Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"<br /> <br /> This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.<br /> <br /> This patch introduces a possible null-ptr-def problem. Revert it. And the<br /> fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth:<br /> btsdio: fix use after free bug in btsdio_remove due to race condition").

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: fix out-of-bounds access in tty_driver_lookup_tty()<br /> <br /> When specifying an invalid console= device like console=tty3270,<br /> tty_driver_lookup_tty() returns the tty struct without checking<br /> whether index is a valid number.<br /> <br /> To reproduce:<br /> <br /> qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \<br /> -kernel ../linux-build-x86/arch/x86/boot/bzImage \<br /> -append "console=ttyS0 console=tty3270"<br /> <br /> This crashes with:<br /> <br /> [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef<br /> [ 0.771265] #PF: supervisor read access in kernel mode<br /> [ 0.771773] #PF: error_code(0x0000) - not-present page<br /> [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI<br /> [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0<br /> [ 0.784013] chrdev_open+0xbd/0x230<br /> [ 0.784444] ? cdev_device_add+0x80/0x80<br /> [ 0.784920] do_dentry_open+0x1e0/0x410<br /> [ 0.785389] path_openat+0xca9/0x1050<br /> [ 0.785813] do_filp_open+0xaa/0x150<br /> [ 0.786240] file_open_name+0x133/0x1b0<br /> [ 0.786746] filp_open+0x27/0x50<br /> [ 0.787244] console_on_rootfs+0x14/0x4d<br /> [ 0.787800] kernel_init_freeable+0x1e4/0x20d<br /> [ 0.788383] ? rest_init+0xc0/0xc0<br /> [ 0.788881] kernel_init+0x11/0x120<br /> [ 0.789356] ret_from_fork+0x22/0x30

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()<br /> <br /> Fix the below kernel panic due to null pointer access:<br /> [ 18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048<br /> [ 18.513464] Mem abort info:<br /> [ 18.516346] ESR = 0x0000000096000005<br /> [ 18.520204] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 18.525706] SET = 0, FnV = 0<br /> [ 18.528878] EA = 0, S1PTW = 0<br /> [ 18.532117] FSC = 0x05: level 1 translation fault<br /> [ 18.537138] Data abort info:<br /> [ 18.540110] ISV = 0, ISS = 0x00000005<br /> [ 18.544060] CM = 0, WnR = 0<br /> [ 18.547109] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112826000<br /> [ 18.553738] [0000000000000048] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000<br /> [ 18.562690] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP<br /> **Snip**<br /> [ 18.696758] Call trace:<br /> [ 18.699278] adreno_gpu_cleanup+0x30/0x88<br /> [ 18.703396] a6xx_destroy+0xc0/0x130<br /> [ 18.707066] a6xx_gpu_init+0x308/0x424<br /> [ 18.710921] adreno_bind+0x178/0x288<br /> [ 18.714590] component_bind_all+0xe0/0x214<br /> [ 18.718797] msm_drm_bind+0x1d4/0x614<br /> [ 18.722566] try_to_bring_up_aggregate_device+0x16c/0x1b8<br /> [ 18.728105] __component_add+0xa0/0x158<br /> [ 18.732048] component_add+0x20/0x2c<br /> [ 18.735719] adreno_probe+0x40/0xc0<br /> [ 18.739300] platform_probe+0xb4/0xd4<br /> [ 18.743068] really_probe+0xfc/0x284<br /> [ 18.746738] __driver_probe_device+0xc0/0xec<br /> [ 18.751129] driver_probe_device+0x48/0x110<br /> [ 18.755421] __device_attach_driver+0xa8/0xd0<br /> [ 18.759900] bus_for_each_drv+0x90/0xdc<br /> [ 18.763843] __device_attach+0xfc/0x174<br /> [ 18.767786] device_initial_probe+0x20/0x2c<br /> [ 18.772090] bus_probe_device+0x40/0xa0<br /> [ 18.776032] deferred_probe_work_func+0x94/0xd0<br /> [ 18.780686] process_one_work+0x190/0x3d0<br /> [ 18.784805] worker_thread+0x280/0x3d4<br /> [ 18.788659] kthread+0x104/0x1c0<br /> [ 18.791981] ret_from_fork+0x10/0x20<br /> [ 18.795654] Code: f9400408 aa0003f3 aa1f03f4 91142015 (f9402516)<br /> [ 18.801913] ---[ end trace 0000000000000000 ]---<br /> [ 18.809039] Kernel panic - not syncing: Oops: Fatal exception<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/515605/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix issue in verifying allow_ptr_leaks<br /> <br /> After we converted the capabilities of our networking-bpf program from<br /> cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program<br /> failed to start. Because it failed the bpf verifier, and the error log<br /> is "R3 pointer comparison prohibited".<br /> <br /> A simple reproducer as follows,<br /> <br /> SEC("cls-ingress")<br /> int ingress(struct __sk_buff *skb)<br /> {<br /> struct iphdr *iph = (void *)(long)skb-&gt;data + sizeof(struct ethhdr);<br /> <br /> if ((long)(iph + 1) &gt; (long)skb-&gt;data_end)<br /> return TC_ACT_STOLEN;<br /> return TC_ACT_OK;<br /> }<br /> <br /> Per discussion with Yonghong and Alexei [1], comparison of two packet<br /> pointers is not a pointer leak. This patch fixes it.<br /> <br /> Our local kernel is 6.1.y and we expect this fix to be backported to<br /> 6.1.y, so stable is CCed.<br /> <br /> [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to check readonly condition correctly<br /> <br /> With below case, it can mount multi-device image w/ rw option, however<br /> one of secondary device is set as ro, later update will cause panic, so<br /> let&amp;#39;s introduce f2fs_dev_is_readonly(), and check multi-devices rw status<br /> in f2fs_remount() w/ it in order to avoid such inconsistent mount status.<br /> <br /> mkfs.f2fs -c /dev/zram1 /dev/zram0 -f<br /> blockdev --setro /dev/zram1<br /> mount -t f2fs dev/zram0 /mnt/f2fs<br /> mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only.<br /> mount -t f2fs -o remount,rw mnt/f2fs<br /> dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=8192<br /> <br /> kernel BUG at fs/f2fs/inline.c:258!<br /> RIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs]<br /> Call Trace:<br /> f2fs_write_single_data_page+0x26b/0x9f0 [f2fs]<br /> f2fs_write_cache_pages+0x389/0xa60 [f2fs]<br /> __f2fs_write_data_pages+0x26b/0x2d0 [f2fs]<br /> f2fs_write_data_pages+0x2e/0x40 [f2fs]<br /> do_writepages+0xd3/0x1b0<br /> __writeback_single_inode+0x5b/0x420<br /> writeback_sb_inodes+0x236/0x5a0<br /> __writeback_inodes_wb+0x56/0xf0<br /> wb_writeback+0x2a3/0x490<br /> wb_do_writeback+0x2b2/0x330<br /> wb_workfn+0x6a/0x260<br /> process_one_work+0x270/0x5e0<br /> worker_thread+0x52/0x3e0<br /> kthread+0xf4/0x120<br /> ret_from_fork+0x29/0x50

