Vulnerabilities

In SAEMM_DiscloseGuti of SAEMM_RadioMessageCodec.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

In gpu_slc_liveness_update of pixel_gpu_slc.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

In pktproc_perftest_gen_rx_packet_sktbuf_mode of link_rx_pktproc.c, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

In acpm_tmu_ipc_handler of tmu_plugin.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

In tmu_tz_control of tmu.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In tmu_reset_tmu_trip_counter of , there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In tmu_set_gov_active of tmu.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

OOB read in the TMU plugin that allows for memory disclosure in the power management subsystem of the device.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: fix a memory corruption<br /> <br /> iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that<br /> if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in<br /> bytes, we&amp;#39;ll write past the buffer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xsk: fix usage of multi-buffer BPF helpers for ZC XDP<br /> <br /> Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory<br /> type is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:<br /> <br /> [1136314.192256] BUG: kernel NULL pointer dereference, address:<br /> 0000000000000034<br /> [1136314.203943] #PF: supervisor read access in kernel mode<br /> [1136314.213768] #PF: error_code(0x0000) - not-present page<br /> [1136314.223550] PGD 0 P4D 0<br /> [1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257<br /> [1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT,<br /> BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019<br /> [1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210<br /> [1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86<br /> [1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246<br /> [1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX:<br /> 0000000000000000<br /> [1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI:<br /> ffffc9003168c000<br /> [1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09:<br /> 0000000000010000<br /> [1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12:<br /> 0000000000000001<br /> [1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15:<br /> 0000000000000001<br /> [1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000)<br /> knlGS:0000000000000000<br /> [1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4:<br /> 00000000007706f0<br /> [1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2:<br /> 0000000000000000<br /> [1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:<br /> 0000000000000400<br /> [1136314.431890] PKRU: 55555554<br /> [1136314.439143] Call Trace:<br /> [1136314.446058] <br /> [1136314.452465] ? __die+0x20/0x70<br /> [1136314.459881] ? page_fault_oops+0x15b/0x440<br /> [1136314.468305] ? exc_page_fault+0x6a/0x150<br /> [1136314.476491] ? asm_exc_page_fault+0x22/0x30<br /> [1136314.484927] ? __xdp_return+0x6c/0x210<br /> [1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0<br /> [1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60<br /> [1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]<br /> [1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice]<br /> [1136314.528506] ice_napi_poll+0x467/0x670 [ice]<br /> [1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0<br /> [1136314.546010] __napi_poll+0x29/0x1b0<br /> [1136314.553462] net_rx_action+0x133/0x270<br /> [1136314.561619] __do_softirq+0xbe/0x28e<br /> [1136314.569303] do_softirq+0x3f/0x60<br /> <br /> This comes from __xdp_return() call with xdp_buff argument passed as<br /> NULL which is supposed to be consumed by xsk_buff_free() call.<br /> <br /> To address this properly, in ZC case, a node that represents the frag<br /> being removed has to be pulled out of xskb_list. Introduce<br /> appropriate xsk helpers to do such node operation and use them<br /> accordingly within bpf_xdp_adjust_tail().