Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hv_netvsc: Fix panic during namespace deletion with VF<br /> <br /> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is<br /> received on netvsc NIC. During deletion of the namespace,<br /> default_device_exit_batch() &gt;&gt; default_device_exit_net() is called. When<br /> netvsc NIC is moved back and registered to the default namespace, it<br /> automatically brings VF NIC back to the default namespace. This will cause<br /> the default_device_exit_net() &gt;&gt; for_each_netdev_safe loop unable to detect<br /> the list end, and hit NULL ptr:<br /> <br /> [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0<br /> [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010<br /> [ 231.450246] #PF: supervisor read access in kernel mode<br /> [ 231.450579] #PF: error_code(0x0000) - not-present page<br /> [ 231.450916] PGD 17b8a8067 P4D 0<br /> [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI<br /> [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY<br /> [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024<br /> [ 231.452692] Workqueue: netns cleanup_net<br /> [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0<br /> [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00<br /> [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246<br /> [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb<br /> [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564<br /> [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000<br /> [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340<br /> [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340<br /> [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000<br /> [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0<br /> [ 231.458434] Call Trace:<br /> [ 231.458600] <br /> [ 231.458777] ops_undo_list+0x100/0x220<br /> [ 231.459015] cleanup_net+0x1b8/0x300<br /> [ 231.459285] process_one_work+0x184/0x340<br /> <br /> To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid<br /> changing the netdev list when default_device_exit_net() is using it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> comedi: fix race between polling and detaching<br /> <br /> syzbot reports a use-after-free in comedi in the below link, which is<br /> due to comedi gladly removing the allocated async area even though poll<br /> requests are still active on the wait_queue_head inside of it. This can<br /> cause a use-after-free when the poll entries are later triggered or<br /> removed, as the memory for the wait_queue_head has been freed. We need<br /> to check there are no tasks queued on any of the subdevices&amp;#39; wait queues<br /> before allowing the device to be detached by the `COMEDI_DEVCONFIG`<br /> ioctl.<br /> <br /> Tasks will read-lock `dev-&gt;attach_lock` before adding themselves to the<br /> subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl<br /> handler by write-locking `dev-&gt;attach_lock` before checking that all of<br /> the subdevices are safe to be deleted. This includes testing for any<br /> sleepers on the subdevices&amp;#39; wait queues. It remains locked until the<br /> device has been detached. This requires the `comedi_device_detach()`<br /> function to be refactored slightly, moving the bulk of it into new<br /> function `comedi_device_detach_locked()`.<br /> <br /> Note that the refactor of `comedi_device_detach()` results in<br /> `comedi_device_cancel_all()` now being called while `dev-&gt;attach_lock`<br /> is write-locked, which wasn&amp;#39;t the case previously, but that does not<br /> matter.<br /> <br /> Thanks to Jens Axboe for diagnosing the problem and co-developing this<br /> patch.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommufd: Prevent ALIGN() overflow<br /> <br /> When allocating IOVA the candidate range gets aligned to the target<br /> alignment. If the range is close to ULONG_MAX then the ALIGN() can<br /> wrap resulting in a corrupted iova.<br /> <br /> Open code the ALIGN() using get_add_overflow() to prevent this.<br /> This simplifies the checks as we don&amp;#39;t need to check for length earlier<br /> either.<br /> <br /> Consolidate the two copies of this code under a single helper.<br /> <br /> This bug would allow userspace to create a mapping that overlaps with some<br /> other mapping or a reserved range.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry<br /> <br /> When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with<br /> obtaining a folio and accessing it even though the entry is swp_entry_t. <br /> Add the missing check and let split_huge_pmd() handle migration entries. <br /> While at it also remove unnecessary folio check.<br /> <br /> [surenb@google.com: remove extra folio check, per David]

