Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save<br /> <br /> Improper use of secondary pointer (&amp;dev-&gt;i2c_subip_regs) caused<br /> kernel crash and out-of-bounds error:<br /> <br /> BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510<br /> Write of size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107<br /> <br /> CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary)<br /> Workqueue: async async_run_entry_fn<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x76/0xa0<br /> print_report+0xd1/0x660<br /> ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> ? kasan_complete_mode_report_info+0x26/0x200<br /> kasan_report+0xe1/0x120<br /> ? _regmap_bulk_read+0x449/0x510<br /> ? _regmap_bulk_read+0x449/0x510<br /> __asan_report_store4_noabort+0x17/0x30<br /> _regmap_bulk_read+0x449/0x510<br /> ? __pfx__regmap_bulk_read+0x10/0x10<br /> regmap_bulk_read+0x270/0x3d0<br /> pio_complete+0x1ee/0x2c0 [intel_thc]<br /> ? __pfx_pio_complete+0x10/0x10 [intel_thc]<br /> ? __pfx_pio_wait+0x10/0x10 [intel_thc]<br /> ? regmap_update_bits_base+0x13b/0x1f0<br /> thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]<br /> thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]<br /> ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc]<br /> [...]<br /> The buggy address belongs to the object at ffff888136005d00<br /> which belongs to the cache kmalloc-rnd-12-192 of size 192<br /> The buggy address is located 0 bytes to the right of<br /> allocated 192-byte region [ffff888136005d00, ffff888136005dc0)<br /> <br /> Replaced with direct array indexing (&amp;dev-&gt;i2c_subip_regs[i]) to ensure<br /> safe memory access.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare<br /> <br /> Observed on kernel 6.6 (present on master as well):<br /> <br /> BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0<br /> Call trace:<br /> kasan_check_range+0xe8/0x190<br /> __asan_loadN+0x1c/0x28<br /> memcmp+0x98/0xd0<br /> efivarfs_d_compare+0x68/0xd8<br /> __d_lookup_rcu_op_compare+0x178/0x218<br /> __d_lookup_rcu+0x1f8/0x228<br /> d_alloc_parallel+0x150/0x648<br /> lookup_open.isra.0+0x5f0/0x8d0<br /> open_last_lookups+0x264/0x828<br /> path_openat+0x130/0x3f8<br /> do_filp_open+0x114/0x248<br /> do_sys_openat2+0x340/0x3c0<br /> __arm64_sys_openat+0x120/0x1a0<br /> <br /> If dentry-&gt;d_name.len lookup<br /> simple_lookup<br /> d_add<br /> // invalid dentry is added to hash list<br /> <br /> lookup_open<br /> d_alloc_parallel<br /> __d_lookup_rcu<br /> __d_lookup_rcu_op_compare<br /> hlist_bl_for_each_entry_rcu<br /> // invalid dentry can be retrieved<br /> -&gt;d_compare<br /> efivarfs_d_compare<br /> // oob<br /> <br /> Fix it by checking &amp;#39;guid&amp;#39; before cmp.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RISC-V: KVM: fix stack overrun when loading vlenb<br /> <br /> The userspace load can put up to 2048 bits into an xlen bit stack<br /> buffer. We want only xlen bits, so check the size beforehand.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths<br /> <br /> Since the buffers are mapped from userspace, it is prudent to use<br /> READ_ONCE() to read the value into a local variable, and use that for<br /> any other actions taken. Having a stable read of the buffer length<br /> avoids worrying about it changing after checking, or being read multiple<br /> times.<br /> <br /> Similarly, the buffer may well change in between it being picked and<br /> being committed. Ensure the looping for incremental ring buffer commit<br /> stops if it hits a zero sized buffer, as no further progress can be made<br /> at that point.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset<br /> <br /> Issuing a reset when the driver is loaded without RDMA support, will<br /> results in a crash as it attempts to remove RDMA&amp;#39;s non-existent auxbus<br /> device:<br /> echo 1 &gt; /sys/class/net//device/reset<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000008<br /> ...<br /> RIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice]<br /> ...