Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix a possible null pointer dereference<br /> <br /> In function lpfc_xcvr_data_show, the memory allocation with kmalloc might<br /> fail, thereby making rdp_context a null pointer. In the following context<br /> and functions that use this pointer, there are dereferencing operations,<br /> leading to null pointer dereference.<br /> <br /> To fix this issue, a null pointer check should be added. If it is null,<br /> use scnprintf to notify the user and return len.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoc: PCM6240: Return directly after a failed devm_kzalloc() in pcmdevice_i2c_probe()<br /> <br /> The value “-ENOMEM” was assigned to the local variable “ret”<br /> in one if branch after a devm_kzalloc() call failed at the beginning.<br /> This error code will trigger then a pcmdevice_remove() call with a passed<br /> null pointer so that an undesirable dereference will be performed.<br /> Thus return the appropriate error code directly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: endpoint: pci-epf-test: Make use of cached &amp;#39;epc_features&amp;#39; in pci_epf_test_core_init()<br /> <br /> Instead of getting the epc_features from pci_epc_get_features() API, use<br /> the cached pci_epf_test::epc_features value to avoid the NULL check. Since<br /> the NULL check is already performed in pci_epf_test_bind(), having one more<br /> check in pci_epf_test_core_init() is redundant and it is not possible to<br /> hit the NULL pointer dereference.<br /> <br /> Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier"<br /> flag"), &amp;#39;epc_features&amp;#39; got dereferenced without the NULL check, leading to<br /> the following false positive Smatch warning:<br /> <br /> drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed &amp;#39;epc_features&amp;#39; could be null (see line 747)<br /> <br /> Thus, remove the redundant NULL check and also use the epc_features::<br /> {msix_capable/msi_capable} flags directly to avoid local variables.<br /> <br /> [kwilczynski: commit log]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: Fix the sorting functionality in iio_gts_build_avail_time_table<br /> <br /> The sorting in iio_gts_build_avail_time_table is not working as intended.<br /> It could result in an out-of-bounds access when the time is zero.<br /> <br /> Here are more details:<br /> <br /> 1. When the gts-&gt;itime_table[i].time_us is zero, e.g., the time<br /> sequence is `3, 0, 1`, the inner for-loop will not terminate and do<br /> out-of-bound writes. This is because once `times[j] &gt; new`, the value<br /> `new` will be added in the current position and the `times[j]` will be<br /> moved to `j+1` position, which makes the if-condition always hold.<br /> Meanwhile, idx will be added one, making the loop keep running without<br /> termination and out-of-bound write.<br /> 2. If none of the gts-&gt;itime_table[i].time_us is zero, the elements<br /> will just be copied without being sorted as described in the comment<br /> "Sort times from all tables to one and remove duplicates".<br /> <br /> For more details, please refer to<br /> https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Add null check before access structs<br /> <br /> In enable_phantom_plane, we should better check null pointer before<br /> accessing various structs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Handle invalid decoder vsi<br /> <br /> Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi<br /> is valid for future use.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: missing check virtio<br /> <br /> Two missing check in virtio_net_hdr_to_skb() allowed syzbot<br /> to crash kernels again<br /> <br /> 1. After the skb_segment function the buffer may become non-linear<br /> (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere<br /> the __skb_linearize function will not be executed, then the buffer will<br /> remain non-linear. Then the condition (offset &gt;= skb_headlen(skb))<br /> becomes true, which causes WARN_ON_ONCE in skb_checksum_help.<br /> <br /> 2. The struct sk_buff and struct virtio_net_hdr members must be<br /> mathematically related.<br /> (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.<br /> (remainder) must be greater than (needed) otherwise WARN_ON_ONCE.<br /> (remainder) may be 0 if division is without remainder.<br /> <br /> offset+2 (4191) &gt; skb_headlen() (1116)<br /> WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303<br /> Modules linked in:<br /> CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0<br /> Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023<br /> RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303<br /> Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef<br /> RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286<br /> RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209<br /> RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001<br /> RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c<br /> R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d<br /> FS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777<br /> ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584<br /> ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]<br /> __ip_finish_output net/ipv4/ip_output.c:308 [inline]<br /> __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295<br /> ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323<br /> NF_HOOK_COND include/linux/netfilter.h:303 [inline]<br /> ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433<br /> dst_output include/net/dst.h:451 [inline]<br /> ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129<br /> iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82<br /> ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]<br /> sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076<br /> __netdev_start_xmit include/linux/netdevice.h:4940 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4954 [inline]<br /> xmit_one net/core/dev.c:3545 [inline]<br /> dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561<br /> __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346<br /> dev_queue_xmit include/linux/netdevice.h:3134 [inline]<br /> packet_xmit+0x257/0x380 net/packet/af_packet.c:276<br /> packet_snd net/packet/af_packet.c:3087 [inline]<br /> packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0xd5/0x180 net/socket.c:745<br /> __sys_sendto+0x255/0x340 net/socket.c:2190<br /> __do_sys_sendto net/socket.c:2202 [inline]<br /> __se_sys_sendto net/socket.c:2198 [inline]<br /> __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: amd: Adjust error handling in case of absent codec device<br /> <br /> acpi_get_first_physical_node() can return NULL in several cases (no such<br /> device, ACPI table error, reference count drop to 0, etc).<br /> Existing check just emit error message, but doesn&amp;#39;t perform return.<br /> Then this NULL pointer is passed to devm_acpi_dev_add_driver_gpios()<br /> where it is dereferenced.<br /> <br /> Adjust this error handling by adding error code return.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()<br /> <br /> If IORESOURCE_MEM is not provided in Device Tree due to<br /> any error, resource_list_first_type() will return NULL and<br /> pci_parse_request_of_pci_ranges() will just emit a warning.<br /> <br /> This will cause a NULL pointer dereference. Fix this bug by adding NULL<br /> return check.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix infinite loop when replaying fast_commit<br /> <br /> When doing fast_commit replay an infinite loop may occur due to an<br /> uninitialized extent_status struct. ext4_ext_determine_insert_hole() does<br /> not detect the replay and calls ext4_es_find_extent_range(), which will<br /> return immediately without initializing the &amp;#39;es&amp;#39; variable.<br /> <br /> Because &amp;#39;es&amp;#39; contains garbage, an integer overflow may happen causing an<br /> infinite loop in this function, easily reproducible using fstest generic/039.<br /> <br /> This commit fixes this issue by unconditionally initializing the structure<br /> in function ext4_es_find_extent_range().<br /> <br /> Thanks to Zhang Yi, for figuring out the real problem!

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/qxl: Add check for drm_cvt_mode<br /> <br /> Add check for the return value of drm_cvt_mode() and return the error if<br /> it fails in order to avoid NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> leds: trigger: Unregister sysfs attributes before calling deactivate()<br /> <br /> Triggers which have trigger specific sysfs attributes typically store<br /> related data in trigger-data allocated by the activate() callback and<br /> freed by the deactivate() callback.<br /> <br /> Calling device_remove_groups() after calling deactivate() leaves a window<br /> where the sysfs attributes show/store functions could be called after<br /> deactivation and then operate on the just freed trigger-data.<br /> <br /> Move the device_remove_groups() call to before deactivate() to close<br /> this race window.<br /> <br /> This also makes the deactivation path properly do things in reverse order<br /> of the activation path which calls the activate() callback before calling<br /> device_add_groups().