Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we make available to interested users a database with information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database), under a collaboration agreement by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to facilitate the exchange of information between different databases and tools. Each of the listed vulnerabilities links to various sources of information, as well as to available patches or solutions provided by vendors and developers. Advanced searches are possible, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow the results.

Through an RSS subscription or the bulletins, we can be informed daily of the latest vulnerabilities added to the repository.

CVE-2022-50536

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data

In tcp_bpf_send_verdict() redirection, the eval variable is assigned to
__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,
sock_put() will be called multiple times.

We should reset the eval variable to __SK_NONE every time more_data
starts.

This causes:

IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110
Modules linked in:
CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1
Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
  __tcp_transmit_skb+0xa1b/0xb90
  ? __alloc_skb+0x8c/0x1a0
  ? __kmalloc_node_track_caller+0x184/0x320
  tcp_write_xmit+0x22a/0x1110
  __tcp_push_pending_frames+0x32/0xf0
  do_tcp_sendpages+0x62d/0x640
  tcp_bpf_push+0xae/0x2c0
  tcp_bpf_sendmsg_redir+0x260/0x410
  ? preempt_count_add+0x70/0xa0
  tcp_bpf_send_verdict+0x386/0x4b0
  tcp_bpf_sendmsg+0x21b/0x3b0
  sock_sendmsg+0x58/0x70
  __sys_sendto+0xfa/0x170
  ? xfd_validate_state+0x1d/0x80
  ? switch_fpu_return+0x59/0xe0
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x37/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
CVSS v3.1 severity: HIGH
Last modified:
04/02/2026

CVE-2022-50537

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()

In rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will
not be freed through rpi_firmware_delete(), fix this leak by calling
kfree() in the error path.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50534

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

dm thin: Use last transaction's pmd->root when commit failed

Recently we found a softlock up problem in dm thin pool btree lookup
code due to corrupted metadata:

Kernel panic - not syncing: softlockup: hung tasks
CPU: 7 PID: 2669225 Comm: kworker/u16:3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: dm-thin do_worker [dm_thin_pool]
Call Trace:
  dump_stack+0x9c/0xd3
  panic+0x35d/0x6b9
  watchdog_timer_fn.cold+0x16/0x25
  __run_hrtimer+0xa2/0x2d0

  RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
  __bufio_new+0x11f/0x4f0 [dm_bufio]
  new_read+0xa3/0x1e0 [dm_bufio]
  dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
  ro_step+0x63/0x100 [dm_persistent_data]
  btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
  dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
  dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
  __process_bio_read_only+0xc5/0x400 [dm_thin_pool]
  process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
  process_one_work+0x3c5/0x730

Following process may generate a broken btree mixed with fresh and
stale btree nodes, which could get dm thin trapped in an infinite loop
while looking up data block:
  Transaction 1: pmd->root = A, A->B->C // One path in btree
                 pmd->root = X, X->Y->Z // Copy-up
  Transaction 2: X,Z is updated on disk, Y write failed.
                 // Commit failed, dm thin becomes read-only.
                 process_bio_read_only
                  dm_thin_find_block
                   __find_block
                    dm_btree_lookup(pmd->root)
The pmd->root points to a broken btree, Y may contain stale node
pointing to any block, for example X, which gets dm thin trapped into
a dead loop while looking up Z.

Fix this by setting pmd->root in __open_metadata(), so that dm thin
will use the last transaction's pmd->root if commit failed.

Fetch a reproducer in [Link].

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216790
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026

CVE-2022-50533

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: mlme: fix null-ptr deref on failed assoc

If association to an AP without a link 0 fails, then we crash in
tracing because it assumes that either ap_mld_addr or link 0 BSS
is valid, since we clear sdata->vif.valid_links and then don't
add the ap_mld_addr to the struct.

Since we clear also sdata->vif.cfg.ap_addr, keep a local copy of
it and assign it earlier, before clearing valid_links, to fix
this.
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026

CVE-2022-50532

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()

In mpt3sas_transport_port_add(), if sas_rphy_add() returns error,
sas_rphy_free() needs to be called to free the resource allocated in
sas_end_device_alloc(). Otherwise a kernel crash will happen:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
  device_del+0x54/0x3d0
  attribute_container_class_device_del+0x28/0x38
  transport_remove_classdev+0x6c/0x80
  attribute_container_device_trigger+0x108/0x110
  transport_remove_device+0x28/0x38
  sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
  sas_port_delete+0x30/0x148 [scsi_transport_sas]
  do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
  device_for_each_child+0x68/0xb0
  sas_remove_children+0x30/0x50 [scsi_transport_sas]
  sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
  sas_port_delete+0x30/0x148 [scsi_transport_sas]
  do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
  device_for_each_child+0x68/0xb0
  sas_remove_children+0x30/0x50 [scsi_transport_sas]
  sas_remove_host+0x20/0x38 [scsi_transport_sas]
  scsih_remove+0xd8/0x420 [mpt3sas]

