Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: uvcvideo: Fix memory leak in uvc_gpio_parse<br /> <br /> Previously the unit buffer was allocated before checking the IRQ for<br /> privacy GPIO. In case of error, the unit buffer was leaked.<br /> <br /> Allocate the unit buffer after the IRQ to avoid it.<br /> <br /> Addresses-Coverity-ID: 1474639 ("Resource leak")

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm: Prevent drm_copy_field() to attempt copying a NULL pointer<br /> <br /> There are some struct drm_driver fields that are required by drivers since<br /> drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.<br /> <br /> But it can be possible that a driver has a bug and did not set some of the<br /> fields, which leads to drm_copy_field() attempting to copy a NULL pointer:<br /> <br /> [ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000<br /> [ +0.010955] Mem abort info:<br /> [ +0.002835] ESR = 0x0000000096000004<br /> [ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ +0.005395] SET = 0, FnV = 0<br /> [ +0.003113] EA = 0, S1PTW = 0<br /> [ +0.003182] FSC = 0x04: level 0 translation fault<br /> [ +0.004964] Data abort info:<br /> [ +0.002919] ISV = 0, ISS = 0x00000004<br /> [ +0.003886] CM = 0, WnR = 0<br /> [ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000<br /> [ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000<br /> [ +0.006925] Internal error: Oops: 96000004 [#1] SMP<br /> ...<br /> [ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ +0.007061] pc : __pi_strlen+0x14/0x150<br /> [ +0.003895] lr : drm_copy_field+0x30/0x1a4<br /> [ +0.004156] sp : ffff8000094b3a50<br /> [ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040<br /> [ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040<br /> [ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000<br /> [ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000<br /> [ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40<br /> [ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> [ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8<br /> [ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141<br /> [ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000<br /> [ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000<br /> [ +0.007240] Call trace:<br /> [ +0.002475] __pi_strlen+0x14/0x150<br /> [ +0.003537] drm_version+0x84/0xac<br /> [ +0.003448] drm_ioctl_kernel+0xa8/0x16c<br /> [ +0.003975] drm_ioctl+0x270/0x580<br /> [ +0.003448] __arm64_sys_ioctl+0xb8/0xfc<br /> [ +0.003978] invoke_syscall+0x78/0x100<br /> [ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4<br /> [ +0.004767] do_el0_svc+0x38/0x4c<br /> [ +0.003357] el0_svc+0x34/0x100<br /> [ +0.003185] el0t_64_sync_handler+0x11c/0x150<br /> [ +0.004418] el0t_64_sync+0x190/0x194<br /> [ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)<br /> [ +0.006180] ---[ end trace 0000000000000000 ]---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed<br /> <br /> There is a null-ptr-deref when mount.cifs over rdma:<br /> <br /> BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]<br /> Read of size 8 at addr 0000000000000018 by task mount.cifs/3046<br /> <br /> CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x34/0x44<br /> kasan_report+0xad/0x130<br /> rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]<br /> execute_in_process_context+0x25/0x90<br /> __rxe_cleanup+0x101/0x1d0 [rdma_rxe]<br /> rxe_create_qp+0x16a/0x180 [rdma_rxe]<br /> create_qp.part.0+0x27d/0x340<br /> ib_create_qp_kernel+0x73/0x160<br /> rdma_create_qp+0x100/0x230<br /> _smbd_get_connection+0x752/0x20f0<br /> smbd_get_connection+0x21/0x40<br /> cifs_get_tcp_session+0x8ef/0xda0<br /> mount_get_conns+0x60/0x750<br /> cifs_mount+0x103/0xd00<br /> cifs_smb3_do_mount+0x1dd/0xcb0<br /> smb3_get_tree+0x1d5/0x300<br /> vfs_get_tree+0x41/0xf0<br /> path_mount+0x9b3/0xdd0<br /> __x64_sys_mount+0x190/0x1d0<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> The root cause of the issue is the socket create failed in<br /> rxe_qp_init_req().<br /> <br /> So move the reset rxe_qp_do_cleanup() after the NULL ptr check.