<br /> Call Trace:<br /> <br /> ice_prepare_for_reset+0x77/0x260 [ice]<br /> pci_dev_save_and_disable+0x2c/0x70<br /> pci_reset_function+0x88/0x130<br /> reset_store+0x5a/0xa0<br /> kernfs_fop_write_iter+0x15e/0x210<br /> vfs_write+0x273/0x520<br /> ksys_write+0x6b/0xe0<br /> do_syscall_64+0x79/0x3b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> ice_unplug_aux_dev() checks pf-&gt;cdev_info-&gt;adev for NULL pointer, but<br /> pf-&gt;cdev_info will also be NULL, leading to the deref in the trace above.<br /> <br /> Introduce a flag to be set when the creation of the auxbus device is<br /> successful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ftrace: Fix potential warning in trace_printk_seq during ftrace_dump<br /> <br /> When calling ftrace_dump_one() concurrently with reading trace_pipe,<br /> a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race<br /> condition.<br /> <br /> The issue occurs because:<br /> <br /> CPU0 (ftrace_dump) CPU1 (reader)<br /> echo z &gt; /proc/sysrq-trigger<br /> <br /> !trace_empty(&amp;iter)<br /> trace_iterator_reset(&amp;iter) = s-&gt;seq.size)<br /> <br /> In the context between trace_empty() and trace_find_next_entry_inc()<br /> during ftrace_dump, the ring buffer data was consumed by other readers.<br /> This caused trace_find_next_entry_inc to return NULL, failing to populate<br /> `iter.seq`. At this point, due to the prior trace_iterator_reset, both<br /> `iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,<br /> the WARN_ON_ONCE condition is triggered.<br /> <br /> Move the trace_printk_seq() into the if block that checks to make sure the<br /> return value of trace_find_next_entry_inc() is non-NULL in<br /> ftrace_dump_one(), ensuring the &amp;#39;iter.seq&amp;#39; is properly populated before<br /> subsequent operations.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/vm: Clear the scratch_pt pointer on error<br /> <br /> Avoid triggering a dereference of an error pointer on cleanup in<br /> xe_vm_free_scratch() by clearing any scratch_pt error pointer.<br /> <br /> (cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: initialize more fields in sctp_v6_from_sk()<br /> <br /> syzbot found that sin6_scope_id was not properly initialized,<br /> leading to undefined behavior.<br /> <br /> Clear sin6_scope_id and sin6_flowinfo.<br /> <br /> BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649<br /> __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649<br /> sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983<br /> sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390<br /> sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452<br /> sctp_get_port net/sctp/socket.c:8523 [inline]<br /> sctp_listen_start net/sctp/socket.c:8567 [inline]<br /> sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636<br /> __sys_listen_socket net/socket.c:1912 [inline]<br /> __sys_listen net/socket.c:1927 [inline]<br /> __do_sys_listen net/socket.c:1932 [inline]<br /> __se_sys_listen net/socket.c:1930 [inline]<br /> __x64_sys_listen+0x343/0x4c0 net/socket.c:1930<br /> x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Local variable addr.i.i created at:<br /> sctp_get_port net/sctp/socket.c:8515 [inline]<br /> sctp_listen_start net/sctp/socket.c:8567 [inline]<br /> sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636<br /> __sys_listen_socket net/socket.c:1912 [inline]<br /> __sys_listen net/socket.c:1927 [inline]<br /> __do_sys_listen net/socket.c:1932 [inline]<br /> __se_sys_listen net/socket.c:1930 [inline]<br /> __x64_sys_listen+0x343/0x4c0 net/socket.c:1930

