Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/region: Fix region HPA ordering validation<br /> <br /> Some regions may not have any address space allocated. Skip them when<br /> validating HPA order otherwise a crash like the following may result:<br /> <br /> devm_cxl_add_region: cxl_acpi cxl_acpi.0: decoder3.4: created region9<br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> [..]<br /> RIP: 0010:store_targetN+0x655/0x1740 [cxl_core]<br /> [..]<br /> Call Trace:<br /> <br /> kernfs_fop_write_iter+0x144/0x200<br /> vfs_write+0x24a/0x4d0<br /> ksys_write+0x69/0xf0<br /> do_syscall_64+0x3a/0x90<br /> <br /> store_targetN+0x655/0x1740:<br /> alloc_region_ref at drivers/cxl/core/region.c:676<br /> (inlined by) cxl_port_attach_region at drivers/cxl/core/region.c:850<br /> (inlined by) cxl_region_attach at drivers/cxl/core/region.c:1290<br /> (inlined by) attach_target at drivers/cxl/core/region.c:1410<br /> (inlined by) store_targetN at drivers/cxl/core/region.c:1453

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/region: Fix decoder allocation crash<br /> <br /> When an intermediate port&amp;#39;s decoders have been exhausted by existing<br /> regions, and creating a new region with the port in question in it&amp;#39;s<br /> hierarchical path is attempted, cxl_port_attach_region() fails to find a<br /> port decoder (as would be expected), and drops into the failure / cleanup<br /> path.<br /> <br /> However, during cleanup of the region reference, a sanity check attempts<br /> to dereference the decoder, which in the above case didn&amp;#39;t exist. This<br /> causes a NULL pointer dereference BUG.<br /> <br /> To fix this, refactor the decoder allocation and de-allocation into<br /> helper routines, and in this &amp;#39;free&amp;#39; routine, check that the decoder,<br /> @cxld, is valid before attempting any operations on it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/pmem: Fix cxl_pmem_region and cxl_memdev leak<br /> <br /> When a cxl_nvdimm object goes through a -&gt;remove() event (device<br /> physically removed, nvdimm-bridge disabled, or nvdimm device disabled),<br /> then any associated regions must also be disabled. As highlighted by the<br /> cxl-create-region.sh test [1], a single device may host multiple<br /> regions, but the driver was only tracking one region at a time. This<br /> leads to a situation where only the last enabled region per nvdimm<br /> device is cleaned up properly. Other regions are leaked, and this also<br /> causes cxl_memdev reference leaks.<br /> <br /> Fix the tracking by allowing cxl_nvdimm objects to track multiple region<br /> associations.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fscrypt: stop using keyrings subsystem for fscrypt_master_key<br /> <br /> The approach of fs/crypto/ internally managing the fscrypt_master_key<br /> structs as the payloads of "struct key" objects contained in a<br /> "struct key" keyring has outlived its usefulness. The original idea was<br /> to simplify the code by reusing code from the keyrings subsystem.<br /> However, several issues have arisen that can&amp;#39;t easily be resolved:<br /> <br /> - When a master key struct is destroyed, blk_crypto_evict_key() must be<br /> called on any per-mode keys embedded in it. (This started being the<br /> case when inline encryption support was added.) Yet, the keyrings<br /> subsystem can arbitrarily delay the destruction of keys, even past the<br /> time the filesystem was unmounted. Therefore, currently there is no<br /> easy way to call blk_crypto_evict_key() when a master key is<br /> destroyed. Currently, this is worked around by holding an extra<br /> reference to the filesystem&amp;#39;s request_queue(s). But it was overlooked<br /> that the request_queue reference is *not* guaranteed to pin the<br /> corresponding blk_crypto_profile too; for device-mapper devices that<br /> support inline crypto, it doesn&amp;#39;t. This can cause a use-after-free.<br /> <br /> - When the last inode that was using an incompletely-removed master key<br /> is evicted, the master key removal is completed by removing the key<br /> struct from the keyring. Currently this is done via key_invalidate().<br /> Yet, key_invalidate() takes the key semaphore. This can deadlock when<br /> called from the shrinker, since in fscrypt_ioctl_add_key(), memory is<br /> allocated with GFP_KERNEL under the same semaphore.