Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we provide interested users with a database containing information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database), under a collaboration agreement by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used to facilitate the exchange of information between different databases and tools. Each listed vulnerability links to various sources of information, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option of selecting different criteria such as type of vulnerability, manufacturer and type of impact, among others, in order to narrow the results.

Through an RSS subscription or the newsletters we can be informed daily of the latest vulnerabilities added to the repository.

CVE-2025-40138

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency()

syzbot reported a f2fs bug as below:

Oops: gen[ 107.736417][ T5848] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 5848 Comm: syz-executor263 Tainted: G W 6.17.0-rc1-syzkaller-00014-g0e39a731820a #0 PREEMPT_{RT,(full)}
RIP: 0010:strcmp+0x3c/0xc0 lib/string.c:284
Call Trace:
  f2fs_check_quota_consistency fs/f2fs/super.c:1188 [inline]
  f2fs_check_opt_consistency+0x1378/0x2c10 fs/f2fs/super.c:1436
  __f2fs_remount fs/f2fs/super.c:2653 [inline]
  f2fs_reconfigure+0x482/0x1770 fs/f2fs/super.c:5297
  reconfigure_super+0x224/0x890 fs/super.c:1077
  do_remount fs/namespace.c:3314 [inline]
  path_mount+0xd18/0xfe0 fs/namespace.c:4112
  do_mount fs/namespace.c:4133 [inline]
  __do_sys_mount fs/namespace.c:4344 [inline]
  __se_sys_mount+0x317/0x410 fs/namespace.c:4321
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

The direct reason is f2fs_check_quota_consistency() may suffer a null-ptr-deref issue in strcmp().

The bug can be reproduced w/ below scripts:
  mkfs.f2fs -f /dev/vdb
  mount -t f2fs -o usrquota /dev/vdb /mnt/f2fs
  quotacheck -uc /mnt/f2fs/
  umount /mnt/f2fs
  mount -t f2fs -o usrjquota=aquota.user,jqfmt=vfsold /dev/vdb /mnt/f2fs
  mount -t f2fs -o remount,usrjquota=,jqfmt=vfsold /dev/vdb /mnt/f2fs
  umount /mnt/f2fs

So, before old_qname and new_qname comparison, we need to check whether they are all valid pointers, fix it.
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40139

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set().

smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL.

Using sk_dst_get(sk)->dev could trigger UAF.

Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() after kernel_getsockname().

Note that the returned value of smc_clc_prfx_set() is not used in the caller.

While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst there.
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40140

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
This is the sequence of events that leads to the warning:

rtl8150_start_xmit() {
  netif_stop_queue();
  usb_submit_urb(dev->tx_urb);
}

rtl8150_set_multicast() {
  netif_stop_queue();
  netif_wake_queue(); tx_urb);
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40141

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix possible UAF on iso_conn_free

This attempts to fix an issue similar to sco_conn_free, where if conn->sk is not set to NULL it may lead to a UAF on iso_conn_free.
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40125

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx

In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:

kernfs: can not remove 'nr_tags', no directory
WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160
Call Trace:
  remove_files.isra.1+0x38/0xb0
  sysfs_remove_group+0x4d/0x100
  sysfs_remove_groups+0x31/0x60
  __kobject_del+0x23/0xf0
  kobject_del+0x17/0x40
  blk_mq_unregister_hctx+0x5d/0x80
  blk_mq_sysfs_unregister_hctxs+0x94/0xd0
  blk_mq_update_nr_hw_queues+0x124/0x760
  nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
  nullb_device_submit_queues_store+0x92/0x120 [null_blk]

kobject_del() was called unconditionally even if sysfs creation failed.
Fix it by checking the kobject creation status before deleting it.
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40126

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC

The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40127

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

hwrng: ks-sa - fix division by zero in ks_sa_rng_init

Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values.

