Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: Prevent recursive memory reclaim<br /> <br /> Function new_inode() returns a new inode with inode-&gt;i_mapping-&gt;gfp_mask<br /> set to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so<br /> allocations in that address space can recurse into filesystem memory<br /> reclaim. We don&amp;#39;t want that to happen because it can consume a<br /> significant amount of stack memory.<br /> <br /> Worse than that is that it can also deadlock: for example, in several<br /> places, gfs2_unstuff_dinode() is called inside filesystem transactions.<br /> This calls filemap_grab_folio(), which can allocate a new folio, which<br /> can trigger memory reclaim. If memory reclaim recurses into the<br /> filesystem and starts another transaction, a deadlock will ensue.<br /> <br /> To fix these kinds of problems, prevent memory reclaim from recursing<br /> into filesystem code by making sure that the gfp_mask of inode address<br /> spaces doesn&amp;#39;t include __GFP_FS.<br /> <br /> The "meta" and resource group address spaces were already using GFP_NOFS<br /> as their gfp_mask (which doesn&amp;#39;t include __GFP_FS). The default value<br /> of GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To<br /> avoid being overly limiting, use the default value and only knock off<br /> the __GFP_FS flag. I&amp;#39;m not sure if this will actually make a<br /> difference, but it also shouldn&amp;#39;t hurt.<br /> <br /> This patch is loosely based on commit ad22c7a043c2 ("xfs: prevent stack<br /> overflows from page cache allocation").<br /> <br /> Fixes xfstest generic/273.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events<br /> <br /> The DSP event handling code in hwdep_read() could write more bytes to<br /> the user buffer than requested, when a user provides a buffer smaller<br /> than the event header size (8 bytes).<br /> <br /> Fix by using min_t() to clamp the copy size, This ensures we never copy<br /> more than the user requested.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid<br /> <br /> Fixes a crash when layout is null during this call stack:<br /> <br /> write_inode<br /> -&gt; nfs4_write_inode<br /> -&gt; pnfs_layoutcommit_inode<br /> <br /> pnfs_set_layoutcommit relies on the lseg refcount to keep the layout<br /> around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt<br /> to reference a null layout.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex<br /> <br /> regulator_supply_alias_list was accessed without any locking in<br /> regulator_supply_alias(), regulator_register_supply_alias(), and<br /> regulator_unregister_supply_alias(). Concurrent registration,<br /> unregistration and lookups can race, leading to:<br /> <br /> 1 use-after-free if an alias entry is removed while being read,<br /> 2 duplicate entries when two threads register the same alias,<br /> 3 inconsistent alias mappings observed by consumers.<br /> <br /> Protect all traversals, insertions and deletions on<br /> regulator_supply_alias_list with the existing regulator_list_mutex.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> exfat: fix refcount leak in exfat_find<br /> <br /> Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.<br /> <br /> Function `exfat_get_dentry_set` would increase the reference counter of<br /> `es-&gt;bh` on success. Therefore, `exfat_put_dentry_set` must be called<br /> after `exfat_get_dentry_set` to ensure refcount consistency. This patch<br /> relocate two checks to avoid possible leaks.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring: fix memory leak when removing provided buffers<br /> <br /> When removing provided buffers, io_buffer structs are not being disposed<br /> of, leading to a memory leak. They can&amp;#39;t be freed individually, because<br /> they are allocated in page-sized groups. They need to be added to some<br /> free list instead, such as io_buffers_cache. All callers already hold<br /> the lock protecting it, apart from when destroying buffers, so had to<br /> extend the lock there.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/64s: Fix VAS mm use after free<br /> <br /> The refcount on mm is dropped before the coprocessor is detached.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()<br /> <br /> The acpi_get_first_physical_node() function can return NULL, in which<br /> case the get_device() function also returns NULL, but this value is<br /> then dereferenced without checking,so add a check to prevent a crash.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: wavefront: Fix integer overflow in sample size validation<br /> <br /> The wavefront_send_sample() function has an integer overflow issue<br /> when validating sample size. The header-&gt;size field is u32 but gets<br /> cast to int for comparison with dev-&gt;freemem<br /> <br /> Fix by using unsigned comparison to avoid integer overflow.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: dice: fix buffer overflow in detect_stream_formats()<br /> <br /> The function detect_stream_formats() reads the stream_count value directly<br /> from a FireWire device without validating it. This can lead to<br /> out-of-bounds writes when a malicious device provides a stream_count value<br /> greater than MAX_STREAMS.<br /> <br /> Fix by applying the same validation to both TX and RX stream counts in<br /> detect_stream_formats().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/net: don&amp;#39;t overflow multishot recv<br /> <br /> Don&amp;#39;t allow overflowing multishot recv CQEs, it might get out of<br /> hand, hurt performance, and in the worst case scenario OOM the task.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check<br /> <br /> The vdpa_nl_policy structure is used to validate the nlattr when parsing<br /> the incoming nlmsg. It will ensure the attribute being described produces<br /> a valid nlattr pointer in info-&gt;attrs before entering into each handler<br /> in vdpa_nl_ops.<br /> <br /> That is to say, the missing part in vdpa_nl_policy may lead to illegal<br /> nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.<br /> <br /> This patch adds the missing nla_policy for vdpa queue index attr to avoid<br /> such bugs.