Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: usbtmc: Fix direction for 0-length ioctl control messages<br /> <br /> The syzbot fuzzer found a problem in the usbtmc driver: When a user<br /> submits an ioctl for a 0-length control transfer, the driver does not<br /> check that the direction is set to OUT:<br /> <br /> ------------[ cut here ]------------<br /> usb 3-1: BOGUS control dir, pipe 80000b80 doesn&amp;#39;t match bRequestType fd<br /> WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411<br /> Modules linked in:<br /> CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023<br /> RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411<br /> Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41<br /> RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000<br /> RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001<br /> RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528<br /> R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100<br /> FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58<br /> usb_internal_control_msg drivers/usb/core/message.c:102 [inline]<br /> usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153<br /> usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]<br /> usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097<br /> <br /> To fix this, we must override the direction in the bRequestType field<br /> of the control request structure when the length is 0.

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF<br /> <br /> After a call to console_unlock() in vcs_write() the vc_data struct can be<br /> freed by vc_port_destruct(). Because of that, the struct vc_data pointer<br /> must be reloaded in the while loop in vcs_write() after console_lock() to<br /> avoid a UAF when vcs_size() is called.<br /> <br /> Syzkaller reported a UAF in vcs_size().<br /> <br /> BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)<br /> Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119<br /> <br /> Call Trace:<br /> <br /> __asan_report_load4_noabort (mm/kasan/report_generic.c:380)<br /> vcs_size (drivers/tty/vt/vc_screen.c:215)<br /> vcs_write (drivers/tty/vt/vc_screen.c:664)<br /> vfs_write (fs/read_write.c:582 fs/read_write.c:564)<br /> ...<br /> <br /> <br /> Allocated by task 1213:<br /> kmalloc_trace (mm/slab_common.c:1064)<br /> vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680<br /> drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)<br /> con_install (drivers/tty/vt/vt.c:3334)<br /> tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415<br /> drivers/tty/tty_io.c:1392)<br /> tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)<br /> chrdev_open (fs/char_dev.c:415)<br /> do_dentry_open (fs/open.c:921)<br /> vfs_open (fs/open.c:1052)<br /> ...<br /> <br /> Freed by task 4116:<br /> kfree (mm/slab_common.c:1016)<br /> vc_port_destruct (drivers/tty/vt/vt.c:1044)<br /> tty_port_destructor (drivers/tty/tty_port.c:296)<br /> tty_port_put (drivers/tty/tty_port.c:312)<br /> vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))<br /> vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)<br /> tty_ioctl (drivers/tty/tty_io.c:2778)<br /> ...<br /> <br /> The buggy address belongs to the object at ffff8880beab8800<br /> which belongs to the cache kmalloc-1k of size 1024<br /> The buggy address is located 424 bytes inside of<br /> freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)<br /> <br /> The buggy address belongs to the physical page:<br /> page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000<br /> index:0x0 pfn:0xbeab8<br /> head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0<br /> pincount:0<br /> flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)<br /> page_type: 0xffffffff()<br /> raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002<br /> raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt;ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================<br /> Disabling lock debugging due to kernel taint

