Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt76x0: fix oob access in mt76x0_phy_get_target_power<br /> <br /> After &amp;#39;commit ba45841ca5eb ("wifi: mt76: mt76x02: simplify struct<br /> mt76x02_rate_power")&amp;#39;, mt76x02 relies on ht[0-7] rate_power data for<br /> vht mcs{0,7}, while it uses vth[0-1] rate_power for vht mcs {8,9}.<br /> Fix a possible out-of-bound access in mt76x0_phy_get_target_power routine.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix incomplete state save in rxe_requester<br /> <br /> If a send packet is dropped by the IP layer in rxe_requester()<br /> the call to rxe_xmit_packet() can fail with err == -EAGAIN.<br /> To recover, the state of the wqe is restored to the state before<br /> the packet was sent so it can be resent. However, the routines<br /> that save and restore the state miss a significnt part of the<br /> variable state in the wqe, the dma struct which is used to process<br /> through the sge table. And, the state is not saved before the packet<br /> is built which modifies the dma struct.<br /> <br /> Under heavy stress testing with many QPs on a fast node sending<br /> large messages to a slow node dropped packets are observed and<br /> the resent packets are corrupted because the dma struct was not<br /> restored. This patch fixes this behavior and allows the test cases<br /> to succeed.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: insert tree mod log move in push_node_left<br /> <br /> There is a fairly unlikely race condition in tree mod log rewind that<br /> can result in a kernel panic which has the following trace:<br /> <br /> [530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096<br /> [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096<br /> [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002<br /> [530.618] #PF: supervisor read access in kernel mode<br /> [530.629] #PF: error_code(0x0000) - not-present page<br /> [530.641] PGD 0 P4D 0<br /> [530.647] Oops: 0000 [#1] SMP<br /> [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S O K 5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1<br /> [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017<br /> [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00<br /> [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246<br /> [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100<br /> [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8<br /> [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff<br /> [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000<br /> [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0<br /> [530.848] FS: 00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000<br /> [530.866] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0<br /> [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [530.928] Call Trace:<br /> [530.934] ? btrfs_printk+0x13b/0x18c<br /> [530.943] ? btrfs_bio_counter_inc_blocked+0x3d/0x130<br /> [530.955] btrfs_map_bio+0x75/0x330<br /> [530.963] ? kmem_cache_alloc+0x12a/0x2d0<br /> [530.973] ? btrfs_submit_metadata_bio+0x63/0x100<br /> [530.984] btrfs_submit_metadata_bio+0xa4/0x100<br /> [530.995] submit_extent_page+0x30f/0x360<br /> [531.004] read_extent_buffer_pages+0x49e/0x6d0<br /> [531.015] ? submit_extent_page+0x360/0x360<br /> [531.025] btree_read_extent_buffer_pages+0x5f/0x150<br /> [531.037] read_tree_block+0x37/0x60<br /> [531.046] read_block_for_search+0x18b/0x410<br /> [531.056] btrfs_search_old_slot+0x198/0x2f0<br /> [531.066] resolve_indirect_ref+0xfe/0x6f0<br /> [531.076] ? ulist_alloc+0x31/0x60<br /> [531.084] ? kmem_cache_alloc_trace+0x12e/0x2b0<br /> [531.095] find_parent_nodes+0x720/0x1830<br /> [531.105] ? ulist_alloc+0x10/0x60<br /> [531.113] iterate_extent_inodes+0xea/0x370<br /> [531.123] ? btrfs_previous_extent_item+0x8f/0x110<br /> [531.134] ? btrfs_search_path_in_tree+0x240/0x240<br /> [531.146] iterate_inodes_from_logical+0x98/0xd0<br /> [531.157] ? btrfs_search_path_in_tree+0x240/0x240<br /> [531.168] btrfs_ioctl_logical_to_ino+0xd9/0x180<br /> [531.179] btrfs_ioctl+0xe2/0x2eb0<br /> <br /> This occurs when logical inode resolution takes a tree mod log sequence<br /> number, and then while backref walking hits a rewind on a busy node<br /> which has the following sequence of tree mod log operations (numbers<br /> filled in from a specific example, but they are somewhat arbitrary)<br /> <br /> REMOVE_WHILE_FREEING slot 532<br /> REMOVE_WHILE_FREEING slot 531<br /> REMOVE_WHILE_FREEING slot 530<br /> ...<br /> REMOVE_WHILE_FREEING slot 0<br /> REMOVE slot 455<br /> REMOVE slot 454<br /> REMOVE slot 453<br /> ...<br /> REMOVE slot 0<br /> ADD slot 455<br /> ADD slot 454<br /> ADD slot 453<br /> ...<br /> ADD slot 0<br /> MOVE src slot 0 -&gt; dst slot 456 nritems 533<br /> REMOVE slot 455<br /> REMOVE slot 454<br /> REMOVE slot 453<br /> ...<br /> REMOVE slot 0<br /> <br /> When this sequence gets applied via btrfs_tree_mod_log_rewind, it<br /> allocates a fresh rewind eb, and first inserts the correct key info for<br /> the 533 elements, then overwrites the first 456 of them, then decrements<br /> the count by 456 via the add ops, then rewinds the move by doing a<br /> memmove from 456:988-&gt;0:532. We have never written anything past 532,<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid use-after-free for cached IPU bio<br /> <br /> xfstest generic/019 reports a bug:<br /> <br /> kernel BUG at mm/filemap.c:1619!