Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: synaptics - fix crash when enabling pass-through port<br /> <br /> When enabling a pass-through port an interrupt might come before psmouse<br /> driver binds to the pass-through port. However synaptics sub-driver<br /> tries to access psmouse instance presumably associated with the<br /> pass-through port to figure out if only 1 byte of response or entire<br /> protocol packet needs to be forwarded to the pass-through port and may<br /> crash if psmouse instance has not been attached to the port yet.<br /> <br /> Fix the crash by introducing open() and close() methods for the port and<br /> check if the port is open before trying to access psmouse instance.<br /> Because psmouse calls serio_open() only after attaching psmouse instance<br /> to serio port instance this prevents the potential crash.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()<br /> <br /> On removal of the device or unloading of the kernel module a potential NULL<br /> pointer dereference occurs.<br /> <br /> The following sequence deletes the interface:<br /> <br /> brcmf_detach()<br /> brcmf_remove_interface()<br /> brcmf_del_if()<br /> <br /> Inside the brcmf_del_if() function the drvr-&gt;if2bss[ifidx] is updated to<br /> BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.<br /> <br /> After brcmf_remove_interface() call the brcmf_proto_detach() function is<br /> called providing the following sequence:<br /> <br /> brcmf_detach()<br /> brcmf_proto_detach()<br /> brcmf_proto_msgbuf_detach()<br /> brcmf_flowring_detach()<br /> brcmf_msgbuf_delete_flowring()<br /> brcmf_msgbuf_remove_flowring()<br /> brcmf_flowring_delete()<br /> brcmf_get_ifp()<br /> brcmf_txfinalize()<br /> <br /> Since brcmf_get_ip() can and actually will return NULL in this case the<br /> call to brcmf_txfinalize() will result in a NULL pointer dereference inside<br /> brcmf_txfinalize() when trying to update ifp-&gt;ndev-&gt;stats.tx_errors.<br /> <br /> This will only happen if a flowring still has an skb.<br /> <br /> Although the NULL pointer dereference has only been seen when trying to<br /> update the tx statistic, all other uses of the ifp pointer have been<br /> guarded as well with an early return if ifp is NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-cgroup: Fix class @block_class&amp;#39;s subsystem refcount leakage<br /> <br /> blkcg_fill_root_iostats() iterates over @block_class&amp;#39;s devices by<br /> class_dev_iter_(init|next)(), but does not end iterating with<br /> class_dev_iter_exit(), so causes the class&amp;#39;s subsystem refcount leakage.<br /> <br /> Fix by ending the iterating with class_dev_iter_exit().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix use-after-free when attempting to join an aborted transaction<br /> <br /> When we are trying to join the current transaction and if it&amp;#39;s aborted,<br /> we read its &amp;#39;aborted&amp;#39; field after unlocking fs_info-&gt;trans_lock and<br /> without holding any extra reference count on it. This means that a<br /> concurrent task that is aborting the transaction may free the transaction<br /> before we read its &amp;#39;aborted&amp;#39; field, leading to a use-after-free.<br /> <br /> Fix this by reading the &amp;#39;aborted&amp;#39; field while holding fs_info-&gt;trans_lock<br /> since any freeing task must first acquire that lock and set<br /> fs_info-&gt;running_transaction to NULL before freeing the transaction.<br /> <br /> This was reported by syzbot and Dmitry with the following stack traces<br /> from KASAN:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278<br /> Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128<br /> <br /> CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> Workqueue: events_unbound btrfs_async_reclaim_data_space<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:489<br /> kasan_report+0x143/0x180 mm/kasan/report.c:602<br /> join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278<br /> start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697<br /> flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803<br /> btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321<br /> process_one_work kernel/workqueue.c:3236 [inline]<br /> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3398<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> <br /> Allocated by task 5315:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329<br /> kmalloc_noprof include/linux/slab.h:901 [inline]<br /> join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308<br /> start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697<br /> btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572<br /> lookup_open fs/namei.c:3649 [inline]<br /> open_last_lookups fs/namei.c:3748 [inline]<br /> path_openat+0x1c03/0x3590 fs/namei.c:3984<br /> do_filp_open+0x27f/0x4e0 fs/namei.c:4014<br /> do_sys_openat2+0x13e/0x1d0 fs/open.c:1402<br /> do_sys_open fs/open.c:1417 [inline]<br /> __do_sys_creat fs/open.c:1495 [inline]<br /> __se_sys_creat fs/open.c:1489 [inline]<br /> __x64_sys_creat+0x123/0x170 fs/open.c:1489<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 5336:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2353 [inline]<br /> slab_free mm/slub.c:4613 [inline]<br /> kfree+0x196/0x430 mm/slub.c:4761<br /> cleanup_transaction fs/btrfs/transaction.c:2063 [inline]<br /> btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598<br /> insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757<br /> btrfs_balance+0x992/<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: fix memory leak in ceph_mds_auth_match()<br /> <br /> We now free the temporary target path substring allocation on every<br /> possible branch, instead of omitting the default branch. In some<br /> cases, a memory leak occured, which could rapidly crash the system<br /> (depending on how many file accesses were attempted).