Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix use-after-free of timer for log writer thread<br /> <br /> Patch series "nilfs2: fix log writer related issues".<br /> <br /> This bug fix series covers three nilfs2 log writer-related issues,<br /> including a timer use-after-free issue and potential deadlock issue on<br /> unmount, and a potential freeze issue in event synchronization found<br /> during their analysis. Details are described in each commit log.<br /> <br /> <br /> This patch (of 3):<br /> <br /> A use-after-free issue has been reported regarding the timer sc_timer on<br /> the nilfs_sc_info structure.<br /> <br /> The problem is that even though it is used to wake up a sleeping log<br /> writer thread, sc_timer is not shut down until the nilfs_sc_info structure<br /> is about to be freed, and is used regardless of the thread&amp;#39;s lifetime.<br /> <br /> Fix this issue by limiting the use of sc_timer only while the log writer<br /> thread is alive.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> speakup: Fix sizeof() vs ARRAY_SIZE() bug<br /> <br /> The "buf" pointer is an array of u16 values. This code should be<br /> using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),<br /> otherwise it can the still got out of bounds.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ftrace: Fix possible use-after-free issue in ftrace_location()<br /> <br /> KASAN reports a bug:<br /> <br /> BUG: KASAN: use-after-free in ftrace_location+0x90/0x120<br /> Read of size 8 at addr ffff888141d40010 by task insmod/424<br /> CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+<br /> [...]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x68/0xa0<br /> print_report+0xcf/0x610<br /> kasan_report+0xb5/0xe0<br /> ftrace_location+0x90/0x120<br /> register_kprobe+0x14b/0xa40<br /> kprobe_init+0x2d/0xff0 [kprobe_example]<br /> do_one_initcall+0x8f/0x2d0<br /> do_init_module+0x13a/0x3c0<br /> load_module+0x3082/0x33d0<br /> init_module_from_file+0xd2/0x130<br /> __x64_sys_finit_module+0x306/0x440<br /> do_syscall_64+0x68/0x140<br /> entry_SYSCALL_64_after_hwframe+0x71/0x79<br /> <br /> The root cause is that, in lookup_rec(), ftrace record of some address<br /> is being searched in ftrace pages of some module, but those ftrace pages<br /> at the same time is being freed in ftrace_release_mod() as the<br /> corresponding module is being deleted:<br /> <br /> CPU1 | CPU2<br /> register_kprobes() { | delete_module() {<br /> check_kprobe_address_safe() { |<br /> arch_check_ftrace_location() { |<br /> ftrace_location() { |<br /> lookup_rec() // USE! | ftrace_release_mod() // Free!<br /> <br /> To fix this issue:<br /> 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();<br /> 2. Use ftrace_location_range() instead of lookup_rec() in<br /> ftrace_location();<br /> 3. Call synchronize_rcu() before freeing any ftrace pages both in<br /> ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libbpf: Prevent null-pointer dereference when prog to load has no BTF<br /> <br /> In bpf_objec_load_prog(), there&amp;#39;s no guarantee that obj-&gt;btf is non-NULL<br /> when passing it to btf__fd(), and this function does not perform any<br /> check before dereferencing its argument (as bpf_object__btf_fd() used to<br /> do). As a consequence, we get segmentation fault errors in bpftool (for<br /> example) when trying to load programs that come without BTF information.<br /> <br /> v2: Keep btf__fd() in the fix instead of reverting to bpf_object__btf_fd().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: pcie: handle randbuf allocation failure<br /> <br /> The kzalloc() in brcmf_pcie_download_fw_nvram() will return null<br /> if the physical memory has run out. As a result, if we use<br /> get_random_bytes() to generate random bytes in the randbuf, the<br /> null pointer dereference bug will happen.<br /> <br /> In order to prevent allocation failure, this patch adds a separate<br /> function using buffer on kernel stack to generate random bytes in<br /> the randbuf, which could prevent the kernel stack from overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rcu: Fix buffer overflow in print_cpu_stall_info()<br /> <br /> The rcuc-starvation output from print_cpu_stall_info() might overflow the<br /> buffer if there is a huge difference in jiffies difference. The situation<br /> might seem improbable, but computers sometimes get very confused about<br /> time, which can result in full-sized integers, and, in this case,<br /> buffer overflow.