Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix incorrect early exits in volume label handling<br /> <br /> Crafted EROFS images containing valid volume labels can trigger<br /> incorrect early returns, leading to folio reference leaks.<br /> <br /> However, this does not cause system crashes or other severe issues.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mux: mmio: fix regmap leak on probe failure<br /> <br /> The mmio regmap that may be allocated during probe is never freed.<br /> <br /> Switch to using the device managed allocator so that the regmap is<br /> released on probe failures (e.g. probe deferral) and on driver unbind.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: pegasus: enable basic endpoint checking<br /> <br /> pegasus_probe() fills URBs with hardcoded endpoint pipes without<br /> verifying the endpoint descriptors:<br /> <br /> - usb_rcvbulkpipe(dev, 1) for RX data<br /> - usb_sndbulkpipe(dev, 2) for TX data<br /> - usb_rcvintpipe(dev, 3) for status interrupts<br /> <br /> A malformed USB device can present these endpoints with transfer types<br /> that differ from what the driver assumes.<br /> <br /> Add a pegasus_usb_ep enum for endpoint numbers, replacing magic<br /> constants throughout. Add usb_check_bulk_endpoints() and<br /> usb_check_int_endpoints() calls before any resource allocation to<br /> verify endpoint types before use, rejecting devices with mismatched<br /> descriptors at probe time, and avoid triggering assertion.<br /> <br /> Similar fix to<br /> - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")<br /> - commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-af: CGX: fix bitmap leaks<br /> <br /> The RX/TX flow-control bitmaps (rx_fc_pfvf_bmap and tx_fc_pfvf_bmap)<br /> are allocated by cgx_lmac_init() but never freed in cgx_lmac_exit().<br /> Unbinding and rebinding the driver therefore triggers kmemleak:<br /> <br /> unreferenced object (size 16):<br /> backtrace:<br /> rvu_alloc_bitmap<br /> cgx_probe<br /> <br /> Free both bitmaps during teardown.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: rtl8723bs: fix null dereference in find_network<br /> <br /> The variable pwlan has the possibility of being NULL when passed into<br /> rtw_free_network_nolock() which would later dereference the variable.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mfd: macsmc: Initialize mutex<br /> <br /> Initialize struct apple_smc&amp;#39;s mutex in apple_smc_probe(). Using the<br /> mutex uninitialized surprisingly resulted only in occasional NULL<br /> pointer dereferences in apple_smc_read() calls from the probe()<br /> functions of sub devices.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/arm-cmn: Reject unsupported hardware configurations<br /> <br /> So far we&amp;#39;ve been fairly lax about accepting both unknown CMN models<br /> (at least with a warning), and unknown revisions of those which we<br /> do know, as although things do frequently change between releases,<br /> typically enough remains the same to be somewhat useful for at least<br /> some basic bringup checks. However, we also make assumptions of the<br /> maximum supported sizes and numbers of things in various places, and<br /> there&amp;#39;s no guarantee that something new might not be bigger and lead<br /> to nasty array overflows. Make sure we only try to run on things that<br /> actually match our assumptions and so will not risk memory corruption.<br /> <br /> We have at least always failed on completely unknown node types, so<br /> update that error message for clarity and consistency too.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: iris: Add buffer to list only after successful allocation<br /> <br /> Move `list_add_tail()` to after `dma_alloc_attrs()` succeeds when creating<br /> internal buffers. Previously, the buffer was enqueued in `buffers-&gt;list`<br /> before the DMA allocation. If the allocation failed, the function returned<br /> `-ENOMEM` while leaving a partially initialized buffer in the list, which<br /> could lead to inconsistent state and potential leaks.<br /> <br /> By adding the buffer to the list only after `dma_alloc_attrs()` succeeds,<br /> we ensure the list contains only valid, fully initialized buffers.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"<br /> <br /> This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking<br /> when enabling/disabling SR-IOV"), which causes a deadlock by recursively<br /> taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of<br /> pci_stop_and_remove_bus_device(). For example with the following sequence<br /> of commands:<br /> <br /> $ echo &gt; /sys/bus/pci/devices//sriov_numvfs<br /> $ echo 1 &gt; /sys/bus/pci/devices//remove<br /> <br /> A trimmed trace of the deadlock on a mlx5 device is as below:<br /> <br /> zsh/5715 is trying to acquire lock:<br /> 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140<br /> <br /> but task is already holding lock:<br /> 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80<br /> ...<br /> Call Trace:<br /> [] dump_stack_lvl+0xc0/0x110<br /> [] print_deadlock_bug+0x31e/0x330<br /> [] __lock_acquire+0x16c8/0x32f0<br /> [] lock_acquire+0x14c/0x350<br /> [] __mutex_lock_common+0xe6/0x1520<br /> [] mutex_lock_nested+0x3c/0x50<br /> [] sriov_disable+0x34/0x140<br /> [] mlx5_sriov_disable+0x50/0x80 [mlx5_core]<br /> [] remove_one+0x5e/0xf0 [mlx5_core]<br /> [] pci_device_remove+0x3c/0xa0<br /> [] device_release_driver_internal+0x18e/0x280<br /> [] pci_stop_bus_device+0x82/0xa0<br /> [] pci_stop_and_remove_bus_device_locked+0x5e/0x80<br /> [] remove_store+0x72/0x90<br /> [] kernfs_fop_write_iter+0x15a/0x200<br /> [] vfs_write+0x24c/0x300<br /> [] ksys_write+0x86/0x110<br /> [] __do_syscall+0x14c/0x400<br /> [] system_call+0x6e/0x90<br /> <br /> This alone is not a complete fix as it restores the issue the cited commit<br /> tried to solve. A new fix will be provided as a follow on.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()<br /> <br /> As kcalloc() may fail, check its return value to avoid a NULL pointer<br /> dereference when passing it to of_property_read_u32_array().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()<br /> <br /> The priv-&gt;rx_buffer and priv-&gt;tx_buffer are alloc&amp;#39;d together as<br /> contiguous buffers in uhdlc_init() but freed as two buffers in<br /> uhdlc_memclean().<br /> <br /> Change the cleanup to only call dma_free_coherent() once on the whole<br /> buffer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "media: iris: Add sanity check for stop streaming"<br /> <br /> This reverts commit ad699fa78b59241c9d71a8cafb51525f3dab04d4.<br /> <br /> Revert the check that skipped stop_streaming when the instance was in<br /> IRIS_INST_ERROR, as it caused multiple regressions:<br /> <br /> 1. Buffers were not returned to vb2 when the instance was already in<br /> error state, triggering warnings in the vb2 core because buffer<br /> completion was skipped.<br /> <br /> 2. If a session failed early (e.g. unsupported configuration), the<br /> instance transitioned to IRIS_INST_ERROR. When userspace attempted<br /> to stop streaming for cleanup, stop_streaming was skipped due to the<br /> added check, preventing proper teardown and leaving the firmware<br /> in an inconsistent state.