Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: deal with integer overflows in kmalloc_reserve()<br /> <br /> Blamed commit changed:<br /> ptr = kmalloc(size);<br /> if (ptr)<br /> size = ksize(ptr);<br /> <br /> size = kmalloc_size_roundup(size);<br /> ptr = kmalloc(size);<br /> <br /> This allowed various crash as reported by syzbot [1]<br /> and Kyle Zeng.<br /> <br /> Problem is that if @size is bigger than 0x80000001,<br /> kmalloc_size_roundup(size) returns 2^32.<br /> <br /> kmalloc_reserve() uses a 32bit variable (obj_size),<br /> so 2^32 is truncated to 0.<br /> <br /> kmalloc(0) returns ZERO_SIZE_PTR which is not handled by<br /> skb allocations.<br /> <br /> Following trace can be triggered if a netdev-&gt;mtu is set<br /> close to 0x7fffffff<br /> <br /> We might in the future limit netdev-&gt;mtu to more sensible<br /> limit (like KMALLOC_MAX_SIZE).<br /> <br /> This patch is based on a syzbot report, and also a report<br /> and tentative fix from Kyle Zeng.<br /> <br /> [1]<br /> BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]<br /> BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527<br /> Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554<br /> <br /> CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023<br /> Call trace:<br /> dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279<br /> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106<br /> print_report+0xe4/0x4b4 mm/kasan/report.c:398<br /> kasan_report+0x150/0x1ac mm/kasan/report.c:495<br /> kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189<br /> memset+0x40/0x70 mm/kasan/shadow.c:44<br /> __build_skb_around net/core/skbuff.c:294 [inline]<br /> __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527<br /> alloc_skb include/linux/skbuff.h:1316 [inline]<br /> igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359<br /> add_grec+0x81c/0x1124 net/ipv4/igmp.c:534<br /> igmpv3_send_cr net/ipv4/igmp.c:667 [inline]<br /> igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810<br /> call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474<br /> expire_timers kernel/time/timer.c:1519 [inline]<br /> __run_timers+0x54c/0x710 kernel/time/timer.c:1790<br /> run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803<br /> _stext+0x380/0xfbc<br /> ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79<br /> call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891<br /> do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84<br /> invoke_softirq kernel/softirq.c:437 [inline]<br /> __irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683<br /> irq_exit_rcu+0x14/0x78 kernel/softirq.c:695<br /> el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717<br /> __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724<br /> el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729<br /> el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: fix mapping to non-allocated address<br /> <br /> [Why]<br /> There is an issue mapping non-allocated location of memory.<br /> It would allocate gpio registers from an array out of bounds.<br /> <br /> [How]<br /> Patch correct numbers of bounds for using.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()<br /> <br /> When if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4)<br /> returns false, drbl_regs_memmap_p is not remapped. This passes a NULL<br /> pointer to iounmap(), which can trigger a WARN() on certain arches.<br /> <br /> When if_type equals six and pci_resource_start(pdev, PCI_64BIT_BAR4)<br /> returns true, drbl_regs_memmap_p may has been remapped and<br /> ctrl_regs_memmap_p is not remapped. This is a resource leak and passes a<br /> NULL pointer to iounmap().<br /> <br /> To fix these issues, we need to add null checks before iounmap(), and<br /> change some goto labels.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rsi: Fix memory leak in rsi_coex_attach()<br /> <br /> The coex_cb needs to be freed when rsi_create_kthread() failed in<br /> rsi_coex_attach().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: hugetlb: fix UAF in hugetlb_handle_userfault<br /> <br /> The vma_lock and hugetlb_fault_mutex are dropped before handling userfault<br /> and reacquire them again after handle_userfault(), but reacquire the<br /> vma_lock could lead to UAF[1,2] due to the following race,<br /> <br /> hugetlb_fault<br /> hugetlb_no_page<br /> /*unlock vma_lock */<br /> hugetlb_handle_userfault<br /> handle_userfault<br /> /* unlock mm-&gt;mmap_lock*/<br /> vm_mmap_pgoff<br /> do_mmap<br /> mmap_region<br /> munmap_vma_range<br /> /* clean old vma */<br /> /* lock vma_lock again

