Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix Rx page leak on multi-buffer frames<br /> <br /> The ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each<br /> buffer in the current frame. This function was introduced as part of<br /> handling multi-buffer XDP support in the ice driver.<br /> <br /> It works by iterating over the buffers from first_desc up to 1 plus the<br /> total number of fragments in the frame, cached from before the XDP program<br /> was executed.<br /> <br /> If the hardware posts a descriptor with a size of 0, the logic used in<br /> ice_put_rx_mbuf() breaks. Such descriptors get skipped and don&amp;#39;t get added<br /> as fragments in ice_add_xdp_frag. Since the buffer isn&amp;#39;t counted as a<br /> fragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don&amp;#39;t<br /> call ice_put_rx_buf().<br /> <br /> Because we don&amp;#39;t call ice_put_rx_buf(), we don&amp;#39;t attempt to re-use the<br /> page or free it. This leaves a stale page in the ring, as we don&amp;#39;t<br /> increment next_to_alloc.<br /> <br /> The ice_reuse_rx_page() assumes that the next_to_alloc has been incremented<br /> properly, and that it always points to a buffer with a NULL page. Since<br /> this function doesn&amp;#39;t check, it will happily recycle a page over the top<br /> of the next_to_alloc buffer, losing track of the old page.<br /> <br /> Note that this leak only occurs for multi-buffer frames. The<br /> ice_put_rx_mbuf() function always handles at least one buffer, so a<br /> single-buffer frame will always get handled correctly. It is not clear<br /> precisely why the hardware hands us descriptors with a size of 0 sometimes,<br /> but it happens somewhat regularly with "jumbo frames" used by 9K MTU.<br /> <br /> To fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on<br /> all buffers between first_desc and next_to_clean. Borrow the logic of a<br /> similar function in i40e used for this same purpose. Use the same logic<br /> also in ice_get_pgcnts().<br /> <br /> Instead of iterating over just the number of fragments, use a loop which<br /> iterates until the current index reaches to the next_to_clean element just<br /> past the current frame. Unlike i40e, the ice_put_rx_mbuf() function does<br /> call ice_put_rx_buf() on the last buffer of the frame indicating the end of<br /> packet.<br /> <br /> For non-linear (multi-buffer) frames, we need to take care when adjusting<br /> the pagecnt_bias. An XDP program might release fragments from the tail of<br /> the frame, in which case that fragment page is already released. Only<br /> update the pagecnt_bias for the first descriptor and fragments still<br /> remaining post-XDP program. Take care to only access the shared info for<br /> fragmented buffers, as this avoids a significant cache miss.<br /> <br /> The xdp_xmit value only needs to be updated if an XDP program is run, and<br /> only once per packet. Drop the xdp_xmit pointer argument from<br /> ice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function<br /> directly. This avoids needing to pass the argument and avoids an extra<br /> bit-wise OR for each buffer in the frame.<br /> <br /> Move the increment of the ntc local variable to ensure its updated *before*<br /> all calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic<br /> requires the index of the element just after the current frame.<br /> <br /> Now that we use an index pointer in the ring to identify the packet, we no<br /> longer need to track or cache the number of fragments in the rx_ring.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Harden uplink netdev access against device unbind<br /> <br /> The function mlx5_uplink_netdev_get() gets the uplink netdevice<br /> pointer from mdev-&gt;mlx5e_res.uplink_netdev. However, the netdevice can<br /> be removed and its pointer cleared when unbound from the mlx5_core.eth<br /> driver. This results in a NULL pointer, causing a kernel panic.