<br /> <br /> Also, the unsigned jiffies difference is printed using %ld, which is<br /> normally for signed integers. This is intentional for debugging purposes,<br /> but it is not obvious from the code.<br /> <br /> This commit therefore changes sprintf() to snprintf() and adds a<br /> clarifying comment about intention of %ld format.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group<br /> <br /> The perf tool allows users to create event groups through following<br /> cmd [1], but the driver does not check whether the array index is out of<br /> bounds when writing data to the event_group array. If the number of events<br /> in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write<br /> overflow of event_group array occurs.<br /> <br /> Add array index check to fix the possible array out of bounds violation,<br /> and return directly when write new events are written to array bounds.<br /> <br /> There are 9 different events in an event_group.<br /> [1] perf stat -e &amp;#39;{pmu/event1/, ... ,pmu/event9/}&amp;#39;

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: Fix potential glock use-after-free on unmount<br /> <br /> When a DLM lockspace is released and there ares still locks in that<br /> lockspace, DLM will unlock those locks automatically. Commit<br /> fb6791d100d1b started exploiting this behavior to speed up filesystem<br /> unmount: gfs2 would simply free glocks it didn&amp;#39;t want to unlock and then<br /> release the lockspace. This didn&amp;#39;t take the bast callbacks for<br /> asynchronous lock contention notifications into account, which remain<br /> active until until a lock is unlocked or its lockspace is released.<br /> <br /> To prevent those callbacks from accessing deallocated objects, put the<br /> glocks that should not be unlocked on the sd_dead_glocks list, release<br /> the lockspace, and only then free those glocks.<br /> <br /> As an additional measure, ignore unexpected ast and bast callbacks if<br /> the receiving glock is dead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/drivers/tsens: Fix null pointer dereference<br /> <br /> compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)<br /> as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null<br /> pointer dereference (if DEBUG or DYNAMIC_DEBUG set).<br /> Fix this bug by adding null pointer check.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()<br /> <br /> Currently, there is no terminator entry for ath12k_qmi_msg_handlers hence<br /> facing below KASAN warning,<br /> <br /> ==================================================================<br /> BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148<br /> Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273<br /> <br /> CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0<br /> Workqueue: qmi_msg_handler qmi_data_ready_work<br /> Call trace:<br /> dump_backtrace+0x0/0x20c<br /> show_stack+0x14/0x1c<br /> dump_stack+0xe0/0x138<br /> print_address_description.isra.5+0x30/0x330<br /> __kasan_report+0x16c/0x1bc<br /> kasan_report+0xc/0x14<br /> __asan_load8+0xa8/0xb0<br /> qmi_invoke_handler+0xa4/0x148<br /> qmi_handle_message+0x18c/0x1bc<br /> qmi_data_ready_work+0x4ec/0x528<br /> process_one_work+0x2c0/0x440<br /> worker_thread+0x324/0x4b8<br /> kthread+0x210/0x228<br /> ret_from_fork+0x10/0x18<br /> <br /> The address belongs to the variable:<br /> ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k]<br /> [...]<br /> ==================================================================<br /> <br /> Add a dummy terminator entry at the end to assist the qmi_invoke_handler()<br /> in traversing up to the terminator entry without accessing an<br /> out-of-boundary index.<br /> <br /> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cppc_cpufreq: Fix possible null pointer dereference<br /> <br /> cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from<br /> different places with various parameters. So cpufreq_cpu_get() can return<br /> null as &amp;#39;policy&amp;#39; in some circumstances.<br /> Fix this bug by adding null return check.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow<br /> <br /> There is a possibility of buffer overflow in<br /> show_rcu_tasks_trace_gp_kthread() if counters, passed<br /> to sprintf() are huge. Counter numbers, needed for this<br /> are unrealistically high, but buffer overflow is still<br /> possible.<br /> <br /> Use snprintf() with buffer size instead of sprintf().<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.