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup<br /> <br /> variable *nplanes is provided by user via system call argument. The<br /> possible value of q_data-&gt;fmt-&gt;num_planes is 1-3, while the value<br /> of *nplanes can be 1-8. The array access by index i can cause array<br /> out-of-bounds.<br /> <br /> Fix this bug by checking *nplanes against the array size.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: freescale: Fix a memory out of bounds when num_configs is 1<br /> <br /> The config passed in by pad wakeup is 1, when num_configs is 1,<br /> Configuration [1] should not be fetched, which will be detected<br /> by KASAN as a memory out of bounds condition. Modify to get<br /> configs[1] when num_configs is 2.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname<br /> <br /> TCP_Server_Info::hostname may be updated once or many times during<br /> reconnect, so protect its access outside reconnect path as well and<br /> then prevent any potential use-after-free bugs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: deal with integer overflows in kmalloc_reserve()<br /> <br /> Blamed commit changed:<br /> ptr = kmalloc(size);<br /> if (ptr)<br /> size = ksize(ptr);<br /> <br /> size = kmalloc_size_roundup(size);<br /> ptr = kmalloc(size);<br /> <br /> This allowed various crash as reported by syzbot [1]<br /> and Kyle Zeng.<br /> <br /> Problem is that if @size is bigger than 0x80000001,<br /> kmalloc_size_roundup(size) returns 2^32.<br /> <br /> kmalloc_reserve() uses a 32bit variable (obj_size),<br /> so 2^32 is truncated to 0.<br /> <br /> kmalloc(0) returns ZERO_SIZE_PTR which is not handled by<br /> skb allocations.<br /> <br /> Following trace can be triggered if a netdev-&gt;mtu is set<br /> close to 0x7fffffff<br /> <br /> We might in the future limit netdev-&gt;mtu to more sensible<br /> limit (like KMALLOC_MAX_SIZE).<br /> <br /> This patch is based on a syzbot report, and also a report<br /> and tentative fix from Kyle Zeng.<br /> <br /> [1]<br /> BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]<br /> BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527<br /> Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554<br /> <br /> CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023<br /> Call trace:<br /> dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279<br /> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106<br /> print_report+0xe4/0x4b4 mm/kasan/report.c:398<br /> kasan_report+0x150/0x1ac mm/kasan/report.c:495<br /> kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189<br /> memset+0x40/0x70 mm/kasan/shadow.c:44<br /> __build_skb_around net/core/skbuff.c:294 [inline]<br /> __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527<br /> alloc_skb include/linux/skbuff.h:1316 [inline]<br /> igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359<br /> add_grec+0x81c/0x1124 net/ipv4/igmp.c:534<br /> igmpv3_send_cr net/ipv4/igmp.c:667 [inline]<br /> igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810<br /> call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474<br /> expire_timers kernel/time/timer.c:1519 [inline]<br /> __run_timers+0x54c/0x710 kernel/time/timer.c:1790<br /> run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803<br /> _stext+0x380/0xfbc<br /> ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79<br /> call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891<br /> do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84<br /> invoke_softirq kernel/softirq.c:437 [inline]<br /> __irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683<br /> irq_exit_rcu+0x14/0x78 kernel/softirq.c:695<br /> el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717<br /> __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724<br /> el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729<br /> el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: fix mapping to non-allocated address<br /> <br /> [Why]<br /> There is an issue mapping non-allocated location of memory.<br /> It would allocate gpio registers from an array out of bounds.<br /> <br /> [How]<br /> Patch correct numbers of bounds for using.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()<br /> <br /> When if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4)<br /> returns false, drbl_regs_memmap_p is not remapped. This passes a NULL<br /> pointer to iounmap(), which can trigger a WARN() on certain arches.<br /> <br /> When if_type equals six and pci_resource_start(pdev, PCI_64BIT_BAR4)<br /> returns true, drbl_regs_memmap_p may has been remapped and<br /> ctrl_regs_memmap_p is not remapped. This is a resource leak and passes a<br /> NULL pointer to iounmap().