Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> integrity: Fix memory leakage in keyring allocation error path<br /> <br /> Key restriction is allocated in integrity_init_keyring(). However, if<br /> keyring allocation failed, it is not freed, causing memory leaks.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sched: fix memory leak in tcindex_set_parms<br /> <br /> Syzkaller reports a memory leak as follows:<br /> ====================================<br /> BUG: memory leak<br /> unreferenced object 0xffff88810c287f00 (size 256):<br /> comm "syz-executor105", pid 3600, jiffies 4294943292 (age 12.990s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046<br /> [] kmalloc include/linux/slab.h:576 [inline]<br /> [] kmalloc_array include/linux/slab.h:627 [inline]<br /> [] kcalloc include/linux/slab.h:659 [inline]<br /> [] tcf_exts_init include/net/pkt_cls.h:250 [inline]<br /> [] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342<br /> [] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553<br /> [] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147<br /> [] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082<br /> [] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540<br /> [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]<br /> [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345<br /> [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921<br /> [] sock_sendmsg_nosec net/socket.c:714 [inline]<br /> [] sock_sendmsg+0x56/0x80 net/socket.c:734<br /> [] ____sys_sendmsg+0x178/0x410 net/socket.c:2482<br /> [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536<br /> [] __sys_sendmmsg+0x105/0x330 net/socket.c:2622<br /> [] __do_sys_sendmmsg net/socket.c:2651 [inline]<br /> [] __se_sys_sendmmsg net/socket.c:2648 [inline]<br /> [] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648<br /> [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> [] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> ====================================<br /> <br /> Kernel uses tcindex_change() to change an existing<br /> filter properties.<br /> <br /> Yet the problem is that, during the process of changing,<br /> if `old_r` is retrieved from `p-&gt;perfect`, then<br /> kernel uses tcindex_alloc_perfect_hash() to newly<br /> allocate filter results, uses tcindex_filter_result_init()<br /> to clear the old filter result, without destroying<br /> its tcf_exts structure, which triggers the above memory leak.<br /> <br /> To be more specific, there are only two source for the `old_r`,<br /> according to the tcindex_lookup(). `old_r` is retrieved from<br /> `p-&gt;perfect`, or `old_r` is retrieved from `p-&gt;h`.<br /> <br /> * If `old_r` is retrieved from `p-&gt;perfect`, kernel uses<br /> tcindex_alloc_perfect_hash() to newly allocate the<br /> filter results. Then `r` is assigned with `cp-&gt;perfect + handle`,<br /> which is newly allocated. So condition `old_r &amp;&amp; old_r != r` is<br /> true in this situation, and kernel uses tcindex_filter_result_init()<br /> to clear the old filter result, without destroying<br /> its tcf_exts structure<br /> <br /> * If `old_r` is retrieved from `p-&gt;h`, then `p-&gt;perfect` is NULL<br /> according to the tcindex_lookup(). Considering that `cp-&gt;h`<br /> is directly copied from `p-&gt;h` and `p-&gt;perfect` is NULL,<br /> `r` is assigned with `tcindex_lookup(cp, handle)`, whose value<br /> should be the same as `old_r`, so condition `old_r &amp;&amp; old_r != r`<br /> is false in this situation, kernel ignores using<br /> tcindex_filter_result_init() to clear the old filter result.<br /> <br /> So only when `old_r` is retrieved from `p-&gt;perfect` does kernel use<br /> tcindex_filter_result_init() to clear the old filter result, which<br /> triggers the above memory leak.<br /> <br /> Considering that there already exists a tc_filter_wq workqueue<br /> to destroy the old tcindex_d<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Can&amp;#39;t set dst buffer to done when lat decode error<br /> <br /> Core thread will call v4l2_m2m_buf_done to set dst buffer done for<br /> lat architecture. If lat call v4l2_m2m_buf_done_and_job_finish to<br /> free dst buffer when lat decode error, core thread will access kernel<br /> NULL pointer dereference, then crash.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: vme_user: Fix possible UAF in tsi148_dma_list_add<br /> <br /> Smatch report warning as follows:<br /> <br /> drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:<br /> &amp;#39;&amp;entry-&gt;list&amp;#39; not removed from list<br /> <br /> In tsi148_dma_list_add(), the error path "goto err_dma" will not<br /> remove entry-&gt;list from list-&gt;entries, but entry will be freed,<br /> then list traversal may cause UAF.<br /> <br /> Fix by removeing it from list-&gt;entries before free().