Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe<br /> <br /> of_irq_find_parent() returns a node pointer with refcount incremented,<br /> We should use of_node_put() on it when not needed anymore.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: atmel-quadspi: Free resources even if runtime resume failed in .remove()<br /> <br /> An early error exit in atmel_qspi_remove() doesn&amp;#39;t prevent the device<br /> unbind. So this results in an spi controller with an unbound parent<br /> and unmapped register space (because devm_ioremap_resource() is undone).<br /> So using the remaining spi controller probably results in an oops.<br /> <br /> Instead unregister the controller unconditionally and only skip hardware<br /> access and clk disable.<br /> <br /> Also add a warning about resume failing and return zero unconditionally.<br /> The latter has the only effect to suppress a less helpful error message by<br /> the spi core.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: hidraw: fix data race on device refcount<br /> <br /> The hidraw_open() function increments the hidraw device reference<br /> counter. The counter has no dedicated synchronization mechanism,<br /> resulting in a potential data race when concurrently opening a device.<br /> <br /> The race is a regression introduced by commit 8590222e4b02 ("HID:<br /> hidraw: Replace hidraw device table mutex with a rwsem"). While<br /> minors_rwsem is intended to protect the hidraw_table itself, by instead<br /> acquiring the lock for writing, the reference counter is also protected.<br /> This is symmetrical to hidraw_release().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: mcq: Fix &amp;hwq-&gt;cq_lock deadlock issue<br /> <br /> When ufshcd_err_handler() is executed, CQ event interrupt can enter waiting<br /> for the same lock. This can happen in ufshcd_handle_mcq_cq_events() and<br /> also in ufs_mtk_mcq_intr(). The following warning message will be generated<br /> when &amp;hwq-&gt;cq_lock is used in IRQ context with IRQ enabled. Use<br /> ufshcd_mcq_poll_cqe_lock() with spin_lock_irqsave instead of spin_lock to<br /> resolve the deadlock issue.<br /> <br /> [name:lockdep&amp;]WARNING: inconsistent lock state<br /> [name:lockdep&amp;]--------------------------------<br /> [name:lockdep&amp;]inconsistent {IN-HARDIRQ-W} -&gt; {HARDIRQ-ON-W} usage.<br /> [name:lockdep&amp;]kworker/u16:4/260 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> ffffff8028444600 (&amp;hwq-&gt;cq_lock){?.-.}-{2:2}, at:<br /> ufshcd_mcq_poll_cqe_lock+0x30/0xe0<br /> [name:lockdep&amp;]{IN-HARDIRQ-W} state was registered at:<br /> lock_acquire+0x17c/0x33c<br /> _raw_spin_lock+0x5c/0x7c<br /> ufshcd_mcq_poll_cqe_lock+0x30/0xe0<br /> ufs_mtk_mcq_intr+0x60/0x1bc [ufs_mediatek_mod]<br /> __handle_irq_event_percpu+0x140/0x3ec<br /> handle_irq_event+0x50/0xd8<br /> handle_fasteoi_irq+0x148/0x2b0<br /> generic_handle_domain_irq+0x4c/0x6c<br /> gic_handle_irq+0x58/0x134<br /> call_on_irq_stack+0x40/0x74<br /> do_interrupt_handler+0x84/0xe4<br /> el1_interrupt+0x3c/0x78<br /> <br /> <br /> Possible unsafe locking scenario:<br /> CPU0<br /> ----<br /> lock(&amp;hwq-&gt;cq_lock);<br /> <br /> lock(&amp;hwq-&gt;cq_lock);<br /> *** DEADLOCK ***<br /> 2 locks held by kworker/u16:4/260:<br /> <br /> [name:lockdep&amp;]<br /> stack backtrace:<br /> CPU: 7 PID: 260 Comm: kworker/u16:4 Tainted: G S W OE<br /> 6.1.17-mainline-android14-2-g277223301adb #1<br /> Workqueue: ufs_eh_wq_0 ufshcd_err_handler<br /> <br /> Call trace:<br /> dump_backtrace+0x10c/0x160<br /> show_stack+0x20/0x30<br /> dump_stack_lvl+0x98/0xd8<br /> dump_stack+0x20/0x60<br /> print_usage_bug+0x584/0x76c<br /> mark_lock_irq+0x488/0x510<br /> mark_lock+0x1ec/0x25c<br /> __lock_acquire+0x4d8/0xffc<br /> lock_acquire+0x17c/0x33c<br /> _raw_spin_lock+0x5c/0x7c<br /> ufshcd_mcq_poll_cqe_lock+0x30/0xe0<br /> ufshcd_poll+0x68/0x1b0<br /> ufshcd_transfer_req_compl+0x9c/0xc8<br /> ufshcd_err_handler+0x3bc/0xea0<br /> process_one_work+0x2f4/0x7e8<br /> worker_thread+0x234/0x450<br /> kthread+0x110/0x134<br /> ret_from_fork+0x10/0x20

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: usbtmc: Fix direction for 0-length ioctl control messages<br /> <br /> The syzbot fuzzer found a problem in the usbtmc driver: When a user<br /> submits an ioctl for a 0-length control transfer, the driver does not<br /> check that the direction is set to OUT:<br /> <br /> ------------[ cut here ]------------<br /> usb 3-1: BOGUS control dir, pipe 80000b80 doesn&amp;#39;t match bRequestType fd<br /> WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411<br /> Modules linked in:<br /> CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023<br /> RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411<br /> Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41<br /> RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000<br /> RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001<br /> RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528<br /> R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100<br /> FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58<br /> usb_internal_control_msg drivers/usb/core/message.c:102 [inline]<br /> usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153<br /> usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]<br /> usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097<br /> <br /> To fix this, we must override the direction in the bRequestType field<br /> of the control request structure when the length is 0.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF<br /> <br /> After a call to console_unlock() in vcs_write() the vc_data struct can be<br /> freed by vc_port_destruct(). Because of that, the struct vc_data pointer<br /> must be reloaded in the while loop in vcs_write() after console_lock() to<br /> avoid a UAF when vcs_size() is called.<br /> <br /> Syzkaller reported a UAF in vcs_size().