Add clock initialization code before using the clock.

drivers/char/hw_random/ks-sa-rng.c | 7 +++++++
1 file changed, 7 insertions(+)
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40128

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix symbolic link reading when bs > ps

[BUG DURING BS > PS TEST]
When running the following script on a btrfs whose block size is larger than page size, e.g. 8K block size and 4K page size, it will trigger a kernel BUG:

  # mkfs.btrfs -s 8k $dev
  # mount $dev $mnt
  # mkdir $mnt/dir
  # ln -s dir $mnt/link
  # ls $mnt/link

The call trace looks like this:

BTRFS warning (device dm-2): support for block size 8192 with page size 4096 is experimental, some features may be missing
BTRFS info (device dm-2): checking UUID tree
BTRFS info (device dm-2): enabling ssd optimizations
BTRFS info (device dm-2): enabling free space tree
------------[ cut here ]------------
kernel BUG at /home/adam/linux/include/linux/highmem.h:275!
Oops: invalid opcode: 0000 [#1] SMP
CPU: 8 UID: 0 PID: 667 Comm: ls Tainted: G OE 6.17.0-rc4-custom+ #283 PREEMPT(full)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
RIP: 0010:zero_user_segments.constprop.0+0xdc/0xe0 [btrfs]
Call Trace:
  btrfs_get_extent.cold+0x85/0x101 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]
  btrfs_do_readpage+0x244/0x750 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]
  btrfs_read_folio+0x9c/0x100 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]
  filemap_read_folio+0x37/0xe0
  do_read_cache_folio+0x94/0x3e0
  __page_get_link.isra.0+0x20/0x90
  page_get_link+0x16/0x40
  step_into+0x69b/0x830
  path_lookupat+0xa7/0x170
  filename_lookup+0xf7/0x200
  ? set_ptes.isra.0+0x36/0x70
  vfs_statx+0x7a/0x160
  do_statx+0x63/0xa0
  __x64_sys_statx+0x90/0xe0
  do_syscall_64+0x82/0xae0
  entry_SYSCALL_64_after_hwframe+0x4b/0x53

Please note bs > ps support is still under development and the enablement patch is not even in btrfs development branch.

[CAUSE]
Btrfs reuses its data folio read path to handle symbolic links, as the symbolic link target is stored as an inline data extent.

But for newly created inodes, btrfs only set the minimal order if the target inode is a regular file.

Thus for the above newly created symbolic link, it doesn't properly respect the minimal folio order, and triggered the above crash.

[FIX]
Call btrfs_set_inode_mapping_order() unconditionally inside btrfs_create_new_inode().

For symbolic links this will fix the crash as now the folio will meet the minimal order.

For regular files this brings no change.

For directory/bdev/char and all the other types of inodes, they won't go through the data read path, thus no effect either.
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40129

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix null pointer dereference on zero-length checksum

In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT.
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40130

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix data race in CPU latency PM QoS request handling

The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues.

A typical race condition call trace is:

[Thread A]
ufshcd_pm_qos_exit()
--> cpu_latency_qos_remove_request()
--> cpu_latency_qos_apply();
--> pm_qos_update_target()
--> plist_del memset(req, 0, sizeof(*req));
--> hba->pm_qos_enabled = false;

[Thread B]
ufshcd_devfreq_target
--> ufshcd_devfreq_scale
--> ufshcd_scale_clks
--> ufshcd_pm_qos_update cpu_latency_qos_update_request
--> pm_qos_update_target
--> plist_del
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40131

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()

In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because rxcb->peer_id is not updated with a valid value. This is expected in monitor mode, where RX frames bypass the regular RX descriptor path that typically sets rxcb->peer_id. As a result, the peer is NULL, and link_id and link_valid fields in the RX status are not populated. This leads to a WARN_ON in mac80211 when it receives a data frame from an associated station with invalid link_id.

Fix this potential issue by using ppduinfo->peer_id, which holds the correct peer id for the received frame. This ensures that the peer is correctly found and the associated link metadata is updated accordingly.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity: Pending analysis
Last modified:
12/11/2025

CVE-2025-40132

Publication date:
12/11/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback

In create_sdw_dailink() check that sof_end->codec_info->add_sidecar is not NULL before calling it.

The original code assumed that if include_sidecar is true, the codec on that link has an add_sidecar callback. But there could be other codecs on the same link that do not have an add_sidecar callback.
Severity: Pending analysis
Last modified:
12/11/2025