Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-48769

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

efi: runtime: avoid EFIv2 runtime services on Apple x86 machines

Aditya reports [0] that his recent MacbookPro crashes in the firmware
when using the variable services at runtime. The culprit appears to be a
call to QueryVariableInfo(), which we did not use to call on Apple x86
machines in the past as they only upgraded from EFI v1.10 to EFI v2.40
firmware fairly recently, and QueryVariableInfo() (along with
UpdateCapsule() et al) was added in EFI v2.00.

The only runtime service introduced in EFI v2.00 that we actually use in
Linux is QueryVariableInfo(), as the capsule based ones are optional,
generally not used at runtime (all the LVFS/fwupd firmware update
infrastructure uses helper EFI programs that invoke capsule update at
boot time, not runtime), and not implemented by Apple machines in the
first place. QueryVariableInfo() is used to 'safely' set variables,
i.e., only when there is enough space. This prevents machines with buggy
firmwares from corrupting their NVRAMs when they run out of space.

Given that Apple machines have been using EFI v1.10 services only for
the longest time (the EFI v2.0 spec was released in 2006, and Linux
support for the newly introduced runtime services was added in 2011, but
the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only),
let's avoid the EFI v2.0 ones on all Apple x86 machines.

[0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/

Severity CVSS v4.0: Pending analysis
Last modification: 29/09/2025

CVE-2022-48770

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack()

task_pt_regs() can return NULL on powerpc for kernel threads. This is
then used in __bpf_get_stack() to check for user mode, resulting in a
kernel oops. Guard against this by checking return value of
task_pt_regs() before trying to obtain the call chain.

Severity CVSS v4.0: Pending analysis
Last modification: 06/01/2025

CVE-2022-48748

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: vlan: fix memory leak in __allowed_ingress

When using per-vlan state, if vlan snooping and stats are disabled,
untagged or priority-tagged ingress frame will go to check pvid state.
If the port state is forwarding and the pvid state is not
learning/forwarding, untagged or priority-tagged frame will be dropped
but skb memory is not freed.
Should free skb when __allowed_ingress returns false.

Severity CVSS v4.0: Pending analysis
Last modification: 24/03/2025

CVE-2022-48749

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc

The function performs a check on the "ctx" input parameter, however, it
is used before the check.

Initialize the "base" variable after the sanity check to avoid a
possible NULL pointer dereference.

Addresses-Coverity-ID: 1493866 ("Null pointer dereference")

Severity CVSS v4.0: Pending analysis
Last modification: 18/09/2024

CVE-2022-48750

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (nct6775) Fix crash in clear_caseopen

Paweł Marciniak reports the following crash, observed when clearing
the chassis intrusion alarm.

BUG: kernel NULL pointer dereference, address: 0000000000000028
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 4815 Comm: bash Tainted: G S 5.16.2-200.fc35.x86_64 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018
RIP: 0010:clear_caseopen+0x5a/0x120 [nct6775]
Code: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 ...
RSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a
R10: 000000000000000a R11: f000000000000000 R12: 000000000000001f
R13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0
FS: 00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0
Call Trace:
kernfs_fop_write_iter+0x11c/0x1b0
new_sync_write+0x10b/0x180
vfs_write+0x209/0x2a0
ksys_write+0x4f/0xc0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae

The problem is that the device passed to clear_caseopen() is the hwmon
device, not the platform device, and the platform data is not set in the
hwmon device. Store the pointer to sio_data in struct nct6775_data and
get it from there if needed.

Severity CVSS v4.0: Pending analysis
Last modification: 04/11/2024

CVE-2022-48751

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

net/smc: Transitional solution for clcsock race issue

We encountered a crash in smc_setsockopt() and it is caused by
accessing smc->clcsock after clcsock was released.

BUG: kernel NULL pointer dereference, address: 0000000000000020
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53
RIP: 0010:smc_setsockopt+0x59/0x280 [smc]
Call Trace:
__sys_setsockopt+0xfc/0x190
__x64_sys_setsockopt+0x20/0x30
do_syscall_64+0x34/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f16ba83918e

This patch tries to fix it by holding clcsock_release_lock and
checking whether clcsock has already been released before access.

In case that a crash of the same reason happens in smc_getsockopt()
or smc_switch_to_fallback(), this patch also checks smc->clcsock
in them too. And the caller of smc_switch_to_fallback() will identify
whether fallback succeeds according to the return value.

