Vulnerabilidades

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: usb-audio: Fix potential memory leaks<br /> <br /> When the driver hits -ENOMEM at allocating a URB or a buffer, it<br /> aborts and goes to the error path that releases the all previously<br /> allocated resources. However, when -ENOMEM hits at the middle of the<br /> sync EP URB allocation loop, the partially allocated URBs might be<br /> left without released, because ep-&gt;nurbs is still zero at that point.<br /> <br /> Fix it by setting ep-&gt;nurbs at first, so that the error handler loops<br /> over the full URB list.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: enetc: avoid buffer leaks on xdp_do_redirect() failure<br /> <br /> Before enetc_clean_rx_ring_xdp() calls xdp_do_redirect(), each software<br /> BD in the RX ring between index orig_i and i can have one of 2 refcount<br /> values on its page.<br /> <br /> We are the owner of the current buffer that is being processed, so the<br /> refcount will be at least 1.<br /> <br /> If the current owner of the buffer at the diametrically opposed index<br /> in the RX ring (i.o.w, the other half of this page) has not yet called<br /> kfree(), this page&amp;#39;s refcount could even be 2.<br /> <br /> enetc_page_reusable() in enetc_flip_rx_buff() tests for the page<br /> refcount against 1, and [ if it&amp;#39;s 2 ] does not attempt to reuse it.<br /> <br /> But if enetc_flip_rx_buff() is put after the xdp_do_redirect() call,<br /> the page refcount can have one of 3 values. It can also be 0, if there<br /> is no owner of the other page half, and xdp_do_redirect() for this<br /> buffer ran so far that it triggered a flush of the devmap/cpumap bulk<br /> queue, and the consumers of those bulk queues also freed the buffer,<br /> all by the time xdp_do_redirect() returns the execution back to enetc.<br /> <br /> This is the reason why enetc_flip_rx_buff() is called before<br /> xdp_do_redirect(), but there is a big flaw with that reasoning:<br /> enetc_flip_rx_buff() will set rx_swbd-&gt;page = NULL on both sides of the<br /> enetc_page_reusable() branch, and if xdp_do_redirect() returns an error,<br /> we call enetc_xdp_free(), which does not deal gracefully with that.<br /> <br /> In fact, what happens is quite special. The page refcounts start as 1.<br /> enetc_flip_rx_buff() figures they&amp;#39;re reusable, transfers these<br /> rx_swbd-&gt;page pointers to a different rx_swbd in enetc_reuse_page(), and<br /> bumps the refcount to 2. When xdp_do_redirect() later returns an error,<br /> we call the no-op enetc_xdp_free(), but we still haven&amp;#39;t lost the<br /> reference to that page. A copy of it is still at rx_ring-&gt;next_to_alloc,<br /> but that has refcount 2 (and there are no concurrent owners of it in<br /> flight, to drop the refcount). What really kills the system is when<br /> we&amp;#39;ll flip the rx_swbd-&gt;page the second time around. With an updated<br /> refcount of 2, the page will not be reusable and we&amp;#39;ll really leak it.<br /> Then enetc_new_page() will have to allocate more pages, which will then<br /> eventually leak again on further errors from xdp_do_redirect().<br /> <br /> The problem, summarized, is that we zeroize rx_swbd-&gt;page before we&amp;#39;re<br /> completely done with it, and this makes it impossible for the error path<br /> to do something with it.<br /> <br /> Since the packet is potentially multi-buffer and therefore the<br /> rx_swbd-&gt;page is potentially an array, manual passing of the old<br /> pointers between enetc_flip_rx_buff() and enetc_xdp_free() is a bit<br /> difficult.