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()<br /> <br /> If fwnode_graph_get_remote_endpoint() fails, &amp;#39;fwnode&amp;#39; is known to be NULL,<br /> so fwnode_handle_put() is a no-op.<br /> <br /> Release the reference taken from a previous fwnode_graph_get_port_parent()<br /> call instead.<br /> <br /> Also handle fwnode_graph_get_port_parent() failures.<br /> <br /> In order to fix these issues, add an error handling path to the function<br /> and the needed gotos.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: target: iscsit: Free cmds before session free<br /> <br /> Commands from recovery entries are freed after session has been closed.<br /> That leads to use-after-free at command free or NPE with such call trace:<br /> <br /> Time2Retain timer expired for SID: 1, cleaning up iSCSI session.<br /> BUG: kernel NULL pointer dereference, address: 0000000000000140<br /> RIP: 0010:sbitmap_queue_clear+0x3a/0xa0<br /> Call Trace:<br /> target_release_cmd_kref+0xd1/0x1f0 [target_core_mod]<br /> transport_generic_free_cmd+0xd1/0x180 [target_core_mod]<br /> iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]<br /> iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]<br /> iscsit_close_session+0x13a/0x140 [iscsi_target_mod]<br /> iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]<br /> call_timer_fn+0x24/0x140<br /> <br /> Move cleanup of recovery enrties to before session freeing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: remove BUG_ON()&amp;#39;s in add_new_free_space()<br /> <br /> At add_new_free_space() we have these BUG_ON()&amp;#39;s that are there to deal<br /> with any failure to add free space to the in memory free space cache.<br /> Such failures are mostly -ENOMEM that should be very rare. However there&amp;#39;s<br /> no need to have these BUG_ON()&amp;#39;s, we can just return any error to the<br /> caller and all callers and their upper call chain are already dealing with<br /> errors.<br /> <br /> So just make add_new_free_space() return any errors, while removing the<br /> BUG_ON()&amp;#39;s, and returning the total amount of added free space to an<br /> optional u64 pointer argument.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: altmodes/displayport: fix pin_assignment_show<br /> <br /> This patch fixes negative indexing of buf array in pin_assignment_show<br /> when get_current_pin_assignments returns 0 i.e. no compatible pin<br /> assignments are found.<br /> <br /> BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c<br /> ...<br /> Call trace:<br /> dump_backtrace+0x110/0x204<br /> dump_stack_lvl+0x84/0xbc<br /> print_report+0x358/0x974<br /> kasan_report+0x9c/0xfc<br /> __do_kernel_fault+0xd4/0x2d4<br /> do_bad_area+0x48/0x168<br /> do_tag_check_fault+0x24/0x38<br /> do_mem_abort+0x6c/0x14c<br /> el1_abort+0x44/0x68<br /> el1h_64_sync_handler+0x64/0xa4<br /> el1h_64_sync+0x78/0x7c<br /> pin_assignment_show+0x26c/0x33c<br /> dev_attr_show+0x50/0xc0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix potential corruption when moving a directory<br /> <br /> F2FS has the same issue in ext4_rename causing crash revealed by<br /> xfstests/generic/707.<br /> <br /> See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory")

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: apple-admac: Fix &amp;#39;current_tx&amp;#39; not getting freed<br /> <br /> In terminate_all we should queue up all submitted descriptors to be<br /> freed. We do that for the content of the &amp;#39;issued&amp;#39; and &amp;#39;submitted&amp;#39; lists,<br /> but the &amp;#39;current_tx&amp;#39; descriptor falls through the cracks as it&amp;#39;s<br /> removed from the &amp;#39;issued&amp;#39; list once it gets assigned to be the current<br /> descriptor. Explicitly queue up freeing of the &amp;#39;current_tx&amp;#39; descriptor<br /> to address a memory leak that is otherwise present.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pstore/ram: Add check for kstrdup<br /> <br /> Add check for the return value of kstrdup() and return the error<br /> if it fails in order to avoid NULL pointer dereference.