<br /> <br /> - More generally, the fact that the keyrings subsystem can arbitrarily<br /> delay the destruction of keys (via garbage collection delay, or via<br /> random processes getting temporary key references) is undesirable, as<br /> it means we can&amp;#39;t strictly guarantee that all secrets are ever wiped.<br /> <br /> - Doing the master key lookups via the keyrings subsystem results in the<br /> key_permission LSM hook being called. fscrypt doesn&amp;#39;t want this, as<br /> all access control for encrypted files is designed to happen via the<br /> files themselves, like any other files. The workaround which SELinux<br /> users are using is to change their SELinux policy to grant key search<br /> access to all domains. This works, but it is an odd extra step that<br /> shouldn&amp;#39;t really have to be done.<br /> <br /> The fix for all these issues is to change the implementation to what I<br /> should have done originally: don&amp;#39;t use the keyrings subsystem to keep<br /> track of the filesystem&amp;#39;s fscrypt_master_key structs. Instead, just<br /> store them in a regular kernel data structure, and rework the reference<br /> counting, locking, and lifetime accordingly. Retain support for<br /> RCU-mode key lookups by using a hash table. Replace fscrypt_sb_free()<br /> with fscrypt_sb_delete(), which releases the keys synchronously and runs<br /> a bit earlier during unmount, so that block devices are still available.<br /> <br /> A side effect of this patch is that neither the master keys themselves<br /> nor the filesystem keyrings will be listed in /proc/keys anymore.<br /> ("Master key users" and the master key users keyrings will still be<br /> listed.) However, this was mostly an implementation detail, and it was<br /> intended just for debugging purposes. I don&amp;#39;t know of anyone using it.<br /> <br /> This patch does *not* change how "master key users" (-&gt;mk_users) works;<br /> that still uses the keyrings subsystem. That is still needed for key<br /> quotas, and changing that isn&amp;#39;t necessary to solve the issues listed<br /> above. If we decide to change that too, it would be a separate patch.<br /> <br /> I&amp;#39;ve marked this as fixing the original commit that added the fscrypt<br /> keyring, but as noted above the most important issue that this patch<br /> fixes wasn&amp;#39;t introduced until the addition of inline encryption support.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix tree mod log mishandling of reallocated nodes<br /> <br /> We have been seeing the following panic in production<br /> <br /> kernel BUG at fs/btrfs/tree-mod-log.c:677!<br /> invalid opcode: 0000 [#1] SMP<br /> RIP: 0010:tree_mod_log_rewind+0x1b4/0x200<br /> RSP: 0000:ffffc9002c02f890 EFLAGS: 00010293<br /> RAX: 0000000000000003 RBX: ffff8882b448c700 RCX: 0000000000000000<br /> RDX: 0000000000008000 RSI: 00000000000000a7 RDI: ffff88877d831c00<br /> RBP: 0000000000000002 R08: 000000000000009f R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000100c40 R12: 0000000000000001<br /> R13: ffff8886c26d6a00 R14: ffff88829f5424f8 R15: ffff88877d831a00<br /> FS: 00007fee1d80c780(0000) GS:ffff8890400c0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fee1963a020 CR3: 0000000434f33002 CR4: 00000000007706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> btrfs_get_old_root+0x12b/0x420<br /> btrfs_search_old_slot+0x64/0x2f0<br /> ? tree_mod_log_oldest_root+0x3d/0xf0<br /> resolve_indirect_ref+0xfd/0x660<br /> ? ulist_alloc+0x31/0x60<br /> ? kmem_cache_alloc_trace+0x114/0x2c0<br /> find_parent_nodes+0x97a/0x17e0<br /> ? ulist_alloc+0x30/0x60<br /> btrfs_find_all_roots_safe+0x97/0x150<br /> iterate_extent_inodes+0x154/0x370<br /> ? btrfs_search_path_in_tree+0x240/0x240<br /> iterate_inodes_from_logical+0x98/0xd0<br /> ? btrfs_search_path_in_tree+0x240/0x240<br /> btrfs_ioctl_logical_to_ino+0xd9/0x180<br /> btrfs_ioctl+0xe2/0x2ec0<br /> ? __mod_memcg_lruvec_state+0x3d/0x280<br /> ? do_sys_openat2+0x6d/0x140<br /> ? kretprobe_dispatcher+0x47/0x70<br /> ? kretprobe_rethook_handler+0x38/0x50<br /> ? rethook_trampoline_handler+0x82/0x140<br /> ? arch_rethook_trampoline_callback+0x3b/0x50<br /> ? kmem_cache_free+0xfb/0x270<br /> ? do_sys_openat2+0xd5/0x140<br /> __x64_sys_ioctl+0x71/0xb0<br /> do_syscall_64+0x2d/0x40<br /> <br /> Which is this code in tree_mod_log_rewind()<br /> <br /> switch (tm-&gt;op) {<br /> case BTRFS_MOD_LOG_KEY_REMOVE_WHILE_FREEING:<br /> BUG_ON(tm-&gt;slot From here the bug is triggered by the following steps<br /> <br /> 1. Call btrfs_get_old_root() on the new_root.