<br /> <br /> BUG: unable to handle page fault for address: 0000000000001300<br /> at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]<br /> Call Trace:<br /> <br /> mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]<br /> esw_offloads_enable+0x593/0x910 [mlx5_core]<br /> mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]<br /> mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]<br /> devlink_nl_eswitch_set_doit+0x60/0xd0<br /> genl_family_rcv_msg_doit+0xe0/0x130<br /> genl_rcv_msg+0x183/0x290<br /> netlink_rcv_skb+0x4b/0xf0<br /> genl_rcv+0x24/0x40<br /> netlink_unicast+0x255/0x380<br /> netlink_sendmsg+0x1f3/0x420<br /> __sock_sendmsg+0x38/0x60<br /> __sys_sendto+0x119/0x180<br /> do_syscall_64+0x53/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> Ensure the pointer is valid before use by checking it for NULL. If it<br /> is valid, immediately call netdev_hold() to take a reference, and<br /> preventing the netdevice from being freed while it is in use.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tls: make sure to abort the stream if headers are bogus<br /> <br /> Normally we wait for the socket to buffer up the whole record<br /> before we service it. If the socket has a tiny buffer, however,<br /> we read out the data sooner, to prevent connection stalls.<br /> Make sure that we abort the connection when we find out late<br /> that the record is actually invalid. Retrying the parsing is<br /> fine in itself but since we copy some more data each time<br /> before we parse we can overflow the allocated skb space.<br /> <br /> Constructing a scenario in which we&amp;#39;re under pressure without<br /> enough data in the socket to parse the length upfront is quite<br /> hard. syzbot figured out a way to do this by serving us the header<br /> in small OOB sends, and then filling in the recvbuf with a large<br /> normal send.<br /> <br /> Make sure that tls_rx_msg_size() aborts strp, if we reach<br /> an invalid record there&amp;#39;s really no way to recover.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()<br /> <br /> The original code relies on cancel_delayed_work() in otx2_ptp_destroy(),<br /> which does not ensure that the delayed work item synctstamp_work has fully<br /> completed if it was already running. This leads to use-after-free scenarios<br /> where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work<br /> remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().<br /> Furthermore, the synctstamp_work is cyclic, the likelihood of triggering<br /> the bug is nonnegligible.<br /> <br /> A typical race condition is illustrated below:<br /> <br /> CPU 0 (cleanup) | CPU 1 (delayed work callback)<br /> otx2_remove() |<br /> otx2_ptp_destroy() | otx2_sync_tstamp()<br /> cancel_delayed_work() |<br /> kfree(ptp) |<br /> | ptp = container_of(...); //UAF<br /> | ptp-&gt; //UAF<br /> <br /> This is confirmed by a KASAN report:<br /> <br /> BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0<br /> Write of size 8 at addr ffff88800aa09a18 by task bash/136<br /> ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x55/0x70<br /> print_report+0xcf/0x610<br /> ? __run_timer_base.part.0+0x7d7/0x8c0<br /> kasan_report+0xb8/0xf0<br /> ? __run_timer_base.part.0+0x7d7/0x8c0<br /> __run_timer_base.part.0+0x7d7/0x8c0<br /> ? __pfx___run_timer_base.part.0+0x10/0x10<br /> ? __pfx_read_tsc+0x10/0x10<br /> ? ktime_get+0x60/0x140<br /> ? lapic_next_event+0x11/0x20<br /> ? clockevents_program_event+0x1d4/0x2a0<br /> run_timer_softirq+0xd1/0x190<br /> handle_softirqs+0x16a/0x550<br /> irq_exit_rcu+0xaf/0xe0<br /> sysvec_apic_timer_interrupt+0x70/0x80<br /> <br /> ...<br /> Allocated by task 1:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x7f/0x90<br /> otx2_ptp_init+0xb1/0x860<br /> otx2_probe+0x4eb/0xc30<br /> local_pci_probe+0xdc/0x190<br /> pci_device_probe+0x2fe/0x470<br /> really_probe+0x1ca/0x5c0<br /> __driver_probe_device+0x248/0x310<br /> driver_probe_device+0x44/0x120<br /> __driver_attach+0xd2/0x310<br /> bus_for_each_dev+0xed/0x170<br /> bus_add_driver+0x208/0x500<br /> driver_register+0x132/0x460<br /> do_one_initcall+0x89/0x300<br /> kernel_init_freeable+0x40d/0x720<br /> kernel_init+0x1a/0x150<br /> ret_from_fork+0x10c/0x1a0<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Freed by task 136:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3a/0x60<br /> __kasan_slab_free+0x3f/0x50<br /> kfree+0x137/0x370<br /> otx2_ptp_destroy+0x38/0x80<br /> otx2_remove+0x10d/0x4c0<br /> pci_device_remove+0xa6/0x1d0<br /> device_release_driver_internal+0xf8/0x210<br /> pci_stop_bus_device+0x105/0x150<br /> pci_stop_and_remove_bus_device_locked+0x15/0x30<br /> remove_store+0xcc/0xe0<br /> kernfs_fop_write_iter+0x2c3/0x440<br /> vfs_write+0x871/0xd70<br /> ksys_write+0xee/0x1c0<br /> do_syscall_64+0xac/0x280<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure<br /> that the delayed work item is properly canceled before the otx2_ptp is<br /> deallocated.