Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Fix handling of lrbp-&gt;cmd<br /> <br /> ufshcd_queuecommand() may be called two times in a row for a SCSI command<br /> before it is completed. Hence make the following changes:<br /> <br /> - In the functions that submit a command, do not check the old value of<br /> lrbp-&gt;cmd nor clear lrbp-&gt;cmd in error paths.<br /> <br /> - In ufshcd_release_scsi_cmd(), do not clear lrbp-&gt;cmd.<br /> <br /> See also scsi_send_eh_cmnd().<br /> <br /> This commit prevents that the following appears if a command times out:<br /> <br /> WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8<br /> Call trace:<br /> ufshcd_queuecommand+0x6f8/0x9a8<br /> scsi_send_eh_cmnd+0x2c0/0x960<br /> scsi_eh_test_devices+0x100/0x314<br /> scsi_eh_ready_devs+0xd90/0x114c<br /> scsi_error_handler+0x2b4/0xb70<br /> kthread+0x16c/0x1e0

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()<br /> <br /> The vsp1 driver uses the vb2_is_streaming() function in its .buf_queue()<br /> handler to check if the .start_streaming() operation has been called,<br /> and decide whether to just add the buffer to an internal queue, or also<br /> trigger a hardware run. vb2_is_streaming() relies on the vb2_queue<br /> structure&amp;#39;s streaming field, which used to be set only after calling the<br /> .start_streaming() operation.<br /> <br /> Commit a10b21532574 ("media: vb2: add (un)prepare_streaming queue ops")<br /> changed this, setting the .streaming field in vb2_core_streamon() before<br /> enqueuing buffers to the driver and calling .start_streaming(). This<br /> broke the vsp1 driver which now believes that .start_streaming() has<br /> been called when it hasn&amp;#39;t, leading to a crash:<br /> <br /> [ 881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020<br /> [ 881.067495] Mem abort info:<br /> [ 881.070290] ESR = 0x0000000096000006<br /> [ 881.074042] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 881.079358] SET = 0, FnV = 0<br /> [ 881.082414] EA = 0, S1PTW = 0<br /> [ 881.085558] FSC = 0x06: level 2 translation fault<br /> [ 881.090439] Data abort info:<br /> [ 881.093320] ISV = 0, ISS = 0x00000006<br /> [ 881.097157] CM = 0, WnR = 0<br /> [ 881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000<br /> [ 881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000<br /> [ 881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP<br /> [ 881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem<br /> [ 881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G B 6.2.0-rc1-00023-g6c94e2e99343 #556<br /> [ 881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)<br /> [ 881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 881.152951] pc : vsp1_dl_list_add_body+0xa8/0xe0<br /> [ 881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0<br /> [ 881.162206] sp : ffff80000c267710<br /> [ 881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98<br /> [ 881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8<br /> [ 881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020<br /> [ 881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000<br /> [ 881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> [ 881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d<br /> [ 881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000<br /> [ 881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001<br /> [ 881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020<br /> [ 881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000<br /> [ 881.237092] Call trace:<br /> [ 881.239542] vsp1_dl_list_add_body+0xa8/0xe0<br /> [ 881.243822] vsp1_video_pipeline_run+0x270/0x2a0<br /> [ 881.248449] vsp1_video_buffer_queue+0x1c0/0x1d0<br /> [ 881.253076] __enqueue_in_driver+0xbc/0x260<br /> [ 881.257269] vb2_start_streaming+0x48/0x200<br /> [ 881.261461] vb2_core_streamon+0x13c/0x280<br /> [ 881.265565] vb2_streamon+0x3c/0x90<br /> [ 881.269064] vsp1_video_streamon+0x2fc/0x3e0<br /> [ 881.273344] v4l_streamon+0x50/0x70<br /> [ 881.276844] __video_do_ioctl+0x2bc/0x5d0<br /> [ 881.280861] video_usercopy+0x2a8/0xc80<br /> [ 881.284704] video_ioctl2+0x20/0x40<br /> [ 881.288201] v4l2_ioctl+0xa4/0xc0<br /> [ 881.291525] __arm64_sys_ioctl+0xe8/0x110<br /> [ 881.295543] invoke_syscall+0x68/0x190<br /> [ 881.299303] el0_svc_common.constprop.0+0x88/0x170<br /> [ 881.304105] do_el0_svc+0x4c/0xf0<br /> [ 881.307430] el0_svc+0x4c/0xa0<br /> [ 881.310494] el0t_64_sync_handler+0xbc/0x140<br /> [ 881.314773] el0t_64_sync+0x190/0x194<br /> [ 881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60)<br /> [ 881.324551] ---[ end trace 0000000000000000 ]---<br /> [ 881.329173] note: yavta[1271] exited with preempt_count 1<br /> <br /> A different r<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix potential null dereference<br /> <br /> The adev-&gt;dm.dc pointer can be NULL and dereferenced in amdgpu_dm_fini()<br /> without checking.<br /> <br /> Add a NULL pointer check before calling dc_dmub_srv_destroy().<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio_net: Fix error unwinding of XDP initialization<br /> <br /> When initializing XDP in virtnet_open(), some rq xdp initialization<br /> may hit an error causing net device open failed. However, previous<br /> rqs have already initialized XDP and enabled NAPI, which is not the<br /> expected behavior. Need to roll back the previous rq initialization<br /> to avoid leaks in error unwinding of init code.<br /> <br /> Also extract helper functions of disable and enable queue pairs.<br /> Use newly introduced disable helper function in error unwinding and<br /> virtnet_close. Use enable helper function in virtnet_open.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind<br /> <br /> When unbinding pasid - a race condition exists vs outstanding page faults.<br /> <br /> To prevent this, the pasid_state object contains a refcount.<br /> * set to 1 on pasid bind<br /> * incremented on each ppr notification start<br /> * decremented on each ppr notification done<br /> * decremented on pasid unbind<br /> <br /> Since refcount_dec assumes that refcount will never reach 0:<br /> the current implementation causes the following to be invoked on<br /> pasid unbind:<br /> REFCOUNT_WARN("decrement hit 0; leaking memory")<br /> <br /> Fix this issue by changing refcount_dec to refcount_dec_and_test<br /> to explicitly handle refcount=1.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: fix slab-use-after-free in decode_session6<br /> <br /> When the xfrm device is set to the qdisc of the sfb type, the cb field<br /> of the sent skb may be modified during enqueuing. Then,<br /> slab-use-after-free may occur when the xfrm device sends IPv6 packets.<br /> <br /> The stack information is as follows:<br /> BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890<br /> Read of size 1 at addr ffff8881111458ef by task swapper/3/0<br /> CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xd9/0x150<br /> print_address_description.constprop.0+0x2c/0x3c0<br /> kasan_report+0x11d/0x130<br /> decode_session6+0x103f/0x1890<br /> __xfrm_decode_session+0x54/0xb0<br /> xfrmi_xmit+0x173/0x1ca0<br /> dev_hard_start_xmit+0x187/0x700<br /> sch_direct_xmit+0x1a3/0xc30<br /> __qdisc_run+0x510/0x17a0<br /> __dev_queue_xmit+0x2215/0x3b10<br /> neigh_connected_output+0x3c2/0x550<br /> ip6_finish_output2+0x55a/0x1550<br /> ip6_finish_output+0x6b9/0x1270<br /> ip6_output+0x1f1/0x540<br /> ndisc_send_skb+0xa63/0x1890<br /> ndisc_send_rs+0x132/0x6f0<br /> addrconf_rs_timer+0x3f1/0x870<br /> call_timer_fn+0x1a0/0x580<br /> expire_timers+0x29b/0x4b0<br /> run_timer_softirq+0x326/0x910<br /> __do_softirq+0x1d4/0x905<br /> irq_exit_rcu+0xb7/0x120<br /> sysvec_apic_timer_interrupt+0x97/0xc0<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt+0x1a/0x20<br /> RIP: 0010:intel_idle_hlt+0x23/0x30<br /> Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4<br /> RSP: 0018:ffffc90000197d78 EFLAGS: 00000246<br /> RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5<br /> RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50<br /> RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d<br /> R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001<br /> R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000<br /> cpuidle_enter_state+0xd3/0x6f0<br /> cpuidle_enter+0x4e/0xa0<br /> do_idle+0x2fe/0x3c0<br /> cpu_startup_entry+0x18/0x20<br /> start_secondary+0x200/0x290<br /> secondary_startup_64_no_verify+0x167/0x16b<br /> <br /> Allocated by task 939:<br /> kasan_save_stack+0x22/0x40<br /> kasan_set_track+0x25/0x30<br /> __kasan_slab_alloc+0x7f/0x90<br /> kmem_cache_alloc_node+0x1cd/0x410<br /> kmalloc_reserve+0x165/0x270<br /> __alloc_skb+0x129/0x330<br /> inet6_ifa_notify+0x118/0x230<br /> __ipv6_ifa_notify+0x177/0xbe0<br /> addrconf_dad_completed+0x133/0xe00<br /> addrconf_dad_work+0x764/0x1390<br /> process_one_work+0xa32/0x16f0<br /> worker_thread+0x67d/0x10c0<br /> kthread+0x344/0x440<br /> ret_from_fork+0x1f/0x30<br /> The buggy address belongs to the object at ffff888111145800<br /> which belongs to the cache skbuff_small_head of size 640<br /> The buggy address is located 239 bytes inside of<br /> freed 640-byte region [ffff888111145800, ffff888111145a80)<br /> <br /> As commit f855691975bb ("xfrm6: Fix the nexthdr offset in<br /> _decode_session6.") showed, xfrm_decode_session was originally intended<br /> only for the receive path. IP6CB(skb)-&gt;nhoff is not set during<br /> transmission. Therefore, set the cb field in the skb to 0 before<br /> sending packets.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: allow ext4_get_group_info() to fail<br /> <br /> Previously, ext4_get_group_info() would treat an invalid group number<br /> as BUG(), since in theory it should never happen. However, if a<br /> malicious attaker (or fuzzer) modifies the superblock via the block<br /> device while it is the file system is mounted, it is possible for<br /> s_first_data_block to get set to a very large number. In that case,<br /> when calculating the block group of some block number (such as the<br /> starting block of a preallocation region), could result in an<br /> underflow and very large block group number. Then the BUG_ON check in<br /> ext4_get_group_info() would fire, resutling in a denial of service<br /> attack that can be triggered by root or someone with write access to<br /> the block device.<br /> <br /> For a quality of implementation perspective, it&amp;#39;s best that even if<br /> the system administrator does something that they shouldn&amp;#39;t, that it<br /> will not trigger a BUG. So instead of BUG&amp;#39;ing, ext4_get_group_info()<br /> will call ext4_error and return NULL. We also add fallback code in<br /> all of the callers of ext4_get_group_info() that it might NULL.<br /> <br /> Also, since ext4_get_group_info() was already borderline to be an<br /> inline function, un-inline it. The results in a next reduction of the<br /> compiled text size of ext4 by roughly 2k.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix disconnect vs accept race<br /> <br /> Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in<br /> recvmsg()"), the mptcp protocol is still prone to a race between<br /> disconnect() (or shutdown) and accept.<br /> <br /> The root cause is that the mentioned commit checks the msk-level<br /> flag, but mptcp_stream_accept() does acquire the msk-level lock,<br /> as it can rely directly on the first subflow lock.<br /> <br /> As reported by Christoph than can lead to a race where an msk<br /> socket is accepted after that mptcp_subflow_queue_clean() releases<br /> the listener socket lock and just before it takes destructive<br /> actions leading to the following splat:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000012<br /> PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014<br /> RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330<br /> Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89<br /> RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300<br /> RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a<br /> RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020<br /> R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880<br /> FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> do_accept+0x1ae/0x260 net/socket.c:1872<br /> __sys_accept4+0x9b/0x110 net/socket.c:1913<br /> __do_sys_accept4 net/socket.c:1954 [inline]<br /> __se_sys_accept4 net/socket.c:1951 [inline]<br /> __x64_sys_accept4+0x20/0x30 net/socket.c:1951<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> <br /> Address the issue by temporary removing the pending request socket<br /> from the accept queue, so that racing accept() can&amp;#39;t touch them.