Severity CVSS v4.0: Pending analysis
Last modification: 06/01/2025

CVE-2022-48752

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending

Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel
triggered below warning:

[ 172.851380] ------------[ cut here ]------------
[ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280
[ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse
[ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2
[ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180
[ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598)
[ 172.851465] MSR: 8000000000029033 CR: 48004884 XER: 20040000
[ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1
[ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004
[ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000
[ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68
[ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000
[ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0
[ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003
[ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600
[ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8
[ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280
[ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280
[ 172.851565] Call Trace:
[ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable)
[ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60
[ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660
[ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0
[ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140
[ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40
[ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380
[ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268

The warning indicates that MSR_EE being set (interrupt enabled) when
there was an overflown PMC detected. This could happen in
power_pmu_disable since it runs under interrupt soft disable
condition ( local_irq_save ) and not with interrupts hard disabled.
commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear
pending PMI before resetting an overflown PMC") intended to clear
PMI pending bit in Paca when disabling the PMU. It could happen
that PMC gets overflown while code is in power_pmu_disable
callback function. Hence add a check to see if PMI pending bit
is set in Paca before clearing it via clear_pmi_pending.

Severity CVSS v4.0: Pending analysis
Last modification: 29/09/2025

CVE-2022-48753

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

block: fix memory leak in disk_register_independent_access_ranges

kobject_init_and_add() takes reference even when it fails.
According to the doc of kobject_init_and_add()

If this function returns an error, kobject_put() must be called to
properly clean up the memory associated with the object.

Fix this issue by adding kobject_put().
Callback function blk_ia_ranges_sysfs_release() in kobject_put()
can handle the pointer "iars" properly.

Severity CVSS v4.0: Pending analysis
Last modification: 30/10/2024

CVE-2022-48754

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

phylib: fix potential use-after-free

Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call
to phy_device_reset(phydev) after the put_device() call in phy_detach().

The comment before the put_device() call says that the phydev might go
away with put_device().

Fix potential use-after-free by calling phy_device_reset() before
put_device().

Severity CVSS v4.0: Pending analysis
Last modification: 24/03/2025

CVE-2022-48755

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06

Johan reported the below crash with test_bpf on ppc64 e5500:

test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1
Oops: Exception in kernel mode, sig: 4 [#1]
BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500
Modules linked in: test_bpf(+)
CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1
NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18
REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty)
MSR: 0000000080089000 CR: 88002822 XER: 20000000 IRQMASK: 0

NIP [8000000000061c3c] 0x8000000000061c3c
LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf]
Call Trace:
.__run_one+0x60/0x17c [test_bpf] (unreliable)
.test_bpf_init+0x6a8/0xdc8 [test_bpf]
.do_one_initcall+0x6c/0x28c
.do_init_module+0x68/0x28c
.load_module+0x2460/0x2abc
.__do_sys_init_module+0x120/0x18c
.system_call_exception+0x110/0x1b8
system_call_common+0xf0/0x210
--- interrupt: c00 at 0x101d0acc

---[ end trace 47b2bf19090bb3d0 ]---

Illegal instruction

The illegal instruction turned out to be 'ldbrx' emitted for
BPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of
the same and implement an alternative approach for older processors.

Severity CVSS v4.0: Pending analysis
Last modification: 06/01/2025

CVE-2022-48756

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable

The function performs a check on the "phy" input parameter, however, it
is used before the check.

Initialize the "dev" variable after the sanity check to avoid a possible
NULL pointer dereference.

Addresses-Coverity-ID: 1493860 ("Null pointer dereference")

Severity CVSS v4.0: Pending analysis
Last modification: 18/09/2024

CVE-2022-48757

Publication date: 20/06/2024

In the Linux kernel, the following vulnerability has been resolved:

net: fix information leakage in /proc/net/ptype

In one net namespace, after creating a packet socket without binding
it to a device, users in other net namespaces can observe the new
`packet_type` added by this packet socket by reading `/proc/net/ptype`
file. This is minor information leakage as packet socket is
namespace aware.

Add a net pointer in `packet_type` to keep the net namespace of
corresponding packet socket. In `ptype_seq_show`, this net pointer
must be checked when it is not NULL.

Severity CVSS v4.0: Pending analysis
Last modification: 17/09/2025