Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

In order to inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we make available to interested users a database with information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database) under a collaboration agreement, through which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected during the time in which the INCIBE team carries out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to facilitate the exchange of information between different databases and tools. Each of the listed vulnerabilities links to various sources of information as well as to available patches or solutions provided by vendors and developers. Advanced searches are possible, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow down the results.

Through RSS subscription or newsletters, we can stay informed daily of the latest vulnerabilities added to the repository.

CVE-2022-50522

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

mcb: mcb-parse: fix error handing in chameleon_parse_gdd()

If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount
of bus and device name are leaked. Fix this by calling put_device() to give up
the reference, so they can be released in mcb_release_dev() and kobject_cleanup().
CVSS v3.1 severity: LOW
Last modified:
04/02/2026

CVE-2022-50529

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

test_firmware: fix memory leak in test_firmware_init()

When misc_register() failed in test_firmware_init(), the memory pointed
by test_fw_config->name is not released. The memory leak information is
as follows:
unreferenced object 0xffff88810a34cb00 (size 32):
  comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s)
  hex dump (first 32 bytes):
    74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi
    6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
  backtrace:
    [] __kmalloc_node_track_caller+0x4b/0xc0
    [] kstrndup+0x46/0xc0
    [] __test_firmware_config_init+0x29/0x380 [test_firmware]
    [] 0xffffffffa040f068
    [] do_one_initcall+0x141/0x780
    [] do_init_module+0x1c3/0x630
    [] load_module+0x623e/0x76a0
    [] __do_sys_finit_module+0x181/0x240
    [] do_syscall_64+0x39/0xb0
    [] entry_SYSCALL_64_after_hwframe+0x63/0xcd
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026

CVE-2022-50521

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()

The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()
is not freed after the call, so it leads to memory leak.

The method results in ACPI buffer is not used, so just pass NULL to
wmi_evaluate_method() which fixes the memory leak.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50520

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()

As comment of pci_get_class() says, it returns a pci_device with its
refcount increased and decreased the refcount for the input parameter
@from if it is not NULL.

If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50519

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure

If creation or finalization of a checkpoint fails due to anomalies in the
checkpoint metadata on disk, a kernel warning is generated.

This patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted
with panic_on_warn, does not panic. A nilfs_error is appropriate here to
handle the abnormal filesystem condition.

This also replaces the detected error codes with an I/O error so that
neither of the internal error codes is returned to callers.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50518

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

parisc: Fix locking in pdc_iodc_print() firmware call

Utilize pdc_lock spinlock to protect parallel modifications of the
iodc_dbuf[] buffer, check length to prevent buffer overflow of
iodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong
indentings.
CVSS v3.1 severity: HIGH
Last modified:
04/02/2026

CVE-2022-50517

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: do not clobber swp_entry_t during THP split

The following has been observed when running stressng mmap since commit
b653db77350c ("mm: Clear page->private when splitting or migrating a page")

watchdog: BUG: soft lockup - CPU#75 stuck for 26s! [stress-ng:9546]
CPU: 75 PID: 9546 Comm: stress-ng Tainted: G E 6.0.0-revert-b653db77-fix+ #29 0357d79b60fb09775f678e4f3f64ef0579ad1374
Hardware name: SGI.COM C2112-4GP3/X10DRT-P-Series, BIOS 2.0a 05/09/2016
RIP: 0010:xas_descend+0x28/0x80
Call Trace:

 xas_load+0x3a/0x50
 __filemap_get_folio+0x80/0x370
 ? put_swap_page+0x163/0x360
 pagecache_get_page+0x13/0x90
 __try_to_reclaim_swap+0x50/0x190
 scan_swap_map_slots+0x31e/0x670
 get_swap_pages+0x226/0x3c0
 folio_alloc_swap+0x1cc/0x240
 add_to_swap+0x14/0x70
 shrink_page_list+0x968/0xbc0
 reclaim_page_list+0x70/0xf0
 reclaim_pages+0xdd/0x120
 madvise_cold_or_pageout_pte_range+0x814/0xf30
 walk_pgd_range+0x637/0xa30
 __walk_page_range+0x142/0x170
 walk_page_range+0x146/0x170
 madvise_pageout+0xb7/0x280
 ? asm_common_interrupt+0x22/0x40
 madvise_vma_behavior+0x3b7/0xac0
 ? find_vma+0x4a/0x70
 ? find_vma+0x64/0x70
 ? madvise_vma_anon_name+0x40/0x40
 madvise_walk_vmas+0xa6/0x130
 do_madvise+0x2f4/0x360
 __x64_sys_madvise+0x26/0x30
 do_syscall_64+0x5b/0x80
 ? do_syscall_64+0x67/0x80
 ? syscall_exit_to_user_mode+0x17/0x40
 ? do_syscall_64+0x67/0x80
 ? syscall_exit_to_user_mode+0x17/0x40
 ? do_syscall_64+0x67/0x80
 ? do_syscall_64+0x67/0x80
 ? common_interrupt+0x8b/0xa0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The problem can be reproduced with the mmtests config
config-workload-stressng-mmap. It does not always happen and when it
triggers is variable but it has happened on multiple machines.

The intent of commit b653db77350c patch was to avoid the case where
PG_private is clear but folio->private is not-NULL. However, THP tail
pages uses page->private for "swp_entry_t if folio_test_swapcache()" as
stated in the documentation for struct folio. This patch only clobbers
page->private for tail pages if the head page was not in swapcache and
warns once if page->private had an unexpected value.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50515

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()

If construction of the array of work queues to handle hpd_rx_irq offload
work fails, we need to unwind. Destroy all the created workqueues and
the allocated memory for the hpd_rx_irq_offload_work_queue struct array.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50516

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

fs: dlm: fix invalid derefence of sb_lvbptr

I experience issues when putting a lkbsb on the stack and have sb_lvbptr
field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash
with the following kernel message, the dangled pointer is here
0xdeadbeef as example:

[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef
[ 102.749320] #PF: supervisor read access in kernel mode
[ 102.749323] #PF: error_code(0x0000) - not-present page
[ 102.749325] PGD 0 P4D 0
[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI
[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565
[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10
[ 102.749381] Call Trace:
[ 102.749382]
[ 102.749383] ? send_args+0xb2/0xd0
[ 102.749389] send_common+0xb7/0xd0
[ 102.749395] _unlock_lock+0x2c/0x90
[ 102.749400] unlock_lock.isra.56+0x62/0xa0
[ 102.749405] dlm_unlock+0x21e/0x330
[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]
[ 102.749419] ? preempt_count_sub+0xba/0x100
[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]
[ 102.786186] kthread+0x10a/0x130
[ 102.786581] ? kthread_complete_and_exit+0x20/0x20
[ 102.787156] ret_from_fork+0x22/0x30
[ 102.787588]
[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw
[ 102.792536] CR2: 00000000deadbeef
[ 102.792930] ---[ end trace 0000000000000000 ]---

This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags
is set when copying the lvbptr array instead of if it's just null which
fixes for me the issue.

I think this patch can fix other dlm users as well, depending how they
handle the init, freeing memory handling of sb_lvbptr and don't set
DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a
hidden issue all the time. However with checking on DLM_LKF_VALBLK the
user always need to provide a sb_lvbptr non-null value. There might be
more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and
non-null to report the user the way how DLM API is used is wrong but can
be added for later, this will only fix the current behaviour.
CVSS v3.1 severity: MEDIUM
Last modified:
19/02/2026

CVE-2022-50514

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: fix refcount leak on error path

When failing to allocate report_desc, opts->refcnt has already been
incremented so it needs to be decremented to avoid leaving the options
structure permanently locked.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50513

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()

In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly
released. Besides, considering there are only two error paths and the
first one can directly return, so we do not need implicitly jump to the
`exit` tag to execute the error handler.

So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
path to release the resource and simplified the return logic of
rtw_init_cmd_priv(). As there is no proper device to test with, no runtime
testing was performed.
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026

CVE-2022-50512

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

ext4: fix potential memory leak in ext4_fc_record_regions()

As krealloc may return NULL, in this case 'state->fc_regions' may not be
freed by krealloc, but 'state->fc_regions' already set NULL. Then will
lead to 'state->fc_regions' memory leak.
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026