Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we make available to interested users a database with information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database) under a collaboration agreement through which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to facilitate the exchange of information between different databases and tools. Each of the vulnerabilities listed links to various sources of information as well as to available patches or solutions provided by manufacturers and developers. Advanced searches can be performed, with the option of selecting different criteria such as the type of vulnerability, manufacturer and type of impact, among others, in order to narrow down the results.

Through an RSS subscription or newsletters, we can stay informed daily of the latest vulnerabilities added to the repository.

CVE-2022-50321

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()

The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb
in case of pskb_expand_head() fails, add dev_kfree_skb() to fix it.
Compile tested only.
CVSS v3.1 severity: MEDIUM
Last modified: 03/12/2025

CVE-2022-50324

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

mtd: maps: pxa2xx-flash: fix memory leak in probe

Free 'info' upon remapping error to avoid a memory leak.

[: Reword the commit log]
CVSS v3.1 severity: MEDIUM
Last modified: 03/12/2025

CVE-2022-50326

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

media: airspy: fix memory leak in airspy probe

The commit ca9dc8d06ab6 ("media: airspy: respect the DMA coherency
rules") moves variable buf from stack to heap, however, it only frees
buf in the error handling code, missing deallocation in the success
path.

Fix this by freeing buf in the success path since this variable does not
have any references in other code.
CVSS v3.1 severity: MEDIUM
Last modified: 03/12/2025

CVE-2022-50320

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address

On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table
which contains invalid physical addresses, with high bits set which fall
outside the range of the CPU-s supported physical address range.

Calling acpi_os_map_memory() on such an invalid phys address leads to
the below WARN_ON in ioremap triggering resulting in an oops/stacktrace.

Add code to verify the physical address before calling acpi_os_map_memory()
to fix / avoid the oops.

[ 1.226900] ioremap: invalid physical address 3001000000000000
[ 1.226949] ------------[ cut here ]------------
[ 1.226962] WARNING: CPU: 1 PID: 1 at arch/x86/mm/ioremap.c:200 __ioremap_caller.cold+0x43/0x5f
[ 1.226996] Modules linked in:
[ 1.227016] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc3+ #490
[ 1.227029] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013
[ 1.227038] RIP: 0010:__ioremap_caller.cold+0x43/0x5f
[ 1.227054] Code: 96 00 00 e9 f8 af 24 ff 89 c6 48 c7 c7 d8 0c 84 99 e8 6a 96 00 00 e9 76 af 24 ff 48 89 fe 48 c7 c7 a8 0c 84 99 e8 56 96 00 00 0b e9 60 af 24 ff 48 8b 34 24 48 c7 c7 40 0d 84 99 e8 3f 96 00
[ 1.227067] RSP: 0000:ffffb18c40033d60 EFLAGS: 00010286
[ 1.227084] RAX: 0000000000000032 RBX: 3001000000000000 RCX: 0000000000000000
[ 1.227095] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff
[ 1.227105] RBP: 3001000000000000 R08: 0000000000000000 R09: ffffb18c40033c18
[ 1.227115] R10: 0000000000000003 R11: ffffffff99d62fe8 R12: 0000000000000008
[ 1.227124] R13: 0003001000000000 R14: 0000000000001000 R15: 3001000000000000
[ 1.227135] FS: 0000000000000000(0000) GS:ffff913a3c080000(0000) knlGS:0000000000000000
[ 1.227146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.227156] CR2: 0000000000000000 CR3: 0000000018c26000 CR4: 00000000000006e0
[ 1.227167] Call Trace:
[ 1.227176]
[ 1.227185] ? acpi_os_map_iomem+0x1c9/0x1e0
[ 1.227215] ? kmem_cache_alloc_trace+0x187/0x370
[ 1.227254] acpi_os_map_iomem+0x1c9/0x1e0
[ 1.227288] acpi_init_fpdt+0xa8/0x253
[ 1.227308] ? acpi_debugfs_init+0x1f/0x1f
[ 1.227339] do_one_initcall+0x5a/0x300
[ 1.227406] ? rcu_read_lock_sched_held+0x3f/0x80
[ 1.227442] kernel_init_freeable+0x28b/0x2cc
[ 1.227512] ? rest_init+0x170/0x170
[ 1.227538] kernel_init+0x16/0x140
[ 1.227552] ret_from_fork+0x1f/0x30
[ 1.227639]
[ 1.227647] irq event stamp: 186819
[ 1.227656] hardirqs last enabled at (186825): [] __up_console_sem+0x5e/0x70
[ 1.227672] hardirqs last disabled at (186830): [] __up_console_sem+0x43/0x70
[ 1.227686] softirqs last enabled at (186576): [] __irq_exit_rcu+0xed/0x160
[ 1.227701] softirqs last disabled at (186569): [] __irq_exit_rcu+0xed/0x160
[ 1.227715] ---[ end trace 0000000000000000 ]---
CVSS v3.1 severity: HIGH
Last modified: 04/12/2025

CVE-2022-50319

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

coresight: trbe: remove cpuhp instance node before remove cpuhp state

cpuhp_state_add_instance() and cpuhp_state_remove_instance() should
be used in pairs. Or there will lead to the warn on
cpuhp_remove_multi_state() since the cpuhp_step list is not empty.