<br /> <br /> After depleting the msk - the ssk still exists, as plain TCP sockets,<br /> re-insert them into the accept queue, so that later inet_csk_listen_stop()<br /> will complete the tcp socket disposal.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: do not ignore genmask when looking up chain by id<br /> <br /> When adding a rule to a chain referring to its ID, if that chain had been<br /> deleted on the same batch, the rule might end up referring to a deleted<br /> chain.<br /> <br /> This will lead to a WARNING like following:<br /> <br /> [ 33.098431] ------------[ cut here ]------------<br /> [ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.099217] Modules linked in:<br /> [ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409<br /> [ 33.099726] Workqueue: events nf_tables_trans_destroy_work<br /> [ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7<br /> [ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202<br /> [ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000<br /> [ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000<br /> [ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500<br /> [ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10<br /> [ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000<br /> [ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0<br /> [ 33.104872] PKRU: 55555554<br /> [ 33.104999] Call Trace:<br /> [ 33.105113] <br /> [ 33.105214] ? show_regs+0x72/0x90<br /> [ 33.105371] ? __warn+0xa5/0x210<br /> [ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.105732] ? report_bug+0x1f2/0x200<br /> [ 33.105902] ? handle_bug+0x46/0x90<br /> [ 33.106546] ? exc_invalid_op+0x19/0x50<br /> [ 33.106762] ? asm_exc_invalid_op+0x1b/0x20<br /> [ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.107249] ? nf_tables_chain_destroy+0x30/0x260<br /> [ 33.107506] nf_tables_trans_destroy_work+0x669/0x680<br /> [ 33.107782] ? mark_held_locks+0x28/0xa0<br /> [ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10<br /> [ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70<br /> [ 33.108538] process_one_work+0x68c/0xb70<br /> [ 33.108755] ? lock_acquire+0x17f/0x420<br /> [ 33.108977] ? __pfx_process_one_work+0x10/0x10<br /> [ 33.109218] ? do_raw_spin_lock+0x128/0x1d0<br /> [ 33.109435] ? _raw_spin_lock_irq+0x71/0x80<br /> [ 33.109634] worker_thread+0x2bd/0x700<br /> [ 33.109817] ? __pfx_worker_thread+0x10/0x10<br /> [ 33.110254] kthread+0x18b/0x1d0<br /> [ 33.110410] ? __pfx_kthread+0x10/0x10<br /> [ 33.110581] ret_from_fork+0x29/0x50<br /> [ 33.110757] <br /> [ 33.110866] irq event stamp: 1651<br /> [ 33.111017] hardirqs last enabled at (1659): [] __up_console_sem+0x79/0xa0<br /> [ 33.111379] hardirqs last disabled at (1666): [] __up_console_sem+0x5e/0xa0<br /> [ 33.111740] softirqs last enabled at (1616): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112094] softirqs last disabled at (1367): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112453] ---[ end trace 0000000000000000 ]---<br /> <br /> This is due to the nft_chain_lookup_byid ignoring the genmask. After this<br /> change, adding the new rule will fail as it will not find the chain.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/qaic: tighten bounds checking in decode_message()<br /> <br /> Copy the bounds checking from encode_message() to decode_message().<br /> <br /> This patch addresses the following concerns. Ensure that there is<br /> enough space for at least one header so that we don&amp;#39;t have a negative<br /> size later.<br /> <br /> if (msg_hdr_len data.<br /> <br /> if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))<br /> return -EINVAL;<br /> <br /> Check that the trans_hdr-&gt;len is not below the minimum size:<br /> <br /> if (hdr_len data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));<br /> <br /> And finally, use size_add() to prevent an integer overflow:<br /> <br /> if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: xts - Handle EBUSY correctly<br /> <br /> As it is xts only handles the special return value of EINPROGRESS,<br /> which means that in all other cases it will free data related to the<br /> request.<br /> <br /> However, as the caller of xts may specify MAY_BACKLOG, we also need<br /> to expect EBUSY and treat it in the same way. Otherwise backlogged<br /> requests will trigger a use-after-free.