Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cachefiles: fix incorrect dentry refcount in cachefiles_cull()<br /> <br /> The patch mentioned below changed cachefiles_bury_object() to expect 2<br /> references to the &amp;#39;rep&amp;#39; dentry. Three of the callers were changed to<br /> use start_removing_dentry() which takes an extra reference so in those<br /> cases the call gets the expected references.<br /> <br /> However there is another call to cachefiles_bury_object() in<br /> cachefiles_cull() which did not need to be changed to use<br /> start_removing_dentry() and so was not properly considered.<br /> It still passed the dentry with just one reference so the net result is<br /> that a reference is lost.<br /> <br /> To meet the expectations of cachefiles_bury_object(), cachefiles_cull()<br /> must take an extra reference before the call. It will be dropped by<br /> cachefiles_bury_object().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: validate bsscfg indices in IF events<br /> <br /> brcmf_fweh_handle_if_event() validates the firmware-provided interface<br /> index before it touches drvr-&gt;iflist[], but it still uses the raw<br /> bsscfgidx field as an array index without a matching range check.<br /> <br /> Reject IF events whose bsscfg index does not fit in drvr-&gt;iflist[]<br /> before indexing the interface array.<br /> <br /> [add missing wifi prefix]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: roccat: fix use-after-free in roccat_report_event<br /> <br /> roccat_report_event() iterates over the device-&gt;readers list without<br /> holding the readers_lock. This allows a concurrent roccat_release() to<br /> remove and free a reader while it&amp;#39;s still being accessed, leading to a<br /> use-after-free.<br /> <br /> Protect the readers list traversal with the readers_lock mutex.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath<br /> <br /> When cifs_sanitize_prepath is called with an empty string or a string<br /> containing only delimiters (e.g., "/"), the current logic attempts to<br /> check *(cursor2 - 1) before cursor2 has advanced. This results in an<br /> out-of-bounds read.<br /> <br /> This patch adds an early exit check after stripping prepended<br /> delimiters. If no path content remains, the function returns NULL.<br /> <br /> The bug was identified via manual audit and verified using a<br /> standalone test case compiled with AddressSanitizer, which<br /> triggered a SEGV on affected inputs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vc4: Fix memory leak of BO array in hang state<br /> <br /> The hang state&amp;#39;s BO array is allocated separately with kzalloc() in<br /> vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the<br /> missing kfree() for the BO array before freeing the hang state struct.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: account XFRMA_IF_ID in aevent size calculation<br /> <br /> xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then<br /> build_aevent() appends attributes including XFRMA_IF_ID when x-&gt;if_id is<br /> set.<br /> <br /> xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states<br /> with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei<br /> <br /> It looks element length declared in servreg_loc_pfr_req_ei for reason<br /> not matching servreg_loc_pfr_req&amp;#39;s reason field due which we could<br /> observe decoding error on PD crash.<br /> <br /> qmi_decode_string_elem: String len 81 &gt;= Max Len 65<br /> <br /> Fix this by matching with servreg_loc_pfr_req&amp;#39;s reason field.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86: shadow stacks: proper error handling for mmap lock<br /> <br /> 김영민 reports that shstk_pop_sigframe() doesn&amp;#39;t check for errors from<br /> mmap_read_lock_killable(), which is a silly oversight, and also shows<br /> that we haven&amp;#39;t marked those functions with "__must_check", which would<br /> have immediately caught it.<br /> <br /> So let&amp;#39;s fix both issues.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv4: icmp: fix null-ptr-deref in icmp_build_probe()<br /> <br /> ipv6_stub-&gt;ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the<br /> IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing<br /> this error pointer to dev_hold() will cause a kernel crash with<br /> null-ptr-deref.<br /> <br /> Instead, silently discard the request. RFC 8335 does not appear to<br /> define a specific response for the case where an IPv6 interface<br /> identifier is syntactically valid but the implementation cannot perform<br /> the lookup at runtime, and silently dropping the request may safer than<br /> misreporting "No Such Interface".

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()<br /> <br /> We need to check __in6_dev_get() for possible NULL value, as<br /> suggested by Yiming Qian.<br /> <br /> Also add skb_dst_dev_rcu() instead of skb_dst_dev(),<br /> and two missing READ_ONCE().<br /> <br /> Note that @dev can&amp;#39;t be NULL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bridge: guard local VLAN-0 FDB helpers against NULL vlan group<br /> <br /> When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and<br /> nbp_vlan_group() return NULL (br_private.h stub definitions). The<br /> BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and<br /> reaches br_fdb_delete_locals_per_vlan_port() and<br /> br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer<br /> is dereferenced via list_for_each_entry(v, &amp;vg-&gt;vlan_list, vlist).<br /> <br /> The observed crash is in the delete path, triggered when creating a<br /> bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0<br /> via RTM_NEWLINK. The insert helper has the same bug pattern.<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]<br /> RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310<br /> Call Trace:<br /> br_fdb_toggle_local_vlan_0+0x452/0x4c0<br /> br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276<br /> br_boolopt_toggle net/bridge/br.c:313<br /> br_boolopt_multi_toggle net/bridge/br.c:364<br /> br_changelink net/bridge/br_netlink.c:1542<br /> br_dev_newlink net/bridge/br_netlink.c:1575<br /> <br /> Add NULL checks for the vlan group pointer in both helpers, returning<br /> early when there are no VLANs to iterate. This matches the existing<br /> pattern used by other bridge FDB functions such as br_fdb_add() and<br /> br_fdb_delete().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: airoha: Fix memory leak in airoha_qdma_rx_process()<br /> <br /> If an error occurs on the subsequents buffers belonging to the<br /> non-linear part of the skb (e.g. due to an error in the payload length<br /> reported by the NIC or if we consumed all the available fragments for<br /> the skb), the page_pool fragment will not be linked to the skb so it will<br /> not return to the pool in the airoha_qdma_rx_process() error path. Fix the<br /> memory leak partially reverting commit &amp;#39;d6d2b0e1538d ("net: airoha: Fix<br /> page recycling in airoha_qdma_rx_process()")&amp;#39; and always running<br /> page_pool_put_full_page routine in the airoha_qdma_rx_process() error<br /> path.