Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: amd-pstate: fix global sysfs attribute type<br /> <br /> In commit 3666062b87ec ("cpufreq: amd-pstate: move to use bus_get_dev_root()")<br /> the "amd_pstate" attributes where moved from a dedicated kobject to the<br /> cpu root kobject.<br /> <br /> While the dedicated kobject expects to contain kobj_attributes the root<br /> kobject needs device_attributes.<br /> <br /> As the changed arguments are not used by the callbacks it works most of<br /> the time.<br /> However CFI will detect this issue:<br /> <br /> [ 4947.849350] CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70; expected type: 0x8651b1de)<br /> ...<br /> [ 4947.849409] Call Trace:<br /> [ 4947.849410] <br /> [ 4947.849411] ? __warn+0xcf/0x1c0<br /> [ 4947.849414] ? dev_attr_show+0x24/0x60<br /> [ 4947.849415] ? report_cfi_failure+0x4e/0x60<br /> [ 4947.849417] ? handle_cfi_failure+0x14c/0x1d0<br /> [ 4947.849419] ? __cfi_show_status+0x10/0x10<br /> [ 4947.849420] ? handle_bug+0x4f/0x90<br /> [ 4947.849421] ? exc_invalid_op+0x1a/0x60<br /> [ 4947.849422] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 4947.849424] ? __cfi_show_status+0x10/0x10<br /> [ 4947.849425] ? dev_attr_show+0x24/0x60<br /> [ 4947.849426] sysfs_kf_seq_show+0xa6/0x110<br /> [ 4947.849433] seq_read_iter+0x16c/0x4b0<br /> [ 4947.849436] vfs_read+0x272/0x2d0<br /> [ 4947.849438] ksys_read+0x72/0xe0<br /> [ 4947.849439] do_syscall_64+0x76/0xb0<br /> [ 4947.849440] ? do_user_addr_fault+0x252/0x650<br /> [ 4947.849442] ? exc_page_fault+0x7a/0x1b0<br /> [ 4947.849443] entry_SYSCALL_64_after_hwframe+0x72/0xdc

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx<br /> <br /> when mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory<br /> pointed by &amp;#39;in&amp;#39; is not released, which will cause memory leak. Move memory<br /> release after mlx5_cmd_exec.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy<br /> <br /> For some reason, the driver adding support for Exynos5420 MIPI phy<br /> back in 2016 wasn&amp;#39;t used on Exynos5420, which caused a kernel panic.<br /> Add the proper compatible for it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write<br /> <br /> When the oob buffer length is not in multiple of words, the oob write<br /> function does out-of-bounds read on the oob source buffer at the last<br /> iteration. Fix that by always checking length limit on the oob buffer<br /> read and fill with 0xff when reaching the end of the buffer to the oob<br /> registers.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: cfg80211: reject auth/assoc to AP with our address<br /> <br /> If the AP uses our own address as its MLD address or BSSID, then<br /> clearly something&amp;#39;s wrong. Reject such connections so we don&amp;#39;t<br /> try and fail later.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Fix sdma v4 sw fini error<br /> <br /> Fix sdma v4 sw fini error for sdma 4.2.2 to<br /> solve the following general protection fault<br /> <br /> [ +0.108196] general protection fault, probably for non-canonical<br /> address 0xd5e5a4ae79d24a32: 0000 [#1] PREEMPT SMP PTI<br /> [ +0.000018] RIP: 0010:free_fw_priv+0xd/0x70<br /> [ +0.000022] Call Trace:<br /> [ +0.000012] <br /> [ +0.000011] release_firmware+0x55/0x80<br /> [ +0.000021] amdgpu_ucode_release+0x11/0x20 [amdgpu]<br /> [ +0.000415] amdgpu_sdma_destroy_inst_ctx+0x4f/0x90 [amdgpu]<br /> [ +0.000360] sdma_v4_0_sw_fini+0xce/0x110 [amdgpu]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: unmap and remove csa_va properly<br /> <br /> Root PD BO should be reserved before unmap and remove<br /> a bo_va from VM otherwise lockdep will complain.<br /> <br /> v2: check fpriv-&gt;csa_va is not NULL instead of amdgpu_mcbp (christian)<br /> <br /> [14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]<br /> [14616.937096] Call Trace:<br /> [14616.937097] <br /> [14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]<br /> [14616.937187] drm_file_free+0x1d6/0x300 [drm]<br /> [14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]<br /> [14616.937220] drm_release+0x5e/0x100 [drm]<br /> [14616.937234] __fput+0x9f/0x280<br /> [14616.937239] ____fput+0xe/0x20<br /> [14616.937241] task_work_run+0x61/0x90<br /> [14616.937246] exit_to_user_mode_prepare+0x215/0x220<br /> [14616.937251] syscall_exit_to_user_mode+0x2a/0x60<br /> [14616.937254] do_syscall_64+0x48/0x90<br /> [14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: davinci: Fix clk use after free<br /> <br /> The remove function first frees the clks and only then calls<br /> cpufreq_unregister_driver(). If one of the cpufreq callbacks is called<br /> just before cpufreq_unregister_driver() is run, the freed clks might be<br /> used.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check<br /> <br /> The vdpa_nl_policy structure is used to validate the nlattr when parsing<br /> the incoming nlmsg. It will ensure the attribute being described produces<br /> a valid nlattr pointer in info-&gt;attrs before entering into each handler<br /> in vdpa_nl_ops.<br /> <br /> That is to say, the missing part in vdpa_nl_policy may lead to illegal<br /> nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.