<br /> <br /> For the sake of going with a simple solution, we accept the possibility<br /> of racing with xdp_do_redirect(), and we move the flip procedure to<br /> execute only on the redirect success path. By racing, I mean that the<br /> page may be deemed as not reusable by enetc (having a refcount of 0),<br /> but there will be no leak in that case, either.<br /> <br /> Once we accept that, we have something better to do with buffers on<br /> XDP_REDIRECT failure. Since we haven&amp;#39;t performed half-page flipping yet,<br /> we won&amp;#39;t, either (and this way, we can avoid enetc_xdp_free()<br /> completely, which gives the entire page to the slab allocator).<br /> Instead, we&amp;#39;ll call enetc_xdp_drop(), which will recycle this half of<br /> the buffer back to the RX ring.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block, bfq: fix possible uaf for &amp;#39;bfqq-&gt;bic&amp;#39;<br /> <br /> Our test report a uaf for &amp;#39;bfqq-&gt;bic&amp;#39; in 5.10:<br /> <br /> ==================================================================<br /> BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30<br /> <br /> CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014<br /> Call Trace:<br /> bfq_select_queue+0x378/0xa30<br /> bfq_dispatch_request+0xe8/0x130<br /> blk_mq_do_dispatch_sched+0x62/0xb0<br /> __blk_mq_sched_dispatch_requests+0x215/0x2a0<br /> blk_mq_sched_dispatch_requests+0x8f/0xd0<br /> __blk_mq_run_hw_queue+0x98/0x180<br /> __blk_mq_delay_run_hw_queue+0x22b/0x240<br /> blk_mq_run_hw_queue+0xe3/0x190<br /> blk_mq_sched_insert_requests+0x107/0x200<br /> blk_mq_flush_plug_list+0x26e/0x3c0<br /> blk_finish_plug+0x63/0x90<br /> __iomap_dio_rw+0x7b5/0x910<br /> iomap_dio_rw+0x36/0x80<br /> ext4_dio_read_iter+0x146/0x190 [ext4]<br /> ext4_file_read_iter+0x1e2/0x230 [ext4]<br /> new_sync_read+0x29f/0x400<br /> vfs_read+0x24e/0x2d0<br /> ksys_read+0xd5/0x1b0<br /> do_syscall_64+0x33/0x40<br /> entry_SYSCALL_64_after_hwframe+0x61/0xc6<br /> <br /> Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")<br /> changes that move process to a new cgroup will allocate a new bfqq to<br /> use, however, the old bfqq and new bfqq can point to the same bic:<br /> <br /> 1) Initial state, two process with io in the same cgroup.<br /> <br /> Process 1 Process 2<br /> (BIC1) (BIC2)<br /> | Λ | Λ<br /> | | | |<br /> V | V |<br /> bfqq1 bfqq2<br /> <br /> 2) bfqq1 is merged to bfqq2.<br /> <br /> Process 1 Process 2<br /> (BIC1) (BIC2)<br /> | |<br /> \-------------\|<br /> V<br /> bfqq1 bfqq2(coop)<br /> <br /> 3) Process 1 exit, then issue new io(denoce IOA) from Process 2.<br /> <br /> (BIC2)<br /> | Λ<br /> | |<br /> V |<br /> bfqq2(coop)<br /> <br /> 4) Before IOA is completed, move Process 2 to another cgroup and issue io.<br /> <br /> Process 2<br /> (BIC2)<br /> Λ<br /> |\--------------\<br /> | V<br /> bfqq2 bfqq3<br /> <br /> Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.<br /> If all the requests are completed, and Process 2 exit, BIC2 will be<br /> freed while there is no guarantee that bfqq2 will be freed before BIC2.<br /> <br /> Fix the problem by clearing bfqq-&gt;bic while bfqq is detached from bic.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Propagate error from htab_lock_bucket() to userspace<br /> <br /> In __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns<br /> -EBUSY, it will go to next bucket. Going to next bucket may not only<br /> skip the elements in current bucket silently, but also incur<br /> out-of-bound memory access or expose kernel memory to userspace if<br /> current bucket_cnt is greater than bucket_size or zero.<br /> <br /> Fixing it by stopping batch operation and returning -EBUSY when<br /> htab_lock_bucket() fails, and the application can retry or skip the busy<br /> batch as needed.