Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) which, under a partnership agreement, INCIBE translates into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level available to narrow down the results.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-49138

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Ignore multiple conn complete events

When one of the three connection complete events is received multiple times for the same handle, the device is registered multiple times which leads to memory corruptions. Therefore, consequent events for a single connection are ignored.

The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET is introduced to identify new connections. To make sure the events do not contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks are introduced.

Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2022-49139

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt

This event is just specified for SCO and eSCO link types. On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR of an existing LE connection, LE link type and a status that triggers the second case of the packet processing a NULL pointer dereference happens, as conn->link is NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2022-49140

Publication date:
26/02/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2025

CVE-2022-49141

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

net: dsa: felix: fix possible NULL pointer dereference

As the possible failure of the allocation, kzalloc() may return NULL pointer. Therefore, it should be better to check the 'sgi' in order to prevent the dereference of NULL pointer.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2022-49142

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

net: preserve skb_end_offset() in skb_unclone_keeptruesize()

syzbot found another way to trigger the infamous WARN_ON_ONCE(delta truesize value, we also need to make sure TCP won't fill new tailroom that pskb_expand_head() was able to get from a addr = kmalloc(...) followed by ksize(addr)

Split skb_unclone_keeptruesize() into two parts:

1) Inline skb_unclone_keeptruesize() for the common case, when skb is not cloned.

2) Out of line __skb_unclone_keeptruesize() for the 'slow path'.

WARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295
Modules linked in:
CPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295
Call Trace:
tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline]
tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630
tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914
tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025
tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947
tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719
sk_backlog_rcv include/net/sock.h:1037 [inline]
__release_sock+0x134/0x3b0 net/core/sock.c:2779
release_sock+0x54/0x1b0 net/core/sock.c:3311
sk_wait_data+0x177/0x450 net/core/sock.c:2821
tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457
tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572
inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
sock_recvmsg net/socket.c:962 [inline]
____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
___sys_recvmsg+0x127/0x200 net/socket.c:2674
__sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2022-49144

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix memory leak of uid in files registration

When there are no files for __io_sqe_files_scm() to process in the range, it'll free everything and return. However, it forgets to put uid.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2022-49145

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

ACPI: CPPC: Avoid out of bounds access when parsing _CPC data

If the NumEntries field in the _CPC return package is less than 2, do not attempt to access the "Revision" element of that package, because it may not be present then.

BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2022-49146

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

virtio: use virtio_device_ready() in virtio_device_restore()

After waking up a suspended VM, the kernel prints the following trace for virtio drivers which do not directly call virtio_device_ready() in the .restore:

PM: suspend exit
irq 22: nobody cared (try booting with the "irqpoll" option)
Call Trace:
dump_stack_lvl+0x38/0x49
dump_stack+0x10/0x12
__report_bad_irq+0x3a/0xaf
note_interrupt.cold+0xb/0x60
handle_irq_event+0x71/0x80
handle_fasteoi_irq+0x95/0x1e0
__common_interrupt+0x6b/0x110
common_interrupt+0x63/0xe0
asm_common_interrupt+0x1e/0x40
? __do_softirq+0x75/0x2f3
irq_exit_rcu+0x93/0xe0
sysvec_apic_timer_interrupt+0xac/0xd0

asm_sysvec_apic_timer_interrupt+0x12/0x20
arch_cpu_idle+0x12/0x20
default_idle_call+0x39/0xf0
do_idle+0x1b5/0x210
cpu_startup_entry+0x20/0x30
start_secondary+0xf3/0x100
secondary_startup_64_no_verify+0xc3/0xcb

handlers:
[] vp_interrupt
[] vp_interrupt
Disabling IRQ #22

This happens because we don't invoke .enable_cbs callback in virtio_device_restore(). That callback is used by some transports (e.g. virtio-pci) to enable interrupts.

Let's fix it, by calling virtio_device_ready() as we do in virtio_dev_probe(). This function calls .enable_cbs callback and sets DRIVER_OK status bit.

This fix also avoids setting DRIVER_OK twice for those drivers that call virtio_device_ready() in the .restore.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2022-49147

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

block: Fix the maximum minor value is blk_alloc_ext_minor()

ida_alloc_range(..., min, max, ...) returns values from min to max, inclusive.

So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().

This is an issue because in device_add_disk(), this value is used in:
ddev->devt = MKDEV(disk->major, disk->first_minor);
and NR_EXT_DEVT is '(1
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2022-49148

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Free the page array when watch_queue is dismantled

Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the watch_queue is torn down") took care of the bitmap, but not the page array.

BUG: memory leak
unreferenced object 0xffff88810d9bc140 (size 32):
comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s)
hex dump (first 32 bytes):
40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
kmalloc_array include/linux/slab.h:621 [inline]
kcalloc include/linux/slab.h:652 [inline]
watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251
pipe_ioctl+0x82/0x140 fs/pipe.c:632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2022-49127

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

ref_tracker: implement use-after-free detection

Whenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir as dead.

Test the dead status from ref_tracker_alloc() and ref_tracker_free()

This should detect buggy dev_put()/dev_hold() happening too late in netdevice dismantle process.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2022-49128

Publication date:
26/02/2025
In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: Add missing pm_runtime_put_sync

pm_runtime_get_sync() will increase the runtime PM counter even when it returns an error. Thus a pairing decrement is needed to prevent refcount leak. Fix this by replacing this API with pm_runtime_resume_and_get(), which will not change the runtime PM counter on error. Besides, a matching decrement is needed on the error handling path to keep the counter balanced.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025