Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed<br /> <br /> Following process will trigger an infinite loop in ubi_wl_put_peb():<br /> <br /> ubifs_bgt ubi_bgt<br /> ubifs_leb_unmap<br /> ubi_leb_unmap<br /> ubi_eba_unmap_leb<br /> ubi_wl_put_peb wear_leveling_worker<br /> e1 = rb_entry(rb_first(&amp;ubi-&gt;used)<br /> e2 = get_peb_for_wl(ubi)<br /> ubi_io_read_vid_hdr // return err (flash fault)<br /> out_error:<br /> ubi-&gt;move_from = ubi-&gt;move_to = NULL<br /> wl_entry_destroy(ubi, e1)<br /> ubi-&gt;lookuptbl[e-&gt;pnum] = NULL<br /> retry:<br /> e = ubi-&gt;lookuptbl[pnum]; // return NULL<br /> if (e == ubi-&gt;move_from) { // NULL == NULL gets true<br /> goto retry; // infinite loop !!!<br /> <br /> $ top<br /> PID USER PR NI VIRT RES SHR S %CPU %MEM COMMAND<br /> 7676 root 20 0 0 0 0 R 100.0 0.0 ubifs_bgt0_0<br /> <br /> Fix it by:<br /> 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has<br /> been removed from &amp;#39;ubi-&gt;lookuptbl&amp;#39;.<br /> 2) Using &amp;#39;ubi-&gt;wl_lock&amp;#39; protecting wl entry deletion to preventing an<br /> use-after-free problem for wl entry in ubi_wl_put_peb().<br /> <br /> Fetch a reproducer in [Link].

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()<br /> <br /> KASAN and KFENCE detected an user-after-free in the CXL driver. This<br /> happens in the cxl_decoder_add() fail path. KASAN prints the following<br /> error:<br /> <br /> BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)<br /> <br /> This happens in cxl_parse_cfmws(), where put_device() is called,<br /> releasing cxld, which is accessed later.<br /> <br /> Use the local variables in the dev_err() instead of pointing to the<br /> released memory. Since the dev_err() is printing a resource, change the open<br /> coded print format to use the %pr format specifier.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing/synthetic: Fix races on freeing last_cmd<br /> <br /> Currently, the "last_cmd" variable can be accessed by multiple processes<br /> asynchronously when multiple users manipulate synthetic_events node<br /> at the same time, it could lead to use-after-free or double-free.<br /> <br /> This patch add "lastcmd_mutex" to prevent "last_cmd" from being accessed<br /> asynchronously.<br /> <br /> ================================================================<br /> <br /> It&amp;#39;s easy to reproduce in the KASAN environment by running the two<br /> scripts below in different shells.<br /> <br /> script 1:<br /> while :<br /> do<br /> echo -n -e &amp;#39;\x88&amp;#39; &gt; /sys/kernel/tracing/synthetic_events<br /> done<br /> <br /> script 2:<br /> while :<br /> do<br /> echo -n -e &amp;#39;\xb0&amp;#39; &gt; /sys/kernel/tracing/synthetic_events<br /> done<br /> <br /> ================================================================<br /> double-free scenario:<br /> <br /> process A process B<br /> ------------------- ---------------<br /> 1.kstrdup last_cmd<br /> 2.free last_cmd<br /> 3.free last_cmd(double-free)<br /> <br /> ================================================================<br /> use-after-free scenario:<br /> <br /> process A process B<br /> ------------------- ---------------<br /> 1.kstrdup last_cmd<br /> 2.free last_cmd<br /> 3.tracing_log_err(use-after-free)<br /> <br /> ================================================================<br /> <br /> Appendix 1. KASAN report double-free:<br /> <br /> BUG: KASAN: double-free in kfree+0xdc/0x1d4<br /> Free of addr ***** by task sh/4879<br /> Call trace:<br /> ...<br /> kfree+0xdc/0x1d4<br /> create_or_delete_synth_event+0x60/0x1e8<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Allocated by task 4879:<br /> ...<br /> kstrdup+0x5c/0x98<br /> create_or_delete_synth_event+0x6c/0x1e8<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Freed by task 5464:<br /> ...<br /> kfree+0xdc/0x1d4<br /> create_or_delete_synth_event+0x60/0x1e8<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> ================================================================<br /> Appendix 2. KASAN report use-after-free:<br /> <br /> BUG: KASAN: use-after-free in strlen+0x5c/0x7c<br /> Read of size 1 at addr ***** by task sh/5483<br /> sh: CPU: 7 PID: 5483 Comm: sh<br /> ...<br /> __asan_report_load1_noabort+0x34/0x44<br /> strlen+0x5c/0x7c<br /> tracing_log_err+0x60/0x444<br /> create_or_delete_synth_event+0xc4/0x204<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Allocated by task 5483:<br /> ...<br /> kstrdup+0x5c/0x98<br /> create_or_delete_synth_event+0x80/0x204<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Freed by task 5480:<br /> ...