Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix potential hang in nilfs_detach_log_writer()<br /> <br /> Syzbot has reported a potential hang in nilfs_detach_log_writer() called<br /> during nilfs2 unmount.<br /> <br /> Analysis revealed that this is because nilfs_segctor_sync(), which<br /> synchronizes with the log writer thread, can be called after<br /> nilfs_segctor_destroy() terminates that thread, as shown in the call trace<br /> below:<br /> <br /> nilfs_detach_log_writer<br /> nilfs_segctor_destroy<br /> nilfs_segctor_kill_thread --&gt; Shut down log writer thread<br /> flush_work<br /> nilfs_iput_work_func<br /> nilfs_dispose_list<br /> iput<br /> nilfs_evict_inode<br /> nilfs_transaction_commit<br /> nilfs_construct_segment (if inode needs sync)<br /> nilfs_segctor_sync --&gt; Attempt to synchronize with<br /> log writer thread<br /> *** DEADLOCK ***<br /> <br /> Fix this issue by changing nilfs_segctor_sync() so that the log writer<br /> thread returns normally without synchronizing after it terminates, and by<br /> forcing tasks that are already waiting to complete once after the thread<br /> terminates.<br /> <br /> The skipped inode metadata flushout will then be processed together in the<br /> subsequent cleanup work in nilfs_segctor_destroy().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> speakup: Fix sizeof() vs ARRAY_SIZE() bug<br /> <br /> The "buf" pointer is an array of u16 values. This code should be<br /> using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),<br /> otherwise it can the still got out of bounds.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/mes: fix use-after-free issue<br /> <br /> Delete fence fallback timer to fix the ramdom<br /> use-after-free issue.<br /> <br /> v2: move to amdgpu_mes.c

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group<br /> <br /> The perf tool allows users to create event groups through following<br /> cmd [1], but the driver does not check whether the array index is out of<br /> bounds when writing data to the event_group array. If the number of events<br /> in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write<br /> overflow of event_group array occurs.<br /> <br /> Add array index check to fix the possible array out of bounds violation,<br /> and return directly when write new events are written to array bounds.<br /> <br /> There are 9 different events in an event_group.<br /> [1] perf stat -e &amp;#39;{pmu/event1/, ... ,pmu/event9/}&amp;#39;

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: Fix potential glock use-after-free on unmount<br /> <br /> When a DLM lockspace is released and there ares still locks in that<br /> lockspace, DLM will unlock those locks automatically. Commit<br /> fb6791d100d1b started exploiting this behavior to speed up filesystem<br /> unmount: gfs2 would simply free glocks it didn&amp;#39;t want to unlock and then<br /> release the lockspace. This didn&amp;#39;t take the bast callbacks for<br /> asynchronous lock contention notifications into account, which remain<br /> active until until a lock is unlocked or its lockspace is released.<br /> <br /> To prevent those callbacks from accessing deallocated objects, put the<br /> glocks that should not be unlocked on the sd_dead_glocks list, release<br /> the lockspace, and only then free those glocks.<br /> <br /> As an additional measure, ignore unexpected ast and bast callbacks if<br /> the receiving glock is dead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/drivers/tsens: Fix null pointer dereference<br /> <br /> compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)<br /> as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null<br /> pointer dereference (if DEBUG or DYNAMIC_DEBUG set).<br /> Fix this bug by adding null pointer check.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()<br /> <br /> Currently, there is no terminator entry for ath12k_qmi_msg_handlers hence<br /> facing below KASAN warning,<br /> <br /> ==================================================================<br /> BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148<br /> Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273<br /> <br /> CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0<br /> Workqueue: qmi_msg_handler qmi_data_ready_work<br /> Call trace:<br /> dump_backtrace+0x0/0x20c<br /> show_stack+0x14/0x1c<br /> dump_stack+0xe0/0x138<br /> print_address_description.isra.5+0x30/0x330<br /> __kasan_report+0x16c/0x1bc<br /> kasan_report+0xc/0x14<br /> __asan_load8+0xa8/0xb0<br /> qmi_invoke_handler+0xa4/0x148<br /> qmi_handle_message+0x18c/0x1bc<br /> qmi_data_ready_work+0x4ec/0x528<br /> process_one_work+0x2c0/0x440<br /> worker_thread+0x324/0x4b8<br /> kthread+0x210/0x228<br /> ret_from_fork+0x10/0x18<br /> <br /> The address belongs to the variable:<br /> ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k]<br /> [...]<br /> ==================================================================<br /> <br /> Add a dummy terminator entry at the end to assist the qmi_invoke_handler()<br /> in traversing up to the terminator entry without accessing an<br /> out-of-boundary index.