Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> be2net: Fix buffer overflow in be_get_module_eeprom<br /> <br /> be_cmd_read_port_transceiver_data assumes that it is given a buffer that<br /> is at least PAGE_DATA_LEN long, or twice that if the module supports SFF<br /> 8472. However, this is not always the case.<br /> <br /> Fix this by passing the desired offset and length to<br /> be_cmd_read_port_transceiver_data so that we only copy the bytes once.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: fix NULL pointer dereference in dsa_port_reset_vlan_filtering<br /> <br /> The "ds" iterator variable used in dsa_port_reset_vlan_filtering() -&gt;<br /> dsa_switch_for_each_port() overwrites the "dp" received as argument,<br /> which is later used to call dsa_port_vlan_filtering() proper.<br /> <br /> As a result, switches which do enter that code path (the ones with<br /> vlan_filtering_is_global=true) will dereference an invalid dp in<br /> dsa_port_reset_vlan_filtering() after leaving a VLAN-aware bridge.<br /> <br /> Use a dedicated "other_dp" iterator variable to avoid this from<br /> happening.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iavf: Fix handling of dummy receive descriptors<br /> <br /> Fix memory leak caused by not handling dummy receive descriptor properly.<br /> iavf_get_rx_buffer now sets the rx_buffer return value for dummy receive<br /> descriptors. Without this patch, when the hardware writes a dummy<br /> descriptor, iavf would not free the page allocated for the previous receive<br /> buffer. This is an unlikely event but can still happen.<br /> <br /> [Jesse: massaged commit message]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero<br /> <br /> It is possible to disable VFs while the PF driver is processing requests<br /> from the VF driver. This can result in a panic.<br /> <br /> BUG: unable to handle kernel paging request at 000000000000106c<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] SMP NOPTI<br /> CPU: 8 PID: 0 Comm: swapper/8 Kdump: loaded Tainted: G I --------- -<br /> Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020<br /> RIP: 0010:ixgbe_msg_task+0x4c8/0x1690 [ixgbe]<br /> Code: 00 00 48 8d 04 40 48 c1 e0 05 89 7c 24 24 89 fd 48 89 44 24 10 83 ff<br /> 01 0f 84 b8 04 00 00 4c 8b 64 24 10 4d 03 a5 48 22 00 00 80 7c 24 4c<br /> 00 0f 84 8a 03 00 00 0f b7 c7 83 f8 08 0f 84 8f 0a<br /> RSP: 0018:ffffb337869f8df8 EFLAGS: 00010002<br /> RAX: 0000000000001020 RBX: 0000000000000000 RCX: 000000000000002b<br /> RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000006<br /> RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000029780<br /> R10: 00006957d8f42832 R11: 0000000000000000 R12: 0000000000001020<br /> R13: ffff8a00e8978ac0 R14: 000000000000002b R15: ffff8a00e8979c80<br /> FS: 0000000000000000(0000) GS:ffff8a07dfd00000(0000) knlGS:00000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000000106c CR3: 0000000063e10004 CR4: 00000000007726e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? ttwu_do_wakeup+0x19/0x140<br /> ? try_to_wake_up+0x1cd/0x550<br /> ? ixgbevf_update_xcast_mode+0x71/0xc0 [ixgbevf]<br /> ixgbe_msix_other+0x17e/0x310 [ixgbe]<br /> __handle_irq_event_percpu+0x40/0x180<br /> handle_irq_event_percpu+0x30/0x80<br /> handle_irq_event+0x36/0x53<br /> handle_edge_irq+0x82/0x190<br /> handle_irq+0x1c/0x30<br /> do_IRQ+0x49/0xd0<br /> common_interrupt+0xf/0xf<br /> <br /> This can be eventually be reproduced with the following script:<br /> <br /> while :<br /> do<br /> echo 63 &gt; /sys/class/net//device/sriov_numvfs<br /> sleep 1<br /> echo 0 &gt; /sys/class/net//device/sriov_numvfs<br /> sleep 1<br /> done<br /> <br /> Add lock when disabling SR-IOV to prevent process VF mailbox communication.