<br /> RIP: 0010:folio_end_writeback+0x8a/0x90<br /> Call Trace:<br /> end_page_writeback+0x1c/0x60<br /> f2fs_write_end_io+0x199/0x420<br /> bio_endio+0x104/0x180<br /> submit_bio_noacct+0xa5/0x510<br /> submit_bio+0x48/0x80<br /> f2fs_submit_write_bio+0x35/0x300<br /> f2fs_submit_merged_ipu_write+0x2a0/0x2b0<br /> f2fs_write_single_data_page+0x838/0x8b0<br /> f2fs_write_cache_pages+0x379/0xa30<br /> f2fs_write_data_pages+0x30c/0x340<br /> do_writepages+0xd8/0x1b0<br /> __writeback_single_inode+0x44/0x370<br /> writeback_sb_inodes+0x233/0x4d0<br /> __writeback_inodes_wb+0x56/0xf0<br /> wb_writeback+0x1dd/0x2d0<br /> wb_workfn+0x367/0x4a0<br /> process_one_work+0x21d/0x430<br /> worker_thread+0x4e/0x3c0<br /> kthread+0x103/0x130<br /> ret_from_fork+0x2c/0x50<br /> <br /> The root cause is: after cp_error is set, f2fs_submit_merged_ipu_write()<br /> in f2fs_write_single_data_page() tries to flush IPU bio in cache, however<br /> f2fs_submit_merged_ipu_write() missed to check validity of @bio parameter,<br /> result in submitting random cached bio which belong to other IO context,<br /> then it will cause use-after-free issue, fix it by adding additional<br /> validity check.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-crypto: make blk_crypto_evict_key() more robust<br /> <br /> If blk_crypto_evict_key() sees that the key is still in-use (due to a<br /> bug) or that -&gt;keyslot_evict failed, it currently just returns while<br /> leaving the key linked into the keyslot management structures.<br /> <br /> However, blk_crypto_evict_key() is only called in contexts such as inode<br /> eviction where failure is not an option. So actually the caller<br /> proceeds with freeing the blk_crypto_key regardless of the return value<br /> of blk_crypto_evict_key().<br /> <br /> These two assumptions don&amp;#39;t match, and the result is that there can be a<br /> use-after-free in blk_crypto_reprogram_all_keys() after one of these<br /> errors occurs. (Note, these errors *shouldn&amp;#39;t* happen; we&amp;#39;re just<br /> talking about what happens if they do anyway.)<br /> <br /> Fix this by making blk_crypto_evict_key() unlink the key from the<br /> keyslot management structures even on failure.<br /> <br /> Also improve some comments.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bcmgenet: Add a check for oversized packets<br /> <br /> Occasionnaly we may get oversized packets from the hardware which<br /> exceed the nomimal 2KiB buffer size we allocate SKBs with. Add an early<br /> check which drops the packet to avoid invoking skb_over_panic() and move<br /> on to processing the next packet.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mediatek: mtk_drm_crtc: Add checks for devm_kcalloc<br /> <br /> As the devm_kcalloc may return NULL, the return value needs to be checked<br /> to avoid NULL poineter dereference.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe<br /> <br /> rpi_firmware_get() take reference, we need to release it in error paths<br /> as well. Use devm_rpi_firmware_get() helper to handling the resources.<br /> Also remove the existing rpi_firmware_put().

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/rtas: avoid scheduling in rtas_os_term()<br /> <br /> It&amp;#39;s unsafe to use rtas_busy_delay() to handle a busy status from<br /> the ibm,os-term RTAS function in rtas_os_term():<br /> <br /> Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b<br /> BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618<br /> in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0<br /> preempt_count: 2, expected: 0<br /> CPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9<br /> Call Trace:<br /> [c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)<br /> [c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0<br /> [c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0<br /> [c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4<br /> [c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68<br /> [c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50<br /> [c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0<br /> [c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0<br /> [c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0<br /> [c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420<br /> [c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200<br /> <br /> Use rtas_busy_delay_time() instead, which signals without side effects<br /> whether to attempt the ibm,os-term RTAS call again.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mtd: lpddr2_nvm: Fix possible null-ptr-deref<br /> <br /> It will cause null-ptr-deref when resource_size(add_range) invoked,<br /> if platform_get_resource() returns NULL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: coda: Add check for dcoda_iram_alloc<br /> <br /> As the coda_iram_alloc may return NULL pointer,<br /> it should be better to check the return value<br /> in order to avoid NULL poineter dereference,<br /> same as the others.