Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> eventpoll: Fix semi-unbounded recursion<br /> <br /> Ensure that epoll instances can never form a graph deeper than<br /> EP_MAX_NESTS+1 links.<br /> <br /> Currently, ep_loop_check_proc() ensures that the graph is loop-free and<br /> does some recursion depth checks, but those recursion depth checks don&amp;#39;t<br /> limit the depth of the resulting tree for two reasons:<br /> <br /> - They don&amp;#39;t look upwards in the tree.<br /> - If there are multiple downwards paths of different lengths, only one of<br /> the paths is actually considered for the depth check since commit<br /> 28d82dc1c4ed ("epoll: limit paths").<br /> <br /> Essentially, the current recursion depth check in ep_loop_check_proc() just<br /> serves to prevent it from recursing too deeply while checking for loops.<br /> <br /> A more thorough check is done in reverse_path_check() after the new graph<br /> edge has already been created; this checks, among other things, that no<br /> paths going upwards from any non-epoll file with a length of more than 5<br /> edges exist. However, this check does not apply to non-epoll files.<br /> <br /> As a result, it is possible to recurse to a depth of at least roughly 500,<br /> tested on v6.15. (I am unsure if deeper recursion is possible; and this may<br /> have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion<br /> problem").)<br /> <br /> To fix it:<br /> <br /> 1. In ep_loop_check_proc(), note the subtree depth of each visited node,<br /> and use subtree depths for the total depth calculation even when a subtree<br /> has already been visited.<br /> 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum<br /> depth of an upwards walk.<br /> 3. In ep_loop_check(), use these values to limit the total path length<br /> between epoll nodes to EP_MAX_NESTS edges.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: cancle set bad inode after removing name fails<br /> <br /> The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.<br /> When renaming, the file0&amp;#39;s inode is marked as a bad inode because the file<br /> name cannot be deleted.<br /> <br /> The underlying bug is that make_bad_inode() is called on a live inode.<br /> In some cases it&amp;#39;s "icache lookup finds a normal inode, d_splice_alias()<br /> is called to attach it to dentry, while another thread decides to call<br /> make_bad_inode() on it - that would evict it from icache, but we&amp;#39;d already<br /> found it there earlier".<br /> In some it&amp;#39;s outright "we have an inode attached to dentry - that&amp;#39;s how we<br /> got it in the first place; let&amp;#39;s call make_bad_inode() on it just for shits<br /> and giggles".

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()<br /> <br /> In the error paths after fb_info structure is successfully allocated,<br /> the memory allocated in fb_deferred_io_init() for info-&gt;pagerefs is not<br /> freed. Fix that by adding the cleanup function on the error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()<br /> <br /> The get_pd_power_uw() function can crash with a NULL pointer dereference<br /> when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible<br /> during runtime, causing get_cpu_device() to return NULL, which propagates<br /> through em_cpu_get() and leads to a crash when em_span_cpus() dereferences<br /> the NULL pointer.<br /> <br /> Add a NULL check after em_cpu_get() and return 0 if unavailable,<br /> matching the existing fallback behavior in __dtpm_cpu_setup().<br /> <br /> [ rjw: Drop an excess empty code line ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PM / devfreq: Check governor before using governor-&gt;name<br /> <br /> Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from<br /> struct devfreq") removes governor_name and uses governor-&gt;name to replace<br /> it. But devfreq-&gt;governor may be NULL and directly using<br /> devfreq-&gt;governor-&gt;name may cause null pointer exception. Move the check of<br /> governor to before using governor-&gt;name.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls<br /> <br /> When sending plaintext data, we initially calculated the corresponding<br /> ciphertext length. However, if we later reduced the plaintext data length<br /> via socket policy, we failed to recalculate the ciphertext length.<br /> <br /> This results in transmitting buffers containing uninitialized data during<br /> ciphertext transmission.<br /> <br /> This causes uninitialized bytes to be appended after a complete<br /> "Application Data" packet, leading to errors on the receiving end when<br /> parsing TLS record.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: handle jset (if a &amp; b ...) as a jump in CFG computation<br /> <br /> BPF_JSET is a conditional jump and currently verifier.c:can_jump()<br /> does not know about that. This can lead to incorrect live registers<br /> and SCC computation.<br /> <br /> E.g. in the following example:<br /> <br /> 1: r0 = 1;<br /> 2: r2 = 2;<br /> 3: if r1 &amp; 0x7 goto +1;<br /> 4: exit;<br /> 5: r0 = r2;<br /> 6: exit;<br /> <br /> W/o this fix insn_successors(3) will return only (4), a jump to (5)<br /> would be missed and r2 won&amp;#39;t be marked as alive at (3).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: gpib: fix unset padding field copy back to userspace<br /> <br /> The introduction of a padding field in the gpib_board_info_ioctl is<br /> showing up as initialized data on the stack frame being copyied back<br /> to userspace in function board_info_ioctl. The simplest fix is to<br /> initialize the entire struct to zero to ensure all unassigned padding<br /> fields are zero&amp;#39;d before being copied back to userspace.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtl818x: Kill URBs before clearing tx status queue<br /> <br /> In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing<br /> b_tx_status.queue. This change prevents callbacks from using already freed<br /> skb due to anchor was not killed before freeing such skb.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000080<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015<br /> RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]<br /> Call Trace:<br /> <br /> rtl8187_tx_cb+0x116/0x150 [rtl8187]<br /> __usb_hcd_giveback_urb+0x9d/0x120<br /> usb_giveback_urb_bh+0xbb/0x140<br /> process_one_work+0x19b/0x3c0<br /> bh_worker+0x1a7/0x210<br /> tasklet_action+0x10/0x30<br /> handle_softirqs+0xf0/0x340<br /> __irq_exit_rcu+0xcd/0xf0<br /> common_interrupt+0x85/0xa0<br /> <br /> <br /> Tested on RTL8187BvE device.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iwlwifi: Add missing check for alloc_ordered_workqueue<br /> <br /> Add check for the return value of alloc_ordered_workqueue since it may<br /> return NULL pointer.