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat - add param check for RSA<br /> <br /> Reject requests with a source buffer that is bigger than the size of the<br /> key. This is to prevent a possible integer underflow that might happen<br /> when copying the source scatterlist into a linear buffer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat - add param check for DH<br /> <br /> Reject requests with a source buffer that is bigger than the size of the<br /> key. This is to prevent a possible integer underflow that might happen<br /> when copying the source scatterlist into a linear buffer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/x86/intel/lbr: Fix unchecked MSR access error on HSW<br /> <br /> The fuzzer triggers the below trace.<br /> <br /> [ 7763.384369] unchecked MSR access error: WRMSR to 0x689<br /> (tried to write 0x1fffffff8101349e) at rIP: 0xffffffff810704a4<br /> (native_write_msr+0x4/0x20)<br /> [ 7763.397420] Call Trace:<br /> [ 7763.399881] <br /> [ 7763.401994] intel_pmu_lbr_restore+0x9a/0x1f0<br /> [ 7763.406363] intel_pmu_lbr_sched_task+0x91/0x1c0<br /> [ 7763.410992] __perf_event_task_sched_in+0x1cd/0x240<br /> <br /> On a machine with the LBR format LBR_FORMAT_EIP_FLAGS2, when the TSX is<br /> disabled, a TSX quirk is required to access LBR from registers.<br /> The lbr_from_signext_quirk_needed() is introduced to determine whether<br /> the TSX quirk should be applied. However, the<br /> lbr_from_signext_quirk_needed() is invoked before the<br /> intel_pmu_lbr_init(), which parses the LBR format information. Without<br /> the correct LBR format information, the TSX quirk never be applied.<br /> <br /> Move the lbr_from_signext_quirk_needed() into the intel_pmu_lbr_init().<br /> Checking x86_pmu.lbr_has_tsx in the lbr_from_signext_quirk_needed() is<br /> not required anymore.<br /> <br /> Both LBR_FORMAT_EIP_FLAGS2 and LBR_FORMAT_INFO have LBR_TSX flag, but<br /> only the LBR_FORMAT_EIP_FLAGS2 requirs the quirk. Update the comments<br /> accordingly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat - fix memory leak in RSA<br /> <br /> When an RSA key represented in form 2 (as defined in PKCS #1 V2.1) is<br /> used, some components of the private key persist even after the TFM is<br /> released.<br /> Replace the explicit calls to free the buffers in qat_rsa_exit_tfm()<br /> with a call to qat_rsa_clear_ctx() which frees all buffers referenced in<br /> the TFM context.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: Don&amp;#39;t null dereference ops-&gt;destroy<br /> <br /> A KVM device cleanup happens in either of two callbacks:<br /> 1) destroy() which is called when the VM is being destroyed;<br /> 2) release() which is called when a device fd is closed.<br /> <br /> Most KVM devices use 1) but Book3s&amp;#39;s interrupt controller KVM devices<br /> (XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during<br /> the machine execution. The error handling in kvm_ioctl_create_device()<br /> assumes destroy() is always defined which leads to NULL dereference as<br /> discovered by Syzkaller.<br /> <br /> This adds a checks for destroy!=NULL and adds a missing release().<br /> <br /> This is not changing kvm_destroy_devices() as devices with defined<br /> release() should have been removed from the KVM devices list by then.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers<br /> <br /> In case a IRQ based transfer times out the bcm2835_spi_handle_err()<br /> function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop<br /> dma_pending flag") the TX and RX DMA transfers are unconditionally<br /> canceled, leading to NULL pointer derefs if ctlr-&gt;dma_tx or<br /> ctlr-&gt;dma_rx are not set.<br /> <br /> Fix the NULL pointer deref by checking that ctlr-&gt;dma_tx and<br /> ctlr-&gt;dma_rx are valid pointers before accessing them.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: gpio-xilinx: Fix integer overflow<br /> <br /> Current implementation is not able to configure more than 32 pins<br /> due to incorrect data type. So type casting with unsigned long<br /> to avoid it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix data-races around sysctl_tcp_max_reordering.<br /> <br /> While reading sysctl_tcp_max_reordering, it can be changed<br /> concurrently. Thus, we need to add READ_ONCE() to its readers.