<br /> 2. We call tree_mod_log_oldest_root(btrfs_root_node(new_root)), which is<br /> currently logical 0.<br /> 3. tree_mod_log_oldest_root() calls tree_mod_log_search_oldest(), which<br /> gives us the KEY_REPLACE seq 2, and since that&amp;#39;s not a<br /> LOG_ROOT_REPLACE we incorrectly believe that we don&amp;#39;t have an old<br /> root, because we expect that the most recent change should be a<br /> LOG_ROOT_REPLACE.<br /> 4. Back in tree_mod_log_oldest_root() we don&amp;#39;t have a LOG_ROOT_REPLACE,<br /> so we don&amp;#39;t set old_root, we simply use our e<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/region: Fix cxl_region leak, cleanup targets at region delete<br /> <br /> When a region is deleted any targets that have been previously assigned<br /> to that region hold references to it. Trigger those references to<br /> drop by detaching all targets at unregister_region() time.<br /> <br /> Otherwise that region object will leak as userspace has lost the ability<br /> to detach targets once region sysfs is torn down.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: cfg80211: fix memory leak in query_regdb_file()<br /> <br /> In the function query_regdb_file() the alpha2 parameter is duplicated<br /> using kmemdup() and subsequently freed in regdb_fw_cb(). However,<br /> request_firmware_nowait() can fail without calling regdb_fw_cb() and<br /> thus leak memory.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()<br /> <br /> Change num_ghes from int to unsigned int, preventing an overflow<br /> and causing subsequent vmalloc() to fail.<br /> <br /> The overflow happens in ghes_estatus_pool_init() when calculating<br /> len during execution of the statement below as both multiplication<br /> operands here are signed int:<br /> <br /> len += (num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE);<br /> <br /> The following call trace is observed because of this bug:<br /> <br /> [ 9.317108] swapper/0: vmalloc error: size 18446744071562596352, exceeds total pages, mode:0xcc0(GFP_KERNEL), nodemask=(null),cpuset=/,mems_allowed=0-1<br /> [ 9.317131] Call Trace:<br /> [ 9.317134] <br /> [ 9.317137] dump_stack_lvl+0x49/0x5f<br /> [ 9.317145] dump_stack+0x10/0x12<br /> [ 9.317146] warn_alloc.cold+0x7b/0xdf<br /> [ 9.317150] ? __device_attach+0x16a/0x1b0<br /> [ 9.317155] __vmalloc_node_range+0x702/0x740<br /> [ 9.317160] ? device_add+0x17f/0x920<br /> [ 9.317164] ? dev_set_name+0x53/0x70<br /> [ 9.317166] ? platform_device_add+0xf9/0x240<br /> [ 9.317168] __vmalloc_node+0x49/0x50<br /> [ 9.317170] ? ghes_estatus_pool_init+0x43/0xa0<br /> [ 9.317176] vmalloc+0x21/0x30<br /> [ 9.317177] ghes_estatus_pool_init+0x43/0xa0<br /> [ 9.317179] acpi_hest_init+0x129/0x19c<br /> [ 9.317185] acpi_init+0x434/0x4a4<br /> [ 9.317188] ? acpi_sleep_proc_init+0x2a/0x2a<br /> [ 9.317190] do_one_initcall+0x48/0x200<br /> [ 9.317195] kernel_init_freeable+0x221/0x284<br /> [ 9.317200] ? rest_init+0xe0/0xe0<br /> [ 9.317204] kernel_init+0x1a/0x130<br /> [ 9.317205] ret_from_fork+0x22/0x30<br /> [ 9.317208] <br /> <br /> [ rjw: Subject and changelog edits ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: meson: vdec: fix possible refcount leak in vdec_probe()<br /> <br /> v4l2_device_unregister need to be called to put the refcount got by<br /> v4l2_device_register when vdec_probe fails or vdec_remove is called.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: entry: avoid kprobe recursion<br /> <br /> The cortex_a76_erratum_1463225_debug_handler() function is called when<br /> handling debug exceptions (and synchronous exceptions from BRK<br /> instructions), and so is called when a probed function executes. If the<br /> compiler does not inline cortex_a76_erratum_1463225_debug_handler(), it<br /> can be probed.<br /> <br /> If cortex_a76_erratum_1463225_debug_handler() is probed, any debug<br /> exception or software breakpoint exception will result in recursive<br /> exceptions leading to a stack overflow. This can be triggered with the<br /> ftrace multiple_probes selftest, and as per the example splat below.<br /> <br /> This is a regression caused by commit:<br /> <br /> 6459b8469753e9fe ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround")<br /> <br /> ... which removed the NOKPROBE_SYMBOL() annotation associated with the<br /> function.