The following is the error log with 'rmmod coresight-trbe':
Error: Removing state 215 which has instances left.
Call trace:
__cpuhp_remove_state_cpuslocked+0x144/0x160
__cpuhp_remove_state+0xac/0x100
arm_trbe_device_remove+0x2c/0x60 [coresight_trbe]
platform_remove+0x34/0x70
device_remove+0x54/0x90
device_release_driver_internal+0x1e4/0x250
driver_detach+0x5c/0xb0
bus_remove_driver+0x64/0xc0
driver_unregister+0x3c/0x70
platform_driver_unregister+0x20/0x30
arm_trbe_exit+0x1c/0x658 [coresight_trbe]
__arm64_sys_delete_module+0x1ac/0x24c
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0x58/0x1a0
do_el0_svc+0x38/0xd0
el0_svc+0x2c/0xc0
el0t_64_sync_handler+0x1ac/0x1b0
el0t_64_sync+0x19c/0x1a0
---[ end trace 0000000000000000 ]---
CVSS v3.1 severity: MEDIUM
Last modified: 04/12/2025

CVE-2022-50318

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()

pci_get_device() will increase the reference count for the returned
'dev'. We need to call pci_dev_put() to decrease the reference count.
Since 'dev' is only used in pci_read_config_dword(), let's add
pci_dev_put() right after it.
CVSS v3.1 severity: MEDIUM
Last modified: 04/12/2025

CVE-2022-50317

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: megachips: Fix a null pointer dereference bug

When removing the module we will get the following warning:

[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered
[ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
[ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130
[ 31.921825] Call Trace:
[ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw]
[ 31.923139] i2c_device_remove+0x181/0x1f0

The two bridges (stdp2690, stdp4028) do not probe at the same time, so
the driver does not call ge_b850v3_resgiter() when probing, causing the
driver to try to remove the object that has not been initialized.

Fix this by checking whether both the bridges are probed.
CVSS v3.1 severity: MEDIUM
Last modified: 04/12/2025

CVE-2022-50315

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS

UBSAN complains about array-index-out-of-bounds:
[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41
[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]'
[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu
[ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010
[ 1.980718] kernel: Call Trace:
[ 1.980721] kernel:
[ 1.980723] kernel: show_stack+0x52/0x58
[ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f
[ 1.980734] kernel: dump_stack+0x10/0x12
[ 1.980736] kernel: ubsan_epilogue+0x9/0x45
[ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49
[ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]
[ 1.980748] kernel: ata_qc_issue+0x135/0x240
[ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580
[ 1.980754] kernel: ? vprintk_default+0x1d/0x20
[ 1.980759] kernel: ata_exec_internal+0x67/0xa0
[ 1.980762] kernel: sata_pmp_read+0x8d/0xc0
[ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90
[ 1.980768] kernel: sata_pmp_attach+0x8b/0x310
[ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0
[ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30
[ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]
[ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]
[ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]
[ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0
[ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560
[ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40
[ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]
[ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600
[ 1.980810] kernel: ata_scsi_error+0x9c/0xd0
[ 1.980813] kernel: scsi_error_handler+0xa1/0x180
[ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0
[ 1.980820] kernel: kthread+0x12a/0x150
[ 1.980823] kernel: ? set_kthread_struct+0x50/0x50
[ 1.980826] kernel: ret_from_fork+0x22/0x30
[ 1.980831] kernel:

This happens because sata_pmp_init_links() initialize link->pmp up to
SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.

I can't find the maximum Enclosure Management ports specified in AHCI
spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier
Information" can utilize 4 bits, which implies it can support up to 16
ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the
issue.

BugLink: https://bugs.launchpad.net/bugs/1970074
CVSS v3.1 severity: HIGH
Last modified: 04/12/2025

CVE-2022-50314

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

nbd: Fix hung when signal interrupts nbd_start_device_ioctl()

syzbot reported hung task [1]. The following program is a simplified
version of the reproducer:

int main(void)
{
int sv[2], fd;

if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv)
CVSS v3.1 severity: MEDIUM
Last modified: 04/12/2025

CVE-2022-50313

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

erofs: fix order >= MAX_ORDER warning due to crafted negative i_size

As syzbot reported [1], the root cause is that i_size field is a
signed type, and negative i_size is also less than EROFS_BLKSIZ.
As a consequence, it's handled as fast symlink unexpectedly.

Let's fall back to the generic path to deal with such unusual i_size.

[1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com
CVSS v3.1 severity: MEDIUM
Last modified: 04/12/2025

CVE-2022-50316

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

orangefs: Fix kmemleak in orangefs_sysfs_init()

When insert and remove the orangefs module, there are kobjects memory
leaked as below:

---truncated---
CVSS v3.1 severity: MEDIUM
Last modified: 03/12/2025

CVE-2022-50312

Publication date: 15/09/2025
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drivers: serial: jsm: fix some leaks in probe

This error path needs to unwind instead of just returning directly.
CVSS v3.1 severity: MEDIUM
Last modified: 04/12/2025