failure. In<br /> __octep_vf_oq_process_rx(), the result is used directly without a NULL<br /> check in both the single-buffer and multi-fragment paths, leading to a<br /> NULL pointer dereference.<br /> <br /> Add NULL checks after both napi_build_skb() calls, properly advancing<br /> descriptors and consuming remaining fragments on failure.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path<br /> <br /> Sashiko points out that pvrdma_uar_free() is already called within<br /> pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbcon: Avoid OOB font access if console rotation fails<br /> <br /> Clear the font buffer if the reallocation during console rotation fails<br /> in fbcon_rotate_font(). The putcs implementations for the rotated buffer<br /> will return early in this case. See [1] for an example.<br /> <br /> Currently, fbcon_rotate_font() keeps the old buffer, which is too small<br /> for the rotated font. Printing to the rotated console with a high-enough<br /> character code will overflow the font buffer.<br /> <br /> v2:<br /> - fix typos in commit message