<br /> <br /> My intent was that cortex_a76_erratum_1463225_debug_handler() would be<br /> inlined into its caller, el1_dbg(), which is marked noinstr and cannot<br /> be probed. Mark cortex_a76_erratum_1463225_debug_handler() as<br /> __always_inline to ensure this.<br /> <br /> Example splat prior to this patch (with recursive entries elided):<br /> <br /> | # echo p cortex_a76_erratum_1463225_debug_handler &gt; /sys/kernel/debug/tracing/kprobe_events<br /> | # echo p do_el0_svc &gt;&gt; /sys/kernel/debug/tracing/kprobe_events<br /> | # echo 1 &gt; /sys/kernel/debug/tracing/events/kprobes/enable<br /> | Insufficient stack space to handle exception!<br /> | ESR: 0x0000000096000047 -- DABT (current EL)<br /> | FAR: 0xffff800009cefff0<br /> | Task stack: [0xffff800009cf0000..0xffff800009cf4000]<br /> | IRQ stack: [0xffff800008000000..0xffff800008004000]<br /> | Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]<br /> | CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2<br /> | Hardware name: linux,dummy-virt (DT)<br /> | pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> | pc : arm64_enter_el1_dbg+0x4/0x20<br /> | lr : el1_dbg+0x24/0x5c<br /> | sp : ffff800009cf0000<br /> | x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000<br /> | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000<br /> | x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068<br /> | x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000<br /> | x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> | x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> | x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0<br /> | x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000<br /> | x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4<br /> | x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040<br /> | Kernel panic - not syncing: kernel stack overflow<br /> | CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2<br /> | Hardware name: linux,dummy-virt (DT)<br /> | Call trace:<br /> | dump_backtrace+0xe4/0x104<br /> | show_stack+0x18/0x4c<br /> | dump_stack_lvl+0x64/0x7c<br /> | dump_stack+0x18/0x38<br /> | panic+0x14c/0x338<br /> | test_taint+0x0/0x2c<br /> | panic_bad_stack+0x104/0x118<br /> | handle_bad_stack+0x34/0x48<br /> | __bad_stack+0x78/0x7c<br /> | arm64_enter_el1_dbg+0x4/0x20<br /> | el1h_64_sync_handler+0x40/0x98<br /> | el1h_64_sync+0x64/0x68<br /> | cortex_a76_erratum_1463225_debug_handler+0x0/0x34<br /> ...<br /> | el1h_64_sync_handler+0x40/0x98<br /> | el1h_64_sync+0x64/0x68<br /> | cortex_a76_erratum_1463225_debug_handler+0x0/0x34<br /> ...<br /> | el1h_64_sync_handler+0x40/0x98<br /> | el1h_64_sync+0x64/0x68<br /> | cortex_a76_erratum_1463225_debug_handler+0x0/0x34<br /> | el1h_64_sync_handler+0x40/0x98<br /> | el1h_64_sync+0x64/0x68<br /> | do_el0_svc+0x0/0x28<br /> | el0t_64_sync_handler+0x84/0xf0<br /> | el0t_64_sync+0x18c/0x190<br /> | Kernel Offset: disabled<br /> | CPU features: 0x0080,00005021,19001080<br /> | Memory Limit: none<br /> | ---[ end Kernel panic - not syncing: kernel stack overflow ]---<br /> <br /> With this patch, cortex_a76_erratum_1463225_debug_handler() is inlined<br /> into el1_dbg(), and el1_dbg() cannot be probed:<br /> <br /> | # echo p cortex_a76_erratum_1463225_debug_handler &gt; /sys/kernel/debug/tracing/kprobe_events<br /> | sh: write error: No such file or directory<br /> | # grep -w cortex_a76_errat<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()<br /> <br /> On some machines the number of listed CPUs may be bigger than the actual<br /> CPUs that exist. The tracing subsystem allocates a per_cpu directory with<br /> access to the per CPU ring buffer via a cpuX file. But to save space, the<br /> ring buffer will only allocate buffers for online CPUs, even though the<br /> CPU array will be as big as the nr_cpu_ids.<br /> <br /> With the addition of waking waiters on the ring buffer when closing the<br /> file, the ring_buffer_wake_waiters() now needs to make sure that the<br /> buffer is allocated (with the irq_work allocated with it) before trying to<br /> wake waiters, as it will cause a NULL pointer dereference.<br /> <br /> While debugging this, I added a NULL check for the buffer itself (which is<br /> OK to do), and also NULL pointer checks against buffer-&gt;buffers (which is<br /> not fine, and will WARN) as well as making sure the CPU number passed in<br /> is within the nr_cpu_ids (which is also not fine if it isn&amp;#39;t).<br /> <br /> <br /> Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705