<br /> kfree+0xdc/0x1d4<br /> create_or_delete_synth_event+0x74/0x204<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: Add lwtunnel encap size of all siblings in nexthop calculation<br /> <br /> In function rt6_nlmsg_size(), the length of nexthop is calculated<br /> by multipling the nexthop length of fib6_info and the number of<br /> siblings. However if the fib6_info has no lwtunnel but the siblings<br /> have lwtunnels, the nexthop length is less than it should be, and<br /> it will trigger a warning in inet6_rt_notify() as follows:<br /> <br /> WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130<br /> ......<br /> Call Trace:<br /> <br /> fib6_add_rt2node+0x685/0xa30<br /> fib6_add+0x96/0x1b0<br /> ip6_route_add+0x50/0xd0<br /> inet6_rtm_newroute+0x97/0xa0<br /> rtnetlink_rcv_msg+0x156/0x3d0<br /> netlink_rcv_skb+0x5a/0x110<br /> netlink_unicast+0x246/0x350<br /> netlink_sendmsg+0x250/0x4c0<br /> sock_sendmsg+0x66/0x70<br /> ___sys_sendmsg+0x7c/0xd0<br /> __sys_sendmsg+0x5d/0xb0<br /> do_syscall_64+0x3f/0x90<br /> entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> This bug can be reproduced by script:<br /> <br /> ip -6 addr add 2002::2/64 dev ens2<br /> ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100<br /> <br /> for i in 10 20 30 40 50 60 70;<br /> do<br /> ip link add link ens2 name ipv_$i type ipvlan<br /> ip -6 addr add 2002::$i/64 dev ipv_$i<br /> ifconfig ipv_$i up<br /> done<br /> <br /> for i in 10 20 30 40 50 60;<br /> do<br /> ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1<br /> dev ipv_$i metric 100<br /> done<br /> <br /> ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100<br /> <br /> This patch fixes it by adding nexthop_len of every siblings using<br /> rt6_nh_nlmsg_size().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kobject: Add sanity check for kset-&gt;kobj.ktype in kset_register()<br /> <br /> When I register a kset in the following way:<br /> static struct kset my_kset;<br /> kobject_set_name(&amp;my_kset.kobj, "my_kset");<br /> ret = kset_register(&amp;my_kset);<br /> <br /> A null pointer dereference exception is occurred:<br /> [ 4453.568337] Unable to handle kernel NULL pointer dereference at \<br /> virtual address 0000000000000028<br /> ... ...<br /> [ 4453.810361] Call trace:<br /> [ 4453.813062] kobject_get_ownership+0xc/0x34<br /> [ 4453.817493] kobject_add_internal+0x98/0x274<br /> [ 4453.822005] kset_register+0x5c/0xb4<br /> [ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]<br /> ... ...<br /> <br /> Because I didn&amp;#39;t initialize my_kset.kobj.ktype.<br /> <br /> According to the description in Documentation/core-api/kobject.rst:<br /> - A ktype is the type of object that embeds a kobject. Every structure<br /> that embeds a kobject needs a corresponding ktype.<br /> <br /> So add sanity check to make sure kset-&gt;kobj.ktype is not NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ionic: catch failure from devlink_alloc<br /> <br /> Add a check for NULL on the alloc return. If devlink_alloc() fails and<br /> we try to use devlink_priv() on the NULL return, the kernel gets very<br /> unhappy and panics. With this fix, the driver load will still fail,<br /> but at least it won&amp;#39;t panic the kernel.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()<br /> <br /> This condition needs to match the previous "if (epcp-&gt;state == LISTEN) {"<br /> exactly to avoid a NULL dereference of either "listen_ep" or "ep". The<br /> problem is that "epcp" has been re-assigned so just testing<br /> "if (epcp-&gt;state == LISTEN) {" a second time is not sufficient.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: tegra: fix sleep in atomic call<br /> <br /> When we set the dual-role port to Host mode, we observed the following<br /> splat:<br /> [ 167.057718] BUG: sleeping function called from invalid context at<br /> include/linux/sched/mm.h:229<br /> [ 167.057872] Workqueue: events tegra_xusb_usb_phy_work<br /> [ 167.057954] Call trace:<br /> [ 167.057962] dump_backtrace+0x0/0x210<br /> [ 167.057996] show_stack+0x30/0x50<br /> [ 167.058020] dump_stack_lvl+0x64/0x84<br /> [ 167.058065] dump_stack+0x14/0x34<br /> [ 167.058100] __might_resched+0x144/0x180<br /> [ 167.058140] __might_sleep+0x64/0xd0<br /> [ 167.058171] slab_pre_alloc_hook.constprop.0+0xa8/0x110<br /> [ 167.058202] __kmalloc_track_caller+0x74/0x2b0<br /> [ 167.058233] kvasprintf+0xa4/0x190<br /> [ 167.058261] kasprintf+0x58/0x90<br /> [ 167.058285] tegra_xusb_find_port_node.isra.0+0x58/0xd0<br /> [ 167.058334] tegra_xusb_find_port+0x38/0xa0<br /> [ 167.058380] tegra_xusb_padctl_get_usb3_companion+0x38/0xd0<br /> [ 167.058430] tegra_xhci_id_notify+0x8c/0x1e0<br /> [ 167.058473] notifier_call_chain+0x88/0x100<br /> [ 167.058506] atomic_notifier_call_chain+0x44/0x70<br /> [ 167.058537] tegra_xusb_usb_phy_work+0x60/0xd0<br /> [ 167.058581] process_one_work+0x1dc/0x4c0<br /> [ 167.058618] worker_thread+0x54/0x410<br /> [ 167.058650] kthread+0x188/0x1b0<br /> [ 167.058672] ret_from_fork+0x10/0x20<br /> <br /> The function tegra_xusb_padctl_get_usb3_companion eventually calls<br /> tegra_xusb_find_port and this in turn calls kasprintf which might sleep<br /> and so cannot be called from an atomic context.<br /> <br /> Fix this by moving the call to tegra_xusb_padctl_get_usb3_companion to<br /> the tegra_xhci_id_work function where it is really needed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/MCE/AMD: Use an u64 for bank_map<br /> <br /> Thee maximum number of MCA banks is 64 (MAX_NR_BANKS), see<br /> <br /> a0bc32b3cacf ("x86/mce: Increase maximum number of banks to 64").<br /> <br /> However, the bank_map which contains a bitfield of which banks to<br /> initialize is of type unsigned int and that overflows when those bit<br /> numbers are &gt;= 32, leading to UBSAN complaining correctly:<br /> <br /> UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38<br /> shift exponent 32 is too large for 32-bit type &amp;#39;int&amp;#39;<br /> <br /> Change the bank_map to a u64 and use the proper BIT_ULL() macro when<br /> modifying bits in there.<br /> <br /> [ bp: Rewrite commit message. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: improve error handling from ext4_dirhash()<br /> <br /> The ext4_dirhash() will *almost* never fail, especially when the hash<br /> tree feature was first introduced. However, with the addition of<br /> support of encrypted, casefolded file names, that function can most<br /> certainly fail today.<br /> <br /> So make sure the callers of ext4_dirhash() properly check for<br /> failures, and reflect the errors back up to their callers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pwm: lpc32xx: Remove handling of PWM channels<br /> <br /> Because LPC32xx PWM controllers have only a single output which is<br /> registered as the only PWM device/channel per controller, it is known in<br /> advance that pwm-&gt;hwpwm value is always 0. On basis of this fact<br /> simplify the code by removing operations with pwm-&gt;hwpwm, there is no<br /> controls which require channel number as input.<br /> <br /> Even though I wasn&amp;#39;t aware at the time when I forward ported that patch,<br /> this fixes a null pointer dereference as lpc32xx-&gt;chip.pwms is NULL<br /> before devm_pwmchip_add() is called.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras<br /> <br /> gfx9 cp_ecc_error_irq is only enabled when legacy gfx ras is assert.<br /> So in gfx_v9_0_hw_fini, interrupt disablement for cp_ecc_error_irq<br /> should be executed under such condition, otherwise, an amdgpu_irq_put<br /> calltrace will occur.<br /> <br /> [ 7283.170322] RIP: 0010:amdgpu_irq_put+0x45/0x70 [amdgpu]<br /> [ 7283.170964] RSP: 0018:ffff9a5fc3967d00 EFLAGS: 00010246<br /> [ 7283.170967] RAX: ffff98d88afd3040 RBX: ffff98d89da20000 RCX: 0000000000000000<br /> [ 7283.170969] RDX: 0000000000000000 RSI: ffff98d89da2bef8 RDI: ffff98d89da20000<br /> [ 7283.170971] RBP: ffff98d89da20000 R08: ffff98d89da2ca18 R09: 0000000000000006<br /> [ 7283.170973] R10: ffffd5764243c008 R11: 0000000000000000 R12: 0000000000001050<br /> [ 7283.170975] R13: ffff98d89da38978 R14: ffffffff999ae15a R15: ffff98d880130105<br /> [ 7283.170978] FS: 0000000000000000(0000) GS:ffff98d996f00000(0000) knlGS:0000000000000000<br /> [ 7283.170981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 7283.170983] CR2: 00000000f7a9d178 CR3: 00000001c42ea000 CR4: 00000000003506e0<br /> [ 7283.170986] Call Trace:<br /> [ 7283.170988] <br /> [ 7283.170989] gfx_v9_0_hw_fini+0x1c/0x6d0 [amdgpu]<br /> [ 7283.171655] amdgpu_device_ip_suspend_phase2+0x101/0x1a0 [amdgpu]<br /> [ 7283.172245] amdgpu_device_suspend+0x103/0x180 [amdgpu]<br /> [ 7283.172823] amdgpu_pmops_freeze+0x21/0x60 [amdgpu]<br /> [ 7283.173412] pci_pm_freeze+0x54/0xc0<br /> [ 7283.173419] ? __pfx_pci_pm_freeze+0x10/0x10<br /> [ 7283.173425] dpm_run_callback+0x98/0x200<br /> [ 7283.173430] __device_suspend+0x164/0x5f0<br /> <br /> v2: drop gfx11 as it&amp;#39;s fixed in a different solution by retiring cp_ecc_irq funcs(Hawking)