<br /> <br /> To fix these issues, we need to add null checks before iounmap(), and<br /> change some goto labels.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rsi: Fix memory leak in rsi_coex_attach()<br /> <br /> The coex_cb needs to be freed when rsi_create_kthread() failed in<br /> rsi_coex_attach().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: hugetlb: fix UAF in hugetlb_handle_userfault<br /> <br /> The vma_lock and hugetlb_fault_mutex are dropped before handling userfault<br /> and reacquire them again after handle_userfault(), but reacquire the<br /> vma_lock could lead to UAF[1,2] due to the following race,<br /> <br /> hugetlb_fault<br /> hugetlb_no_page<br /> /*unlock vma_lock */<br /> hugetlb_handle_userfault<br /> handle_userfault<br /> /* unlock mm-&gt;mmap_lock*/<br /> vm_mmap_pgoff<br /> do_mmap<br /> mmap_region<br /> munmap_vma_range<br /> /* clean old vma */<br /> /* lock vma_lock again

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kcsan: Avoid READ_ONCE() in read_instrumented_memory()<br /> <br /> Haibo Li reported:<br /> <br /> | Unable to handle kernel paging request at virtual address<br /> | ffffff802a0d8d7171<br /> | Mem abort info:o:<br /> | ESR = 0x9600002121<br /> | EC = 0x25: DABT (current EL), IL = 32 bitsts<br /> | SET = 0, FnV = 0 0<br /> | EA = 0, S1PTW = 0 0<br /> | FSC = 0x21: alignment fault<br /> | Data abort info:o:<br /> | ISV = 0, ISS = 0x0000002121<br /> | CM = 0, WnR = 0 0<br /> | swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000002835200000<br /> | [ffffff802a0d8d71] pgd=180000005fbf9003, p4d=180000005fbf9003,<br /> | pud=180000005fbf9003, pmd=180000005fbe8003, pte=006800002a0d8707<br /> | Internal error: Oops: 96000021 [#1] PREEMPT SMP<br /> | Modules linked in:<br /> | CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted<br /> | 5.15.78-android13-8-g63561175bbda-dirty #1<br /> | ...<br /> | pc : kcsan_setup_watchpoint+0x26c/0x6bc<br /> | lr : kcsan_setup_watchpoint+0x88/0x6bc<br /> | sp : ffffffc00ab4b7f0<br /> | x29: ffffffc00ab4b800 x28: ffffff80294fe588 x27: 0000000000000001<br /> | x26: 0000000000000019 x25: 0000000000000001 x24: ffffff80294fdb80<br /> | x23: 0000000000000000 x22: ffffffc00a70fb68 x21: ffffff802a0d8d71<br /> | x20: 0000000000000002 x19: 0000000000000000 x18: ffffffc00a9bd060<br /> | x17: 0000000000000001 x16: 0000000000000000 x15: ffffffc00a59f000<br /> | x14: 0000000000000001 x13: 0000000000000000 x12: ffffffc00a70faa0<br /> | x11: 00000000aaaaaaab x10: 0000000000000054 x9 : ffffffc00839adf8<br /> | x8 : ffffffc009b4cf00 x7 : 0000000000000000 x6 : 0000000000000007<br /> | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffc00a70fb70<br /> | x2 : 0005ff802a0d8d71 x1 : 0000000000000000 x0 : 0000000000000000<br /> | Call trace:<br /> | kcsan_setup_watchpoint+0x26c/0x6bc<br /> | __tsan_read2+0x1f0/0x234<br /> | inflate_fast+0x498/0x750<br /> | zlib_inflate+0x1304/0x2384<br /> | __gunzip+0x3a0/0x45c<br /> | gunzip+0x20/0x30<br /> | unpack_to_rootfs+0x2a8/0x3fc<br /> | do_populate_rootfs+0xe8/0x11c<br /> | async_run_entry_fn+0x58/0x1bc<br /> | process_one_work+0x3ec/0x738<br /> | worker_thread+0x4c4/0x838<br /> | kthread+0x20c/0x258<br /> | ret_from_fork+0x10/0x20<br /> | Code: b8bfc2a8 2a0803f7 14000007 d503249f (78bfc2a8) )<br /> | ---[ end trace 613a943cb0a572b6 ]-----<br /> <br /> The reason for this is that on certain arm64 configuration since<br /> e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when<br /> CONFIG_LTO=y"), READ_ONCE() may be promoted to a full atomic acquire<br /> instruction which cannot be used on unaligned addresses.<br /> <br /> Fix it by avoiding READ_ONCE() in read_instrumented_memory(), and simply<br /> forcing the compiler to do the required access by casting to the<br /> appropriate volatile type. In terms of generated code this currently<br /> only affects architectures that do not use the default READ_ONCE()<br /> implementation.<br /> <br /> The only downside is that we are not guaranteed atomicity of the access<br /> itself, although on most architectures a plain load up to machine word<br /> size should still be atomic (a fact the default READ_ONCE() still relies<br /> on itself).