Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-48976

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable_offload: fix using __this_cpu_add in preemptible

flow_offload_queue_work() can be called in workqueue without bh disabled, like the call trace showed in my act_ct testing, calling NF_FLOW_TABLE_STAT_INC() there would cause a call trace:

    BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560
    caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
    Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]
    Call Trace:
    dump_stack_lvl+0x33/0x46
    check_preemption_disabled+0xc3/0xf0
    flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
    nf_flow_table_iterate+0x138/0x170 [nf_flow_table]
    nf_flow_table_free+0x140/0x1a0 [nf_flow_table]
    tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]
    process_one_work+0x6a3/0x1030
    worker_thread+0x8a/0xdf0

This patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC() instead in flow_offload_queue_work().

Note that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(), it may not be called in preemptible path, but it's good to use NF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in flow_offload_queue_work().

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48977

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

can: af_can: fix NULL pointer dereference in can_rcv_filter

Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer dereference in can_rx_register()") we need to check for a missing initialization of ml_priv in the receive path of CAN frames.

Since commit 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device") the check for dev->type to be ARPHRD_CAN is not sufficient anymore since bonding or tun netdevices claim to be CAN devices but do not initialize ml_priv accordingly.

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48978

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

HID: core: fix shift-out-of-bounds in hid_report_raw_event

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

    microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
    ======================================================================
    UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
    shift exponent 127 is too large for 32-bit type 'int'
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
    Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Call Trace:
    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
    ubsan_epilogue lib/ubsan.c:151 [inline]
    __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
    snto32 drivers/hid/hid-core.c:1323 [inline]
    hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
    hid_process_report drivers/hid/hid-core.c:1665 [inline]
    hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
    hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
    hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
    __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
    dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
    call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
    expire_timers kernel/time/timer.c:1519 [inline]
    __run_timers+0x76a/0x980 kernel/time/timer.c:1790
    run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
    __do_softirq+0x277/0x75b kernel/softirq.c:571
    __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
    irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
    sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
    ======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(), shift exponent will be too large for 32-bit type 'int', resulting in a shift-out-of-bounds bug.

Fix this by adding a check on the size of the integer (unsigned n) in snto32(). To add support for n greater than 32 bits, set n to 32, if n is greater than 32.

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48979

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix array index out of bound error in DCN32 DML

[Why&How]
LinkCapacitySupport array is indexed with the number of voltage states and not the number of max DPPs. Fix the error by changing the array declaration to use the correct (larger) array size of total number of voltage states.

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48962

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

net: hisilicon: Fix potential use-after-free in hisi_femac_rx()

The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free.

Severity CVSS v4.0: Pending analysis
Last modification: 24/10/2024

CVE-2022-48963

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: iosm: fix memory leak in ipc_mux_init()

When failed to alloc ipc_mux->ul_adb.pp_qlt in ipc_mux_init(), ipc_mux is not released.

Severity CVSS v4.0: Pending analysis
Last modification: 24/10/2024

CVE-2022-48964

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

ravb: Fix potential use-after-free in ravb_rx_gbeth()

The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free.

Severity CVSS v4.0: Pending analysis
Last modification: 24/10/2024

CVE-2022-48965

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()

The node returned by of_get_parent() with refcount incremented, of_node_put() needs to be called when finished using it. So add it in the end of of_pinctrl_get().

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48966

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

net: mvneta: Prevent out of bounds read in mvneta_config_rss()

The pp->indir[0] value comes from the user. It is passed to:

    if (cpu_online(pp->rxq_def))

inside the mvneta_percpu_elect() function. It needs bounds checking to ensure that it is not beyond the end of the cpu bitmap.

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48967

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

NFC: nci: Bounds check struct nfc_target arrays

While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:

    memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)

This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks.

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48968

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: Fix potential memory leak in otx2_init_tc()

In otx2_init_tc(), if rhashtable_init() failed, it does not free tc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap().

Severity CVSS v4.0: Pending analysis
Last modification: 25/10/2024

CVE-2022-48957

Publication date: 21/10/2024

In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()

The cmd_buff needs to be freed when error happened in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().

Severity CVSS v4.0: Pending analysis
Last modification: 24/10/2024