<br /> <br /> This was detected in production because it caused a continuous memory<br /> growth, eventually triggering kernel OOM and completely hard-locking<br /> the kernel.<br /> <br /> Relevant kmemleak stacktrace:<br /> <br /> unreferenced object 0xffff888131e69900 (size 128):<br /> comm "git", pid 66104, jiffies 4295435999<br /> hex dump (first 32 bytes):<br /> 76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65 volumes/containe<br /> 72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67 rs/gitea/gitea/g<br /> backtrace (crc 2f3bb450):<br /> [] __kmalloc_noprof+0x359/0x510<br /> [] ceph_mds_check_access+0x5bf/0x14e0 [ceph]<br /> [] ceph_open+0x312/0xd80 [ceph]<br /> [] do_dentry_open+0x456/0x1120<br /> [] vfs_open+0x79/0x360<br /> [] path_openat+0x1de5/0x4390<br /> [] do_filp_open+0x19c/0x3c0<br /> [] do_sys_openat2+0x141/0x180<br /> [] __x64_sys_open+0xe5/0x1a0<br /> [] do_syscall_64+0xb7/0x210<br /> [] entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> It can be triggered by mouting a subdirectory of a CephFS filesystem,<br /> and then trying to access files on this subdirectory with an auth token<br /> using a path-scoped capability:<br /> <br /> $ ceph auth get client.services<br /> [client.services]<br /> key = REDACTED<br /> caps mds = "allow rw fsname=cephfs path=/volumes/"<br /> caps mon = "allow r fsname=cephfs"<br /> caps osd = "allow rw tag cephfs data=cephfs"<br /> <br /> $ cat /proc/self/mounts<br /> services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0<br /> <br /> $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} &amp;&amp; \<br /> seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}<br /> <br /> [ idryomov: combine if statements, rename rc to path_matched and make<br /> it a bool, formatting ]

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet: ipheth: fix DPE OoB read<br /> <br /> Fix an out-of-bounds DPE read, limit the number of processed DPEs to<br /> the amount that fits into the fixed-size NDP16 header.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet: ipheth: use static NDP16 location in URB<br /> <br /> Original code allowed for the start of NDP16 to be anywhere within the<br /> URB based on the `wNdpIndex` value in NTH16. Only the start position of<br /> NDP16 was checked, so it was possible for even the fixed-length part<br /> of NDP16 to extend past the end of URB, leading to an out-of-bounds<br /> read.<br /> <br /> On iOS devices, the NDP16 header always directly follows NTH16. Rely on<br /> and check for this specific format.<br /> <br /> This, along with NCM-specific minimal URB length check that already<br /> exists, will ensure that the fixed-length part of NDP16 plus a set<br /> amount of DPEs fit within the URB.<br /> <br /> Note that this commit alone does not fully address the OoB read.<br /> The limit on the amount of DPEs needs to be enforced separately.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet: ipheth: fix possible overflow in DPE length check<br /> <br /> Originally, it was possible for the DPE length check to overflow if<br /> wDatagramIndex + wDatagramLength &gt; U16_MAX. This could lead to an OoB<br /> read.<br /> <br /> Move the wDatagramIndex term to the other side of the inequality.<br /> <br /> An existing condition ensures that wDatagramIndex actual_length.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> misc: fastrpc: Fix copy buffer page size<br /> <br /> For non-registered buffer, fastrpc driver copies the buffer and<br /> pass it to the remote subsystem. There is a problem with current<br /> implementation of page size calculation which is not considering<br /> the offset in the calculation. This might lead to passing of<br /> improper and out-of-bounds page size which could result in<br /> memory issue. Calculate page start and page end using the offset<br /> adjusted address instead of absolute address.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix possible int overflows in nilfs_fiemap()<br /> <br /> Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result<br /> by being prepared to go through potentially maxblocks == INT_MAX blocks,<br /> the value in n may experience an overflow caused by left shift of blkbits.<br /> <br /> While it is extremely unlikely to occur, play it safe and cast right hand<br /> expression to wider type to mitigate the issue.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with static analysis<br /> tool SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-sff: Ensure that we cannot write outside the allocated buffer<br /> <br /> reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len<br /> set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to<br /> ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to<br /> write outside the allocated buffer, overwriting random memory.<br /> <br /> While a ATA device is supposed to abort a ATA_NOP command, there does seem<br /> to be a bug either in libata-sff or QEMU, where either this status is not<br /> set, or the status is cleared before read by ata_sff_hsm_move().<br /> Anyway, that is most likely a separate bug.<br /> <br /> Looking at __atapi_pio_bytes(), it already has a safety check to ensure<br /> that __atapi_pio_bytes() cannot write outside the allocated buffer.<br /> <br /> Add a similar check to ata_pio_sector(), such that also ata_pio_sector()<br /> cannot write outside the allocated buffer.