*** Pendiente de traducción *** NVIDIA HGX and DGX contain a vulnerability where a misconfiguration of the LS10 could enable an attacker to set an unsafe debug access level. A successful exploit of this vulnerability might lead to denial of service.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: venus: Fix OOB read due to missing payload bound check<br /> <br /> Currently, The event_seq_changed() handler processes a variable number<br /> of properties sent by the firmware. The number of properties is indicated<br /> by the firmware and used to iterate over the payload. However, the<br /> payload size is not being validated against the actual message length.<br /> <br /> This can lead to out-of-bounds memory access if the firmware provides a<br /> property count that exceeds the data available in the payload. Such a<br /> condition can result in kernel crashes or potential information leaks if<br /> memory beyond the buffer is accessed.<br /> <br /> Fix this by properly validating the remaining size of the payload before<br /> each property access and updating bounds accordingly as properties are<br /> parsed.<br /> <br /> This ensures that property parsing is safely bounded within the received<br /> message buffer and protects against malformed or malicious firmware<br /> behavior.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()<br /> <br /> Memory hot remove unmaps and tears down various kernel page table regions<br /> as required. The ptdump code can race with concurrent modifications of<br /> the kernel page tables. When leaf entries are modified concurrently, the<br /> dump code may log stale or inconsistent information for a VA range, but<br /> this is otherwise not harmful.<br /> <br /> But when intermediate levels of kernel page table are freed, the dump code<br /> will continue to use memory that has been freed and potentially<br /> reallocated for another purpose. In such cases, the ptdump code may<br /> dereference bogus addresses, leading to a number of potential problems.<br /> <br /> To avoid the above mentioned race condition, platforms such as arm64,<br /> riscv and s390 take memory hotplug lock, while dumping kernel page table<br /> via the sysfs interface /sys/kernel/debug/kernel_page_tables.<br /> <br /> Similar race condition exists while checking for pages that might have<br /> been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages<br /> which in turn calls ptdump_check_wx(). Instead of solving this race<br /> condition again, let&amp;#39;s just move the memory hotplug lock inside generic<br /> ptdump_check_wx() which will benefit both the scenarios.<br /> <br /> Drop get_online_mems() and put_online_mems() combination from all existing<br /> platform ptdump code paths.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()<br /> <br /> The buffer length check before calling uvc_parse_format() only ensured<br /> that the buffer has at least 3 bytes (buflen &gt; 2), buf the function<br /> accesses buffer[3], requiring at least 4 bytes.<br /> <br /> This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.<br /> <br /> Fix it by checking that the buffer has at least 4 bytes in<br /> uvc_parse_format().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i2c: core: Fix double-free of fwnode in i2c_unregister_device()<br /> <br /> Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct<br /> device"), i2c_unregister_device() only called fwnode_handle_put() on<br /> of_node-s in the form of calling of_node_put(client-&gt;dev.of_node).<br /> <br /> But after this commit the i2c_client&amp;#39;s fwnode now unconditionally gets<br /> fwnode_handle_put() on it.<br /> <br /> When the i2c_client has no primary (ACPI / OF) fwnode but it does have<br /> a software fwnode, the software-node will be the primary node and<br /> fwnode_handle_put() will put() it.<br /> <br /> But for the software fwnode device_remove_software_node() will also put()<br /> it leading to a double free:<br /> <br /> [ 82.665598] ------------[ cut here ]------------<br /> [ 82.665609] refcount_t: underflow; use-after-free.<br /> [ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11<br /> ...<br /> [ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110<br /> ...<br /> [ 82.666962] <br /> [ 82.666971] i2c_unregister_device+0x60/0x90<br /> <br /> Fix this by not calling fwnode_handle_put() when the primary fwnode is<br /> a software-node.

*** Pendiente de traducción *** NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

*** Pendiente de traducción *** NVIDIA Mellanox DPDK contains a vulnerability in Poll Mode Driver (PMD), where an attacker on a VM in the system might be able to cause information disclosure and denial of service on the network interface.

*** Pendiente de traducción *** NVIDIA Cumulus Linux and NVOS products contain a vulnerability, where hashed user passwords are not properly suppressed in log files, potentially disclosing information to unauthorized users.