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: toshsd: fix return value check of mmc_add_host()<br /> <br /> mmc_add_host() may return error, if we ignore its return value, the memory<br /> that allocated in mmc_alloc_host() will be leaked and it will lead a kernel<br /> crash because of deleting not added device in the remove path.<br /> <br /> So fix this by checking the return value and goto error path which will call<br /> mmc_free_host(), besides, free_irq() also needs be called.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()<br /> <br /> I got the the following report:<br /> <br /> OF: ERROR: memory leak, expected refcount 1 instead of 2,<br /> of_node_get()/of_node_put() unbalanced - destroy cset entry:<br /> attach overlay node /i2c/pmic@62/regulators/exten<br /> <br /> In of_get_regulator(), the node is returned from of_parse_phandle()<br /> with refcount incremented, after using it, of_node_put() need be called.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()<br /> <br /> q6v5_wcss_init_mmio() will call platform_get_resource_byname() that may<br /> fail and return NULL. devm_ioremap() will use res-&gt;start as input, which<br /> may causes null-ptr-deref. Check the ret value of<br /> platform_get_resource_byname() to avoid the null-ptr-deref.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Prevent decl_tag from being referenced in func_proto arg<br /> <br /> Syzkaller managed to hit another decl_tag issue:<br /> <br /> btf_func_proto_check kernel/bpf/btf.c:4506 [inline]<br /> btf_check_all_types kernel/bpf/btf.c:4734 [inline]<br /> btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763<br /> btf_parse kernel/bpf/btf.c:5042 [inline]<br /> btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709<br /> bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342<br /> __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034<br /> __do_sys_bpf kernel/bpf/syscall.c:5093 [inline]<br /> __se_sys_bpf kernel/bpf/syscall.c:5091 [inline]<br /> __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091<br /> do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48<br /> <br /> This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being<br /> referenced in func_proto") but for the argument.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: Fix qmi_msg_handler data structure initialization<br /> <br /> qmi_msg_handler is required to be null terminated by QMI module.<br /> There might be a case where a handler for a msg id is not present in the<br /> handlers array which can lead to infinite loop while searching the handler<br /> and therefore out of bound access in qmi_invoke_handler().<br /> Hence update the initialization in qmi_msg_handler data structure.<br /> <br /> Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ARM: OMAP2+: Fix memory leak in realtime_counter_init()<br /> <br /> The "sys_clk" resource is malloced by clk_get(),<br /> it is not released when the function return.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove<br /> <br /> In vp_vdpa_remove(), the code kfree(&amp;vp_vdpa_mgtdev-&gt;mgtdev.id_table) uses<br /> a reference of pointer as the argument of kfree, which is the wrong pointer<br /> and then may hit crash like this:<br /> <br /> Unable to handle kernel paging request at virtual address 00ffff003363e30c<br /> Internal error: Oops: 96000004 [#1] SMP<br /> Call trace:<br /> rb_next+0x20/0x5c<br /> ext4_readdir+0x494/0x5c4 [ext4]<br /> iterate_dir+0x168/0x1b4<br /> __se_sys_getdents64+0x68/0x170<br /> __arm64_sys_getdents64+0x24/0x30<br /> el0_svc_common.constprop.0+0x7c/0x1bc<br /> do_el0_svc+0x2c/0x94<br /> el0_svc+0x20/0x30<br /> el0_sync_handler+0xb0/0xb4<br /> el0_sync+0x160/0x180<br /> Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821)<br /> SMP: stopping secondary CPUs<br /> Starting crashdump kernel...

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/erdma: Fix refcount leak in erdma_mmap<br /> <br /> rdma_user_mmap_entry_get() take reference, we should release it when not<br /> need anymore, add the missing rdma_user_mmap_entry_put() in the error<br /> path to fix it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()<br /> <br /> When kmalloc() fail to allocate memory in kasprintf(), fn_1 or fn_2 will<br /> be NULL, and strcmp() will cause null pointer dereference.