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kcsan: Avoid READ_ONCE() in read_instrumented_memory()<br /> <br /> Haibo Li reported:<br /> <br /> | Unable to handle kernel paging request at virtual address<br /> | ffffff802a0d8d7171<br /> | Mem abort info:o:<br /> | ESR = 0x9600002121<br /> | EC = 0x25: DABT (current EL), IL = 32 bitsts<br /> | SET = 0, FnV = 0 0<br /> | EA = 0, S1PTW = 0 0<br /> | FSC = 0x21: alignment fault<br /> | Data abort info:o:<br /> | ISV = 0, ISS = 0x0000002121<br /> | CM = 0, WnR = 0 0<br /> | swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000002835200000<br /> | [ffffff802a0d8d71] pgd=180000005fbf9003, p4d=180000005fbf9003,<br /> | pud=180000005fbf9003, pmd=180000005fbe8003, pte=006800002a0d8707<br /> | Internal error: Oops: 96000021 [#1] PREEMPT SMP<br /> | Modules linked in:<br /> | CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted<br /> | 5.15.78-android13-8-g63561175bbda-dirty #1<br /> | ...<br /> | pc : kcsan_setup_watchpoint+0x26c/0x6bc<br /> | lr : kcsan_setup_watchpoint+0x88/0x6bc<br /> | sp : ffffffc00ab4b7f0<br /> | x29: ffffffc00ab4b800 x28: ffffff80294fe588 x27: 0000000000000001<br /> | x26: 0000000000000019 x25: 0000000000000001 x24: ffffff80294fdb80<br /> | x23: 0000000000000000 x22: ffffffc00a70fb68 x21: ffffff802a0d8d71<br /> | x20: 0000000000000002 x19: 0000000000000000 x18: ffffffc00a9bd060<br /> | x17: 0000000000000001 x16: 0000000000000000 x15: ffffffc00a59f000<br /> | x14: 0000000000000001 x13: 0000000000000000 x12: ffffffc00a70faa0<br /> | x11: 00000000aaaaaaab x10: 0000000000000054 x9 : ffffffc00839adf8<br /> | x8 : ffffffc009b4cf00 x7 : 0000000000000000 x6 : 0000000000000007<br /> | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffc00a70fb70<br /> | x2 : 0005ff802a0d8d71 x1 : 0000000000000000 x0 : 0000000000000000<br /> | Call trace:<br /> | kcsan_setup_watchpoint+0x26c/0x6bc<br /> | __tsan_read2+0x1f0/0x234<br /> | inflate_fast+0x498/0x750<br /> | zlib_inflate+0x1304/0x2384<br /> | __gunzip+0x3a0/0x45c<br /> | gunzip+0x20/0x30<br /> | unpack_to_rootfs+0x2a8/0x3fc<br /> | do_populate_rootfs+0xe8/0x11c<br /> | async_run_entry_fn+0x58/0x1bc<br /> | process_one_work+0x3ec/0x738<br /> | worker_thread+0x4c4/0x838<br /> | kthread+0x20c/0x258<br /> | ret_from_fork+0x10/0x20<br /> | Code: b8bfc2a8 2a0803f7 14000007 d503249f (78bfc2a8) )<br /> | ---[ end trace 613a943cb0a572b6 ]-----<br /> <br /> The reason for this is that on certain arm64 configuration since<br /> e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when<br /> CONFIG_LTO=y"), READ_ONCE() may be promoted to a full atomic acquire<br /> instruction which cannot be used on unaligned addresses.<br /> <br /> Fix it by avoiding READ_ONCE() in read_instrumented_memory(), and simply<br /> forcing the compiler to do the required access by casting to the<br /> appropriate volatile type. In terms of generated code this currently<br /> only affects architectures that do not use the default READ_ONCE()<br /> implementation.<br /> <br /> The only downside is that we are not guaranteed atomicity of the access<br /> itself, although on most architectures a plain load up to machine word<br /> size should still be atomic (a fact the default READ_ONCE() still relies<br /> on itself).

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: Free released resource after coalescing<br /> <br /> release_resource() doesn&amp;#39;t actually free the resource or resource list<br /> entry so free the resource list entry to avoid a leak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe<br /> <br /> wkup_m3_ipc_get() takes refcount, which should be freed by<br /> wkup_m3_ipc_put(). Add missing refcount release in the error paths.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> um: vector: Fix memory leak in vector_config<br /> <br /> If the return value of the uml_parse_vector_ifspec function is NULL,<br /> we should call kfree(params) to prevent memory leak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/vfio-ap: fix memory leak in vfio_ap device driver<br /> <br /> The device release callback function invoked to release the matrix device<br /> uses the dev_get_drvdata(device *dev) function to retrieve the<br /> pointer to the vfio_matrix_dev object in order to free its storage. The<br /> problem is, this object is not stored as drvdata with the device; since the<br /> kfree function will accept a NULL pointer, the memory for the<br /> vfio_matrix_dev object is never freed.<br /> <br /> Since the device being released is contained within the vfio_matrix_dev<br /> object, the container_of macro will be used to retrieve its pointer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm: verity-loadpin: Only trust verity targets with enforcement<br /> <br /> Verity targets can be configured to ignore corrupted data blocks.<br /> LoadPin must only trust verity targets that are configured to<br /> perform some kind of enforcement when data corruption is detected,<br /> like returning an error, restarting the system or triggering a<br /> panic.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix potential memory leak in ext4_fc_record_modified_inode()<br /> <br /> As krealloc may return NULL, in this case &amp;#39;state-&gt;fc_modified_inodes&amp;#39;<br /> may not be freed by krealloc, but &amp;#39;state-&gt;fc_modified_inodes&amp;#39; already<br /> set NULL. Then will lead to &amp;#39;state-&gt;fc_modified_inodes&amp;#39; memory leak.