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix memory corruption when FW resources change during ifdown<br /> <br /> bnxt_set_dflt_rings() assumes that it is always called before any TC has<br /> been created. So it doesn&amp;#39;t take bp-&gt;num_tc into account and assumes<br /> that it is always 0 or 1.<br /> <br /> In the FW resource or capability change scenario, the FW will return<br /> flags in bnxt_hwrm_if_change() that will cause the driver to<br /> reinitialize and call bnxt_cancel_reservations(). This will lead to<br /> bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp-&gt;num_tc<br /> may be greater than 1. This will cause bp-&gt;tx_ring[] to be sized too<br /> small and cause memory corruption in bnxt_alloc_cp_rings().<br /> <br /> Fix it by properly scaling the TX rings by bp-&gt;num_tc in the code<br /> paths mentioned above. Add 2 helper functions to determine<br /> bp-&gt;tx_nr_rings and bp-&gt;tx_nr_rings_per_tc.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length<br /> <br /> The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a<br /> trailing byte, making the actual length is one more byte than the<br /> structs defined.<br /> <br /> It caused stack-out-of-bounds and kernel crash:<br /> <br /> kernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75<br /> kernel:<br /> kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary)<br /> kernel: Workqueue: async async_run_entry_fn<br /> kernel: Call Trace:<br /> kernel: <br /> kernel: dump_stack_lvl+0x76/0xa0<br /> kernel: print_report+0xd1/0x660<br /> kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> kernel: ? __kasan_slab_free+0x5d/0x80<br /> kernel: ? kasan_addr_to_slab+0xd/0xb0<br /> kernel: kasan_report+0xe1/0x120<br /> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: kasan_check_range+0x11c/0x200<br /> kernel: __asan_memcpy+0x3b/0x80<br /> kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c]<br /> kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c]<br /> [...]<br /> kernel: <br /> kernel:<br /> kernel: The buggy address belongs to stack of task kworker/u33:2/75<br /> kernel: and is located at offset 48 in frame:<br /> kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c]<br /> kernel:<br /> kernel: This frame has 3 objects:<br /> kernel: [32, 36) &amp;#39;hid_desc_addr&amp;#39;<br /> kernel: [48, 59) &amp;#39;i2c_param&amp;#39;<br /> kernel: [80, 224) &amp;#39;i2c_config&amp;#39;<br /> <br /> ACPI DSD methods return:<br /> <br /> \_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00<br /> \_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00<br /> <br /> Adding reserved padding to quicki2c_subip_acpi_parameter/config.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()<br /> <br /> in ntrig_report_version(), hdev parameter passed from hid_probe().<br /> sending descriptor to /dev/uhid can make hdev-&gt;dev.parent-&gt;parent to null<br /> if hdev-&gt;dev.parent-&gt;parent is null, usb_dev has<br /> invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned<br /> when usb_rcvctrlpipe() use usb_dev,it trigger<br /> page fault error for address(0xffffffffffffff58)<br /> <br /> add null check logic to ntrig_report_version()<br /> before calling hid_to_usb_dev()

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mediatek: Add error handling for old state CRTC in atomic_disable<br /> <br /> Introduce error handling to address an issue where, after a hotplug<br /> event, the cursor continues to update. This situation can lead to a<br /> kernel panic due to accessing the NULL `old_state-&gt;crtc`.<br /> <br /> E,g.<br /> Unable to handle kernel NULL pointer dereference at virtual address<br /> Call trace:<br /> mtk_crtc_plane_disable+0x24/0x140<br /> mtk_plane_atomic_update+0x8c/0xa8<br /> drm_atomic_helper_commit_planes+0x114/0x2c8<br /> drm_atomic_helper_commit_tail_rpm+0x4c/0x158<br /> commit_tail+0xa0/0x168<br /> drm_atomic_helper_commit+0x110/0x120<br /> drm_atomic_commit+0x8c/0xe0<br /> drm_atomic_helper_update_plane+0xd4/0x128<br /> __setplane_atomic+0xcc/0x110<br /> drm_mode_cursor_common+0x250/0x440<br /> drm_mode_cursor_ioctl+0x44/0x70<br /> drm_ioctl+0x264/0x5d8<br /> __arm64_sys_ioctl+0xd8/0x510<br /> invoke_syscall+0x6c/0xe0<br /> do_el0_svc+0x68/0xe8<br /> el0_svc+0x34/0x60<br /> el0t_64_sync_handler+0x1c/0xf8<br /> el0t_64_sync+0x180/0x188<br /> <br /> Adding NULL pointer checks to ensure stability by preventing operations<br /> on an invalid CRTC state.