<br /> <br /> BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)<br /> Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119<br /> <br /> Call Trace:<br /> <br /> __asan_report_load4_noabort (mm/kasan/report_generic.c:380)<br /> vcs_size (drivers/tty/vt/vc_screen.c:215)<br /> vcs_write (drivers/tty/vt/vc_screen.c:664)<br /> vfs_write (fs/read_write.c:582 fs/read_write.c:564)<br /> ...<br /> <br /> <br /> Allocated by task 1213:<br /> kmalloc_trace (mm/slab_common.c:1064)<br /> vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680<br /> drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)<br /> con_install (drivers/tty/vt/vt.c:3334)<br /> tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415<br /> drivers/tty/tty_io.c:1392)<br /> tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)<br /> chrdev_open (fs/char_dev.c:415)<br /> do_dentry_open (fs/open.c:921)<br /> vfs_open (fs/open.c:1052)<br /> ...<br /> <br /> Freed by task 4116:<br /> kfree (mm/slab_common.c:1016)<br /> vc_port_destruct (drivers/tty/vt/vt.c:1044)<br /> tty_port_destructor (drivers/tty/tty_port.c:296)<br /> tty_port_put (drivers/tty/tty_port.c:312)<br /> vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))<br /> vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)<br /> tty_ioctl (drivers/tty/tty_io.c:2778)<br /> ...<br /> <br /> The buggy address belongs to the object at ffff8880beab8800<br /> which belongs to the cache kmalloc-1k of size 1024<br /> The buggy address is located 424 bytes inside of<br /> freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)<br /> <br /> The buggy address belongs to the physical page:<br /> page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000<br /> index:0x0 pfn:0xbeab8<br /> head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0<br /> pincount:0<br /> flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)<br /> page_type: 0xffffffff()<br /> raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002<br /> raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt;ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================<br /> Disabling lock debugging due to kernel taint

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup<br /> <br /> variable *nplanes is provided by user via system call argument. The<br /> possible value of q_data-&gt;fmt-&gt;num_planes is 1-3, while the value<br /> of *nplanes can be 1-8. The array access by index i can cause array<br /> out-of-bounds.<br /> <br /> Fix this bug by checking *nplanes against the array size.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: freescale: Fix a memory out of bounds when num_configs is 1<br /> <br /> The config passed in by pad wakeup is 1, when num_configs is 1,<br /> Configuration [1] should not be fetched, which will be detected<br /> by KASAN as a memory out of bounds condition. Modify to get<br /> configs[1] when num_configs is 2.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname<br /> <br /> TCP_Server_Info::hostname may be updated once or many times during<br /> reconnect, so protect its access outside reconnect path as well and<br /> then prevent any potential use-after-free bugs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: deal with integer overflows in kmalloc_reserve()<br /> <br /> Blamed commit changed:<br /> ptr = kmalloc(size);<br /> if (ptr)<br /> size = ksize(ptr);<br /> <br /> size = kmalloc_size_roundup(size);<br /> ptr = kmalloc(size);<br /> <br /> This allowed various crash as reported by syzbot [1]<br /> and Kyle Zeng.<br /> <br /> Problem is that if @size is bigger than 0x80000001,<br /> kmalloc_size_roundup(size) returns 2^32.<br /> <br /> kmalloc_reserve() uses a 32bit variable (obj_size),<br /> so 2^32 is truncated to 0.<br /> <br /> kmalloc(0) returns ZERO_SIZE_PTR which is not handled by<br /> skb allocations.<br /> <br /> Following trace can be triggered if a netdev-&gt;mtu is set<br /> close to 0x7fffffff<br /> <br /> We might in the future limit netdev-&gt;mtu to more sensible<br /> limit (like KMALLOC_MAX_SIZE).<br /> <br /> This patch is based on a syzbot report, and also a report<br /> and tentative fix from Kyle Zeng.<br /> <br /> [1]<br /> BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]<br /> BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527<br /> Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554<br /> <br /> CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023<br /> Call trace:<br /> dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279<br /> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106<br /> print_report+0xe4/0x4b4 mm/kasan/report.c:398<br /> kasan_report+0x150/0x1ac mm/kasan/report.c:495<br /> kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189<br /> memset+0x40/0x70 mm/kasan/shadow.c:44<br /> __build_skb_around net/core/skbuff.c:294 [inline]<br /> __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527<br /> alloc_skb include/linux/skbuff.h:1316 [inline]<br /> igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359<br /> add_grec+0x81c/0x1124 net/ipv4/igmp.c:534<br /> igmpv3_send_cr net/ipv4/igmp.c:667 [inline]<br /> igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810<br /> call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474<br /> expire_timers kernel/time/timer.c:1519 [inline]<br /> __run_timers+0x54c/0x710 kernel/time/timer.c:1790<br /> run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803<br /> _stext+0x380/0xfbc<br /> ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79<br /> call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891<br /> do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84<br /> invoke_softirq kernel/softirq.c:437 [inline]<br /> __irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683<br /> irq_exit_rcu+0x14/0x78 kernel/softirq.c:695<br /> el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717<br /> __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724<br /> el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729<br /> el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: fix mapping to non-allocated address<br /> <br /> [Why]<br /> There is an issue mapping non-allocated location of memory.<br /> It would allocate gpio registers from an array out of bounds.<br /> <br /> [How]<br /> Patch correct numbers of bounds for using.