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mipi-dsi: Detach devices when removing the host<br /> <br /> Whenever the MIPI-DSI host is unregistered, the code of<br /> mipi_dsi_host_unregister() loops over every device currently found on that<br /> bus and will unregister it.<br /> <br /> However, it doesn&amp;#39;t detach it from the bus first, which leads to all kind<br /> of resource leaks if the host wants to perform some clean up whenever a<br /> device is detached.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()<br /> <br /> With clang&amp;#39;s kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),<br /> indirect call targets are validated against the expected function<br /> pointer prototype to make sure the call target is valid to help mitigate<br /> ROP attacks. If they are not identical, there is a failure at run time,<br /> which manifests as either a kernel panic or thread getting killed. A<br /> proposed warning in clang aims to catch these at compile time, which<br /> reveals:<br /> <br /> drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing &amp;#39;netdev_tx_t (*)(struct sk_buff *, struct net_device *)&amp;#39; (aka &amp;#39;enum netdev_tx (*)(struct sk_buff *, struct net_device *)&amp;#39;) with an expression of type &amp;#39;int (struct sk_buff *, struct net_device *)&amp;#39; [-Werror,-Wincompatible-function-pointer-types-strict]<br /> .ndo_start_xmit = netcp_ndo_start_xmit,<br /> ^~~~~~~~~~~~~~~~~~~~<br /> 1 error generated.<br /> <br /> -&gt;ndo_start_xmit() in &amp;#39;struct net_device_ops&amp;#39; expects a return type of<br /> &amp;#39;netdev_tx_t&amp;#39;, not &amp;#39;int&amp;#39;. Adjust the return type of<br /> netcp_ndo_start_xmit() to match the prototype&amp;#39;s to resolve the warning<br /> and CFI failure.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode<br /> <br /> There are many places that will get unhappy (and crash) when ext4_iget()<br /> returns a bad inode. However, if iget the boot loader inode, allows a bad<br /> inode to be returned, because the inode may not be initialized. This<br /> mechanism can be used to bypass some checks and cause panic. To solve this<br /> problem, we add a special iget flag EXT4_IGET_BAD. Only with this flag<br /> we&amp;#39;d be returning bad inode from ext4_iget(), otherwise we always return<br /> the error code if the inode is bad inode.(suggested by Jan Kara)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rtc: class: Fix potential memleak in devm_rtc_allocate_device()<br /> <br /> devm_rtc_allocate_device() will alloc a rtc_device first, and then run<br /> dev_set_name(). If dev_set_name() failed, the rtc_device will memleak.<br /> Move devm_add_action_or_reset() in front of dev_set_name() to prevent<br /> memleak.<br /> <br /> unreferenced object 0xffff888110a53000 (size 2048):<br /> comm "python3", pid 470, jiffies 4296078308 (age 58.882s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 00 00 00 00 08 30 a5 10 81 88 ff ff .........0......<br /> 08 30 a5 10 81 88 ff ff 00 00 00 00 00 00 00 00 .0..............<br /> backtrace:<br /> [] kmalloc_trace+0x21/0x110<br /> [] devm_rtc_allocate_device+0xd4/0x400<br /> [] devm_rtc_device_register+0x1a/0x80<br /> [] rx4581_probe+0xdd/0x110 [rtc_rx4581]<br /> [] spi_probe+0xde/0x130<br /> [] really_probe+0x175/0x3f0<br /> [] __driver_probe_device+0xe6/0x170<br /> [] device_driver_attach+0x32/0x80<br /> [] bind_store+0x10b/0x1a0<br /> [] drv_attr_store+0x49/0x70<br /> [] sysfs_kf_write+0x8d/0xb0<br /> [] kernfs_fop_write_iter+0x214/0x2d0<br /> [] vfs_write+0x61a/0x7d0<br /> [] ksys_write+0xc8/0x190<br /> [] do_syscall_64+0x37/0x90<br /> [] entry_SYSCALL_64_after_hwframe+0x63/0xcd

