Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35<br /> <br /> [Why]<br /> A backport of the change made for DCN401 that addresses an issue where<br /> we turn off the PHY PLL when disabling TMDS output, which causes the<br /> OTG to remain stuck.<br /> <br /> The OTG being stuck can lead to a hang in the DCHVM&amp;#39;s ability to ACK<br /> invalidations when it thinks the HUBP is still on but it&amp;#39;s not receiving<br /> global sync.<br /> <br /> The transition to PLL_ON needs to be atomic as there&amp;#39;s no guarantee<br /> that the thread isn&amp;#39;t pre-empted or is able to complete before the<br /> IOMMU watchdog times out.<br /> <br /> [How]<br /> Backport the implementation from dcn401 back to dcn35.<br /> <br /> There&amp;#39;s a functional difference in when the eDP output is disabled in<br /> dcn401 code so we don&amp;#39;t want to utilize it directly.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix signededness bug in smb_direct_prepare_negotiation()<br /> <br /> smb_direct_prepare_negotiation() casts an unsigned __u32 value<br /> from sp-&gt;max_recv_size and req-&gt;preferred_send_size to a signed<br /> int before computing min_t(int, ...). A maliciously provided<br /> preferred_send_size of 0x80000000 will return as smaller than<br /> max_recv_size, and then be used to set the maximum allowed<br /> alowed receive size for the next message.<br /> <br /> By sending a second message with a large value (&gt;1420 bytes)<br /> the attacker can then achieve a heap buffer overflow.<br /> <br /> This fix replaces min_t(int, ...) with min_t(u32)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rnbd-srv: Zero the rsp buffer before using it<br /> <br /> Before using the data buffer to send back the response message, zero it<br /> completely. This prevents any stray bytes to be picked up by the client<br /> side when there the message is exchanged between different protocol<br /> versions.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: ccs: Avoid possible division by zero<br /> <br /> Calculating maximum M for scaler configuration involves dividing by<br /> MIN_X_OUTPUT_SIZE limit register&amp;#39;s value. Albeit the value is presumably<br /> non-zero, the driver was missing the check it in fact was. Fix this.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: sysfs: fix chip removal with GPIOs exported over sysfs<br /> <br /> Currently if we export a GPIO over sysfs and unbind the parent GPIO<br /> controller, the exported attribute will remain under /sys/class/gpio<br /> because once we remove the parent device, we can no longer associate the<br /> descriptor with it in gpiod_unexport() and never drop the final<br /> reference.<br /> <br /> Rework the teardown code: provide an unlocked variant of<br /> gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken<br /> before unregistering the parent device itself. This is done to prevent<br /> any new exports happening before we unregister the device completely.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: cx25821: Fix a resource leak in cx25821_dev_setup()<br /> <br /> Add release_mem_region() if ioremap() fails to release the memory<br /> region obtained by cx25821_get_resources().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode<br /> <br /> kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls<br /> netif_stop_queue() and netif_wake_queue(). These are TX queue flow<br /> control functions unrelated to RX multicast configuration.<br /> <br /> The premature netif_wake_queue() can re-enable TX while tx_urb is still<br /> in-flight, leading to a double usb_submit_urb() on the same URB:<br /> <br /> kaweth_start_xmit() {<br /> netif_stop_queue();<br /> usb_submit_urb(kaweth-&gt;tx_urb);<br /> }<br /> <br /> kaweth_set_rx_mode() {<br /> netif_stop_queue();<br /> netif_wake_queue(); // wakes TX queue before URB is done<br /> }<br /> <br /> kaweth_start_xmit() {<br /> netif_stop_queue();<br /> usb_submit_urb(kaweth-&gt;tx_urb); // URB submitted while active<br /> }<br /> <br /> This triggers the WARN in usb_submit_urb():<br /> <br /> "URB submitted while active"<br /> <br /> This is a similar class of bug fixed in rtl8150 by<br /> <br /> - commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").<br /> <br /> Also kaweth_set_rx_mode() is already functionally broken, the<br /> real set_rx_mode action is performed by kaweth_async_set_rx_mode(),<br /> which in turn is not a no-op only at ndo_open() time.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix incorrect early exits for invalid metabox-enabled images<br /> <br /> Crafted EROFS images with metadata compression enabled can trigger<br /> incorrect early returns, leading to folio reference leaks.<br /> <br /> However, this does not cause system crashes or other severe issues.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> procfs: fix possible double mmput() in do_procmap_query()<br /> <br /> When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY<br /> we return with -ENAMETOOLONG error. After recent changes this condition<br /> happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(),<br /> so original goto out is now wrong and will double-mmput() mm_struct. Fix<br /> by jumping further to clean up only vm_file and name_buf.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: ipu6: Fix RPM reference leak in probe error paths<br /> <br /> Several error paths in ipu6_pci_probe() were jumping directly to<br /> out_ipu6_bus_del_devices without releasing the runtime PM reference.<br /> Add pm_runtime_put_sync() before cleaning up other resources.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: pci: validate release report content before using for RTL8922DE<br /> <br /> The commit 957eda596c76<br /> ("wifi: rtw89: pci: validate sequence number of TX release report")<br /> does validation on existing chips, which somehow a release report of SKB<br /> becomes malformed. As no clear cause found, add rules ahead for RTL8922DE<br /> to avoid crash if it happens.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841<br /> <br /> The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure<br /> there are 8 slots for those newly registered clk_hw pointers, else<br /> there is going to be out of bounds write when pointers 4..7 are set<br /> into struct rs9_driver_data .clk_dif[4..7] field.<br /> <br /> Since there are other structure members past this struct clk_hw<br /> pointer array, writing to .clk_dif[4..7] fields corrupts both<br /> the struct rs9_driver_data content and data around it, sometimes<br /> without crashing the kernel. However, the kernel does surely<br /> crash when the driver is unbound or during suspend.<br /> <br /> Fix this, increase the struct clk_hw pointer array size to the<br /> maximum output count of 9FGV0841, which is the biggest chip that<br /> is supported by this driver.