Because transport_add_device() is not called when sas_rphy_add() fails, the
device is not added. When sas_rphy_remove() is subsequently called to
remove the device in the remove() path, a NULL pointer dereference happens.
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026

CVE-2022-50531

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

tipc: fix an information leak in tipc_topsrv_kern_subscr

Use an 8-byte write to initialize sub.usr_handle in
tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized
when issuing setsockopt(..., SOL_TIPC, ...).
This resulted in an infoleak reported by KMSAN when the packet was
received:

=====================================================
BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
  instrument_copy_to_user ./include/linux/instrumented.h:121
  copyout+0xbc/0x100 lib/iov_iter.c:169
  _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
  copy_to_iter ./include/linux/uio.h:176
  simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
  __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
  skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
  skb_copy_datagram_msg ./include/linux/skbuff.h:3903
  packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
  ____sys_recvmsg+0x2c4/0x810 net/socket.c:?
  ___sys_recvmsg+0x217/0x840 net/socket.c:2743
  __sys_recvmsg net/socket.c:2773
  __do_sys_recvmsg net/socket.c:2783
  __se_sys_recvmsg net/socket.c:2780
  __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
  do_syscall_x64 arch/x86/entry/common.c:50
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120

...

Uninit was stored to memory at:
  tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
  tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
  tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
  tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
  tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
  tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
  __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
  __do_sys_setsockopt net/socket.c:2263
  __se_sys_setsockopt net/socket.c:2260
  __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
  do_syscall_x64 arch/x86/entry/common.c:50
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120

Local variable sub created at:
  tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
  tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190

Bytes 84-87 of 88 are uninitialized
Memory access of size 88 starts at ffff88801ed57cd0
Data copied to user address 0000000020000400
...
=====================================================
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026

CVE-2022-50530

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()

Our syzkaller report a null pointer dereference, root cause is
following:

__blk_mq_alloc_map_and_rqs
 set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs
  blk_mq_alloc_map_and_rqs
   blk_mq_alloc_rqs
    // failed due to oom
    alloc_pages_node
    // set->tags[hctx_idx] is still NULL
    blk_mq_free_rqs
     drv_tags = set->tags[hctx_idx];
     // null pointer dereference is triggered
     blk_mq_clear_rq_mapping(drv_tags, ...)

This is because commit 63064be150e4 ("blk-mq:
Add blk_mq_alloc_map_and_rqs()") merged the two steps:

1) set->tags[hctx_idx] = blk_mq_alloc_rq_map()
2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])

into one step:

set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()

Since tags is not initialized yet in this case, fix the problem by
checking if tags is NULL pointer in blk_mq_clear_rq_mapping().
CVSS v3.1 severity: MEDIUM
Last modified:
05/02/2026

CVE-2022-50535

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix potential null-deref in dm_resume

[Why]
Fixing smatch error:
dm_resume() error: we previously assumed 'aconnector->dc_link' could be null

[How]
Check if dc_link is null at the beginning of the loop,
so further checks can be dropped.
CVSS v3.1 severity: MEDIUM
Last modified:
06/02/2026

CVE-2022-50528

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix memory leakage

This patch fixes potential memory leakage and seg fault
in _gpuvm_import_dmabuf() function
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50527

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix size validation for non-exclusive domains (v4)

Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the
requested memory exists, else we get a kernel oops when dereferencing "man".

v2: Make the patch standalone, i.e. not dependent on local patches.
v3: Preserve old behaviour and just check that the manager pointer is not
NULL.
v4: Complain if GTT domain requested and it is uninitialized--most likely a
bug.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026

CVE-2022-50526

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: fix memory corruption with too many bridges

Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.

Patchwork: https://patchwork.freedesktop.org/patch/502664/
CVSS v3.1 severity: HIGH
Last modified:
04/02/2026

CVE-2022-50525

Publication date:
07/10/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()

The fsl_pamu_probe() returns directly when create_csd() failed, leaving
irq and memories unreleased.
Fix by jumping to error if create_csd() returns error.
CVSS v3.1 severity: MEDIUM
Last modified:
04/02/2026