<br /> <br /> This patch adds the missing nla_policy for vdpa max vqp attr to avoid<br /> such bugs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt76x0: fix oob access in mt76x0_phy_get_target_power<br /> <br /> After &amp;#39;commit ba45841ca5eb ("wifi: mt76: mt76x02: simplify struct<br /> mt76x02_rate_power")&amp;#39;, mt76x02 relies on ht[0-7] rate_power data for<br /> vht mcs{0,7}, while it uses vth[0-1] rate_power for vht mcs {8,9}.<br /> Fix a possible out-of-bound access in mt76x0_phy_get_target_power routine.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix incomplete state save in rxe_requester<br /> <br /> If a send packet is dropped by the IP layer in rxe_requester()<br /> the call to rxe_xmit_packet() can fail with err == -EAGAIN.<br /> To recover, the state of the wqe is restored to the state before<br /> the packet was sent so it can be resent. However, the routines<br /> that save and restore the state miss a significnt part of the<br /> variable state in the wqe, the dma struct which is used to process<br /> through the sge table. And, the state is not saved before the packet<br /> is built which modifies the dma struct.<br /> <br /> Under heavy stress testing with many QPs on a fast node sending<br /> large messages to a slow node dropped packets are observed and<br /> the resent packets are corrupted because the dma struct was not<br /> restored. This patch fixes this behavior and allows the test cases<br /> to succeed.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: insert tree mod log move in push_node_left<br /> <br /> There is a fairly unlikely race condition in tree mod log rewind that<br /> can result in a kernel panic which has the following trace:<br /> <br /> [530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096<br /> [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096<br /> [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002<br /> [530.618] #PF: supervisor read access in kernel mode<br /> [530.629] #PF: error_code(0x0000) - not-present page<br /> [530.641] PGD 0 P4D 0<br /> [530.647] Oops: 0000 [#1] SMP<br /> [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S O K 5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1<br /> [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017<br /> [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00<br /> [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246<br /> [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100<br /> [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8<br /> [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff<br /> [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000<br /> [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0<br /> [530.848] FS: 00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000<br /> [530.866] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0<br /> [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [530.928] Call Trace:<br /> [530.934] ? btrfs_printk+0x13b/0x18c<br /> [530.943] ? btrfs_bio_counter_inc_blocked+0x3d/0x130<br /> [530.955] btrfs_map_bio+0x75/0x330<br /> [530.963] ? kmem_cache_alloc+0x12a/0x2d0<br /> [530.973] ? btrfs_submit_metadata_bio+0x63/0x100<br /> [530.984] btrfs_submit_metadata_bio+0xa4/0x100<br /> [530.995] submit_extent_page+0x30f/0x360<br /> [531.004] read_extent_buffer_pages+0x49e/0x6d0<br /> [531.015] ? submit_extent_page+0x360/0x360<br /> [531.025] btree_read_extent_buffer_pages+0x5f/0x150<br /> [531.037] read_tree_block+0x37/0x60<br /> [531.046] read_block_for_search+0x18b/0x410<br /> [531.056] btrfs_search_old_slot+0x198/0x2f0<br /> [531.066] resolve_indirect_ref+0xfe/0x6f0<br /> [531.076] ? ulist_alloc+0x31/0x60<br /> [531.084] ? kmem_cache_alloc_trace+0x12e/0x2b0<br /> [531.095] find_parent_nodes+0x720/0x1830<br /> [531.105] ? ulist_alloc+0x10/0x60<br /> [531.113] iterate_extent_inodes+0xea/0x370<br /> [531.123] ? btrfs_previous_extent_item+0x8f/0x110<br /> [531.134] ? btrfs_search_path_in_tree+0x240/0x240<br /> [531.146] iterate_inodes_from_logical+0x98/0xd0<br /> [531.157] ? btrfs_search_path_in_tree+0x240/0x240<br /> [531.168] btrfs_ioctl_logical_to_ino+0xd9/0x180<br /> [531.179] btrfs_ioctl+0xe2/0x2eb0<br /> <br /> This occurs when logical inode resolution takes a tree mod log sequence<br /> number, and then while backref walking hits a rewind on a busy node<br /> which has the following sequence of tree mod log operations (numbers<br /> filled in from a specific example, but they are somewhat arbitrary)<br /> <br /> REMOVE_WHILE_FREEING slot 532<br /> REMOVE_WHILE_FREEING slot 531<br /> REMOVE_WHILE_FREEING slot 530<br /> ...<br /> REMOVE_WHILE_FREEING slot 0<br /> REMOVE slot 455<br /> REMOVE slot 454<br /> REMOVE slot 453<br /> ...<br /> REMOVE slot 0<br /> ADD slot 455<br /> ADD slot 454<br /> ADD slot 453<br /> ...<br /> ADD slot 0<br /> MOVE src slot 0 -&gt; dst slot 456 nritems 533<br /> REMOVE slot 455<br /> REMOVE slot 454<br /> REMOVE slot 453<br /> ...<br /> REMOVE slot 0<br /> <br /> When this sequence gets applied via btrfs_tree_mod_log_rewind, it<br /> allocates a fresh rewind eb, and first inserts the correct key info for<br /> the 533 elements, then overwrites the first 456 of them, then decrements<br /> the count by 456 via the add ops, then rewinds the move by doing a<br /> memmove from 456:988-&gt;0:532. We have never written anything past 532,<br /> ---truncated---