<br /> <br /> This bug was initially identified through static analysis. To reproduce<br /> and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced<br /> artificial delays within the otx2_sync_tstamp() function to increase the<br /> likelihood of triggering the bug.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer<br /> <br /> If data_offset and data_length of smb_direct_data_transfer struct are<br /> invalid, out of bounds issue could happen.<br /> This patch validate data_offset and data_length field in recv_done.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size<br /> <br /> This is inspired by the check for data_offset + data_length.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ<br /> <br /> If the interrupt occurs before resource initialization is complete, the<br /> interrupt handler/worker may access uninitialized data such as the I2C<br /> tcpc_client device, potentially leading to NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed<br /> <br /> If earlier opening of source graph fails (e.g. ADSP rejects due to<br /> incorrect audioreach topology), the graph is closed and<br /> "dai_data-&gt;graph[dai-&gt;id]" is assigned NULL. Preparing the DAI for sink<br /> graph continues though and next call to q6apm_lpass_dai_prepare()<br /> receives dai_data-&gt;graph[dai-&gt;id]=NULL leading to NULL pointer<br /> exception:<br /> <br /> qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd<br /> qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1<br /> q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78<br /> q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22<br /> Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8<br /> ...<br /> Call trace:<br /> q6apm_graph_media_format_pcm+0x48/0x120 (P)<br /> q6apm_lpass_dai_prepare+0x110/0x1b4<br /> snd_soc_pcm_dai_prepare+0x74/0x108<br /> __soc_pcm_prepare+0x44/0x160<br /> dpcm_be_dai_prepare+0x124/0x1c0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm-stripe: fix a possible integer overflow<br /> <br /> There&amp;#39;s a possible integer overflow in stripe_io_hints if we have too<br /> large chunk size. Test if the overflow happened, and if it did, don&amp;#39;t set<br /> limits-&gt;io_min and limits-&gt;io_opt;

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/s390: Fix memory corruption when using identity domain<br /> <br /> zpci_get_iommu_ctrs() returns counter information to be reported as part<br /> of device statistics; these counters are stored as part of the s390_domain.<br /> The problem, however, is that the identity domain is not backed by an<br /> s390_domain and so the conversion via to_s390_domain() yields a bad address<br /> that is zero&amp;#39;d initially and read on-demand later via a sysfs read.<br /> These counters aren&amp;#39;t necessary for the identity domain; just return NULL<br /> in this case.<br /> <br /> This issue was discovered via KASAN with reports that look like:<br /> BUG: KASAN: global-out-of-bounds in zpci_fmb_enable_device<br /> when using the identity domain for a device on s390.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: let recv_done verify data_offset, data_length and remaining_data_length<br /> <br /> This is inspired by the related server fixes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded()<br /> <br /> The sma1307-&gt;set.header_size is how many integers are in the header<br /> (there are 8 of them) but instead of allocating space of 8 integers<br /> we allocate 8 bytes. This leads to memory corruption when we copy data<br /> it on the next line:<br /> <br /> memcpy(sma1307-&gt;set.header, data,<br /> sma1307-&gt;set.header_size * sizeof(int));<br /> <br /> Also since we&amp;#39;re immediately copying over the memory in -&gt;set.header,<br /> there is no need to zero it in the allocator. Use devm_kmalloc_array()<br /> to allocate the memory instead.