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ntb_netdev: Use dev_kfree_skb_any() in interrupt context<br /> <br /> TX/RX callback handlers (ntb_netdev_tx_handler(),<br /> ntb_netdev_rx_handler()) can be called in interrupt<br /> context via the DMA framework when the respective<br /> DMA operations have completed. As such, any calls<br /> by these routines to free skb&amp;#39;s, should use the<br /> interrupt context safe dev_kfree_skb_any() function.<br /> <br /> Previously, these callback handlers would call the<br /> interrupt unsafe version of dev_kfree_skb(). This has<br /> not presented an issue on Intel IOAT DMA engines as<br /> that driver utilizes tasklets rather than a hard<br /> interrupt handler, like the AMD PTDMA DMA driver.<br /> On AMD systems, a kernel WARNING message is<br /> encountered, which is being issued from<br /> skb_release_head_state() due to in_hardirq()<br /> being true.<br /> <br /> Besides the user visible WARNING from the kernel,<br /> the other symptom of this bug was that TCP/IP performance<br /> across the ntb_netdev interface was very poor, i.e.<br /> approximately an order of magnitude below what was<br /> expected. With the repair to use dev_kfree_skb_any(),<br /> kernel WARNINGs from skb_release_head_state() ceased<br /> and TCP/IP performance, as measured by iperf, was on<br /> par with expected results, approximately 20 Gb/s on<br /> AMD Milan based server. Note that this performance<br /> is comparable with Intel based servers.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/core: Make sure "ib_port" is valid when access sysfs node<br /> <br /> The "ib_port" structure must be set before adding the sysfs kobject,<br /> and reset after removing it, otherwise it may crash when accessing<br /> the sysfs node:<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050<br /> Mem abort info:<br /> ESR = 0x96000006<br /> Exception class = DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000006<br /> CM = 0, WnR = 0<br /> user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5<br /> [0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000<br /> Internal error: Oops: 96000006 [#2] PREEMPT SMP<br /> Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci]<br /> Process grep (pid: 3372, stack limit = 0x0000000022055c92)<br /> CPU: 5 PID: 3372 Comm: grep Tainted: G D OE 4.19.161-mlnx.47.gadcd9e3 #1<br /> Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep 8 2022<br /> pstate: 40000005 (nZcv daif -PAN -UAO)<br /> pc : hw_stat_port_show+0x4c/0x80 [ib_core]<br /> lr : port_attr_show+0x40/0x58 [ib_core]<br /> sp : ffff000029f43b50<br /> x29: ffff000029f43b50 x28: 0000000019375000<br /> x27: ffff8007b821a540 x26: ffff000029f43e30<br /> x25: 0000000000008000 x24: ffff000000eaa958<br /> x23: 0000000000001000 x22: ffff8007a4ce3000<br /> x21: ffff8007baff8000 x20: ffff8007b9066ac0<br /> x19: ffff8007bae97578 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000<br /> x15: 0000000000000000 x14: 0000000000000000<br /> x13: 0000000000000000 x12: 0000000000000000<br /> x11: 0000000000000000 x10: 0000000000000000<br /> x9 : 0000000000000000 x8 : ffff8007a4ce4000<br /> x7 : 0000000000000000 x6 : 000000000000003f<br /> x5 : ffff000000e6a280 x4 : ffff8007a4ce3000<br /> x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab<br /> x1 : ffff8007b9066a10 x0 : ffff8007baff8000<br /> Call trace:<br /> hw_stat_port_show+0x4c/0x80 [ib_core]<br /> port_attr_show+0x40/0x58 [ib_core]<br /> sysfs_kf_seq_show+0x8c/0x150<br /> kernfs_seq_show+0x44/0x50<br /> seq_read+0x1b4/0x45c<br /> kernfs_fop_read+0x148/0x1d8<br /> __vfs_read+0x58/0x180<br /> vfs_read+0x94/0x154<br /> ksys_read+0x68/0xd8<br /> __arm64_sys_read+0x28/0x34<br /> el0_svc_common+0x88/0x18c<br /> el0_svc_handler+0x78/0x94<br /> el0_svc+0x8/0xe8<br /> Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd: fix potential memory leak<br /> <br /> This patch fix potential memory leak (clk_src) when function run<br /> into last return NULL.<br /> <br /> s/free/kfree/ - Alex