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFS: Fix an Oops in nfs_d_automount()<br /> <br /> When mounting from a NFSv4 referral, path-&gt;dentry can end up being a<br /> negative dentry, so derive the struct nfs_server from the dentry<br /> itself instead.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix user-after-free<br /> <br /> This uses l2cap_chan_hold_unless_zero() after calling<br /> __l2cap_get_chan_blah() to prevent the following trace:<br /> <br /> Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref<br /> *kref)<br /> Bluetooth: chan 0000000023c4974d<br /> Bluetooth: parent 00000000ae861c08<br /> ==================================================================<br /> BUG: KASAN: use-after-free in __mutex_waiter_is_first<br /> kernel/locking/mutex.c:191 [inline]<br /> BUG: KASAN: use-after-free in __mutex_lock_common<br /> kernel/locking/mutex.c:671 [inline]<br /> BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400<br /> kernel/locking/mutex.c:729<br /> Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hinic: fix the issue of CMDQ memory leaks<br /> <br /> When hinic_set_cmdq_depth() fails in hinic_init_cmdqs(), the cmdq memory is<br /> not released correctly. Fix it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme: fix multipath crash caused by flush request when blktrace is enabled<br /> <br /> The flush request initialized by blk_kick_flush has NULL bio,<br /> and it may be dealt with nvme_end_req during io completion.<br /> When blktrace is enabled, nvme_trace_bio_complete with multipath<br /> activated trying to access NULL pointer bio from flush request<br /> results in the following crash:<br /> <br /> [ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a<br /> [ 2517.835213] #PF: supervisor read access in kernel mode<br /> [ 2517.838724] #PF: error_code(0x0000) - not-present page<br /> [ 2517.842222] PGD 7b2d51067 P4D 0<br /> [ 2517.845684] Oops: 0000 [#1] SMP NOPTI<br /> [ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S 5.15.67-0.cl9.x86_64 #1<br /> [ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022<br /> [ 2517.856358] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp]<br /> [ 2517.859993] RIP: 0010:blk_add_trace_bio_complete+0x6/0x30<br /> [ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba<br /> [ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286<br /> [ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000<br /> [ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000<br /> [ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000<br /> [ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8<br /> [ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018<br /> [ 2517.894434] FS: 0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000<br /> [ 2517.898299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0<br /> [ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 2517.913761] PKRU: 55555554<br /> [ 2517.917558] Call Trace:<br /> [ 2517.921294] <br /> [ 2517.924982] nvme_complete_rq+0x1c3/0x1e0 [nvme_core]<br /> [ 2517.928715] nvme_tcp_recv_pdu+0x4d7/0x540 [nvme_tcp]<br /> [ 2517.932442] nvme_tcp_recv_skb+0x4f/0x240 [nvme_tcp]<br /> [ 2517.936137] ? nvme_tcp_recv_pdu+0x540/0x540 [nvme_tcp]<br /> [ 2517.939830] tcp_read_sock+0x9c/0x260<br /> [ 2517.943486] nvme_tcp_try_recv+0x65/0xa0 [nvme_tcp]<br /> [ 2517.947173] nvme_tcp_io_work+0x64/0x90 [nvme_tcp]<br /> [ 2517.950834] process_one_work+0x1e8/0x390<br /> [ 2517.954473] worker_thread+0x53/0x3c0<br /> [ 2517.958069] ? process_one_work+0x390/0x390<br /> [ 2517.961655] kthread+0x10c/0x130<br /> [ 2517.965211] ? set_kthread_struct+0x40/0x40<br /> [ 2517.968760] ret_from_fork+0x1f/0x30<br /> [ 2517.972285] <br /> <br /> To avoid this situation, add a NULL check for req-&gt;bio before<br /> calling trace_block_bio_complete.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak<br /> <br /> In crb_acpi_add(), we get the TPM2 table to retrieve information<br /> like start method, and then assign them to the priv data, so the<br /> TPM2 table is not used after the init, should be freed, call<br /> acpi_put_table() to fix the memory leak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED<br /> <br /> Shifting signed 32-bit value by 31 bits is undefined, so changing<br /> significant bit to unsigned. The UBSAN warning calltrace like below:<br /> <br /> UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26<br /> left shift of 1 by 31 places cannot be represented in type &amp;#39;int&amp;#39;<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x7d/0xa5<br /> dump_stack+0x15/0x1b<br /> ubsan_epilogue+0xe/0x4e<br /> __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c<br /> ttm_bo_move_memcpy+0x3b4/0x460 [ttm]<br /> bo_driver_move+0x32/0x40 [drm_vram_helper]<br /> ttm_bo_handle_move_mem+0x118/0x200 [ttm]<br /> ttm_bo_validate+0xfa/0x220 [ttm]<br /> drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]<br /> drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]<br /> drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]<br /> drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]<br /> drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]<br /> drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]<br /> drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]<br /> drm_atomic_commit+0x9c/0x160 [drm]<br /> drm_client_modeset_commit_atomic+0x33a/0x380 [drm]<br /> drm_client_modeset_commit_locked+0x77/0x220 [drm]<br /> drm_client_modeset_commit+0x31/0x60 [drm]<br /> __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]<br /> drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]<br /> fbcon_init+0x316/0x790<br /> visual_init+0x113/0x1d0<br /> do_bind_con_driver+0x2a3/0x5c0<br /> do_take_over_console+0xa9/0x270<br /> do_fbcon_takeover+0xa1/0x170<br /> do_fb_registered+0x2a8/0x340<br /> fbcon_fb_registered+0x47/0xe0<br /> register_framebuffer+0x294/0x4a0<br /> __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]<br /> drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]<br /> drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]<br /> drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]<br /> bochs_pci_probe+0x6ca/0x772 [bochs]<br /> local_pci_probe+0x4d/0xb0<br /> pci_device_probe+0x119/0x320<br /> really_probe+0x181/0x550<br /> __driver_probe_device+0xc6/0x220<br /> driver_probe_device+0x32/0x100<br /> __driver_attach+0x195/0x200<br /> bus_for_each_dev+0xbb/0x120<br /> driver_attach+0x27/0x30<br /> bus_add_driver+0x22e/0x2f0<br /> driver_register+0xa9/0x190<br /> __pci_register_driver+0x90/0xa0<br /> bochs_pci_driver_init+0x52/0x1000 [bochs]<br /> do_one_initcall+0x76/0x430<br /> do_init_module+0x61/0x28a<br /> load_module+0x1f82/0x2e50<br /> __do_sys_finit_module+0xf8/0x190<br /> __x64_sys_finit_module+0x23/0x30<br /> do_syscall_64+0x58/0x80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown<br /> <br /> lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can<br /> still occur which in turn tries to access dma apis if lpuart_dma_tx_use<br /> flag is true. At this point since dma is torn down, these dma apis can<br /> abort. Set lpuart_dma_tx_use and the corresponding rx flag<br /> lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not<br /> accessed after they are relinquished.<br /> <br /> Otherwise, when try to kill btattach, kernel may panic. This patch may<br /> fix this issue.<br /> root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200<br /> ^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP<br /> [ 90.189806] Modules linked in: moal(O) mlan(O)<br /> [ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37<br /> [ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT)<br /> [ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60<br /> [ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c<br /> [ 90.225237] sp : ffff800013f0bac0<br /> [ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800<br /> [ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00<br /> [ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000<br /> [ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000<br /> [ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> [ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040<br /> [ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090<br /> [ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804<br /> [ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480<br /> [ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800<br /> [ 90.299876] Call trace:<br /> [ 90.302321] fsl_edma3_disable_request+0x8/0x60<br /> [ 90.306851] lpuart_flush_buffer+0x40/0x160<br /> [ 90.311037] uart_flush_buffer+0x88/0x120<br /> [ 90.315050] tty_driver_flush_buffer+0x20/0x30<br /> [ 90.319496] hci_uart_flush+0x44/0x90<br /> [ 90.323162] +0x34/0x12c<br /> [ 90.327253] tty_ldisc_close+0x38/0x70<br /> [ 90.331005] tty_ldisc_release+0xa8/0x190<br /> [ 90.335018] tty_release_struct+0x24/0x8c<br /> [ 90.339022] tty_release+0x3ec/0x4c0<br /> [ 90.342593] __fput+0x70/0x234<br /> [ 90.345652] ____fput+0x14/0x20<br /> [ 90.348790] task_work_run+0x84/0x17c<br /> [ 90.352455] do_exit+0x310/0x96c<br /> [ 90.355688] do_group_exit+0x3c/0xa0<br /> [ 90.359259] __arm64_sys_exit_group+0x1c/0x20<br /> [ 90.363609] invoke_syscall+0x48/0x114<br /> [ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc<br /> [ 90.372068] do_el0_svc+0x2c/0x94<br /> [ 90.375379] el0_svc+0x28/0x80<br /> [ 90.378438] el0t_64_sync_handler+0xa8/0x130<br /> [ 90.382711] el0t_64_sync+0x1a0/0x1a4<br /> [ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041)<br /> [ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]---<br /> [ 90.397073] note: btattach[503] exited with preempt_count 1<br /> [ 90.402636] Fixing recursive fault but reboot is needed!