<br /> <br /> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ecryptfs: Fix buffer size for tag 66 packet<br /> <br /> The &amp;#39;TAG 66 Packet Format&amp;#39; description is missing the cipher code and<br /> checksum fields that are packed into the message packet. As a result,<br /> the buffer allocated for the packet is 3 bytes too small and<br /> write_tag_66_packet() will write up to 3 bytes past the end of the<br /> buffer.<br /> <br /> Fix this by increasing the size of the allocation so the whole packet<br /> will always fit in the buffer.<br /> <br /> This fixes the below kasan slab-out-of-bounds bug:<br /> <br /> BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0<br /> Write of size 1 at addr ffff88800afbb2a5 by task touch/181<br /> <br /> CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x4c/0x70<br /> print_report+0xc5/0x610<br /> ? ecryptfs_generate_key_packet_set+0x7d6/0xde0<br /> ? kasan_complete_mode_report_info+0x44/0x210<br /> ? ecryptfs_generate_key_packet_set+0x7d6/0xde0<br /> kasan_report+0xc2/0x110<br /> ? ecryptfs_generate_key_packet_set+0x7d6/0xde0<br /> __asan_store1+0x62/0x80<br /> ecryptfs_generate_key_packet_set+0x7d6/0xde0<br /> ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10<br /> ? __alloc_pages+0x2e2/0x540<br /> ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]<br /> ? dentry_open+0x8f/0xd0<br /> ecryptfs_write_metadata+0x30a/0x550<br /> ? __pfx_ecryptfs_write_metadata+0x10/0x10<br /> ? ecryptfs_get_lower_file+0x6b/0x190<br /> ecryptfs_initialize_file+0x77/0x150<br /> ecryptfs_create+0x1c2/0x2f0<br /> path_openat+0x17cf/0x1ba0<br /> ? __pfx_path_openat+0x10/0x10<br /> do_filp_open+0x15e/0x290<br /> ? __pfx_do_filp_open+0x10/0x10<br /> ? __kasan_check_write+0x18/0x30<br /> ? _raw_spin_lock+0x86/0xf0<br /> ? __pfx__raw_spin_lock+0x10/0x10<br /> ? __kasan_check_write+0x18/0x30<br /> ? alloc_fd+0xf4/0x330<br /> do_sys_openat2+0x122/0x160<br /> ? __pfx_do_sys_openat2+0x10/0x10<br /> __x64_sys_openat+0xef/0x170<br /> ? __pfx___x64_sys_openat+0x10/0x10<br /> do_syscall_64+0x60/0xd0<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> RIP: 0033:0x7f00a703fd67<br /> Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f<br /> RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101<br /> RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67<br /> RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c<br /> RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941<br /> R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040<br /> <br /> <br /> Allocated by task 181:<br /> kasan_save_stack+0x2f/0x60<br /> kasan_set_track+0x29/0x40<br /> kasan_save_alloc_info+0x25/0x40<br /> __kasan_kmalloc+0xc5/0xd0<br /> __kmalloc+0x66/0x160<br /> ecryptfs_generate_key_packet_set+0x6d2/0xde0<br /> ecryptfs_write_metadata+0x30a/0x550<br /> ecryptfs_initialize_file+0x77/0x150<br /> ecryptfs_create+0x1c2/0x2f0<br /> path_openat+0x17cf/0x1ba0<br /> do_filp_open+0x15e/0x290<br /> do_sys_openat2+0x122/0x160<br /> __x64_sys_openat+0xef/0x170<br /> do_syscall_64+0x60/0xd0<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: bcm - Fix pointer arithmetic<br /> <br /> In spu2_dump_omd() value of ptr is increased by ciph_key_len<br /> instead of hash_iv_len which could lead to going beyond the<br /> buffer boundaries.<br /> Fix this bug by changing ciph_key_len to hash_iv_len.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libbpf: Prevent null-pointer dereference when prog to load has no BTF<br /> <br /> In bpf_objec_load_prog(), there&amp;#39;s no guarantee that obj-&gt;btf is non-NULL<br /> when passing it to btf__fd(), and this function does not perform any<br /> check before dereferencing its argument (as bpf_object__btf_fd() used to<br /> do). As a consequence, we get segmentation fault errors in bpftool (for<br /> example) when trying to load programs that come without BTF information.<br /> <br /> v2: Keep btf__fd() in the fix instead of reverting to bpf_object__btf_fd().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: pcie: handle randbuf allocation failure<br /> <br /> The kzalloc() in brcmf_pcie_download_fw_nvram() will return null<br /> if the physical memory has run out. As a result, if we use<br /> get_random_bytes() to generate random bytes in the randbuf, the<br /> null pointer dereference bug will happen.<br /> <br /> In order to prevent allocation failure, this patch adds a separate<br /> function using buffer on kernel stack to generate random bytes in<br /> the randbuf, which could prevent the kernel stack from overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cppc_cpufreq: Fix possible null pointer dereference<br /> <br /> cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from<br /> different places with various parameters. So cpufreq_cpu_get() can return<br /> null as &amp;#39;policy&amp;#39; in some circumstances.<br /> Fix this bug by adding null return check.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.