Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: TC, Fix using eswitch mapping in nic mode<br /> <br /> Cited patch is using the eswitch object mapping pool while<br /> in nic mode where it isn&amp;#39;t initialized. This results in the<br /> trace below [0].<br /> <br /> Fix that by using either nic or eswitch object mapping pool<br /> depending if eswitch is enabled or not.<br /> <br /> [0]:<br /> [ 826.446057] ==================================================================<br /> [ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]<br /> [ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233<br /> <br /> [ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1<br /> [ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> [ 826.449785] Call Trace:<br /> [ 826.450052] <br /> [ 826.450302] dump_stack_lvl+0x33/0x50<br /> [ 826.450650] print_report+0xc2/0x610<br /> [ 826.450998] ? __virt_addr_valid+0xb1/0x130<br /> [ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]<br /> [ 826.451935] kasan_report+0xae/0xe0<br /> [ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]<br /> [ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core]<br /> [ 826.453368] ? __kmalloc_node+0x5a/0x120<br /> [ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core]<br /> [ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]<br /> [ 826.455011] ? mutex_unlock+0x80/0xd0<br /> [ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210<br /> [ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core]<br /> [ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]<br /> [ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]<br /> [ 826.457636] ? __kasan_kmalloc+0x77/0x90<br /> [ 826.458000] ? __kmalloc+0x57/0x120<br /> [ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]<br /> [ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0<br /> [ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]<br /> [ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]<br /> [ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]<br /> [ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]<br /> [ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core]<br /> [ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0<br /> [ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]<br /> [ 826.463163] ? kasan_save_stack+0x2e/0x40<br /> [ 826.463534] ? down_read+0x115/0x1b0<br /> [ 826.463878] ? down_write_killable+0x110/0x110<br /> [ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0<br /> [ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]<br /> [ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]<br /> [ 826.465878] tc_setup_cb_add+0x112/0x250<br /> [ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower]<br /> [ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]<br /> [ 826.467212] fl_change+0x14e1/0x2030 [cls_flower]<br /> [ 826.467636] ? sock_def_readable+0x89/0x120<br /> [ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]<br /> [ 826.468509] ? kasan_unpoison+0x23/0x50<br /> [ 826.468873] ? get_random_u16+0x180/0x180<br /> [ 826.469244] ? __radix_tree_lookup+0x2b/0x130<br /> [ 826.469640] ? fl_get+0x7b/0x140 [cls_flower]<br /> [ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower]<br /> [ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210<br /> [ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]<br /> [ 826.471427] tc_new_tfilter+0x644/0x1050<br /> [ 826.471795] ? tc_get_tfilter+0x860/0x860<br /> [ 826.472170] ? __thaw_task+0x130/0x130<br /> [ 826.472525] ? arch_stack_walk+0x98/0xf0<br /> [ 826.472892] ? cap_capable+0x9f/0xd0<br /> [ 826.473235] ? security_capable+0x47/0x60<br /> [ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550<br /> [ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0<br /> [ 826.474383] ? __stack_depot_save+0x35/0x4c0<br /> [ 826.474779] ? kasan_save_stack+0x2e/0x40<br /> [ 826.475149] ? kasan_save_stack+0x1e/0x40<br /> [ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0<br /> [ 826.475939] ? task_work_add+0x77/0x1c0<br /> [ 826.476305] netlink_rcv_skb+0xe0/0x210<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "drm/msm: Add missing check and destroy for alloc_ordered_workqueue"<br /> <br /> This reverts commit 643b7d0869cc7f1f7a5ac7ca6bd25d88f54e31d0.<br /> <br /> A recent patch that tried to fix up the msm_drm_init() paths with<br /> respect to the workqueue but only ended up making things worse:<br /> <br /> First, the newly added calls to msm_drm_uninit() on early errors would<br /> trigger NULL-pointer dereferences, for example, as the kms pointer would<br /> not have been initialised. (Note that these paths were also modified by<br /> a second broken error handling patch which in effect cancelled out this<br /> part when merged.)<br /> <br /> Second, the newly added allocation sanity check would still leak the<br /> previously allocated drm device.<br /> <br /> Instead of trying to salvage what was badly broken (and clearly not<br /> tested), let&amp;#39;s revert the bad commit so that clean and backportable<br /> fixes can be added in its place.<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/525107/

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: always release netdev hooks from notifier<br /> <br /> This reverts "netfilter: nf_tables: skip netdev events generated on netns removal".<br /> <br /> The problem is that when a veth device is released, the veth release<br /> callback will also queue the peer netns device for removal.<br /> <br /> Its possible that the peer netns is also slated for removal. In this<br /> case, the device memory is already released before the pre_exit hook of<br /> the peer netns runs:<br /> <br /> BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0<br /> Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45<br /> Workqueue: netns cleanup_net<br /> Call Trace:<br /> nf_hook_entry_head+0x1b8/0x1d0<br /> __nf_unregister_net_hook+0x76/0x510<br /> nft_netdev_unregister_hooks+0xa0/0x220<br /> __nft_release_hook+0x184/0x490<br /> nf_tables_pre_exit_net+0x12f/0x1b0<br /> ..<br /> <br /> Order is:<br /> 1. First netns is released, veth_dellink() queues peer netns device<br /> for removal<br /> 2. peer netns is queued for removal<br /> 3. peer netns device is released, unreg event is triggered<br /> 4. unreg event is ignored because netns is going down<br /> 5. pre_exit hook calls nft_netdev_unregister_hooks but device memory<br /> might be free&amp;#39;d already.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/efa: Fix wrong resources deallocation order<br /> <br /> When trying to destroy QP or CQ, we first decrease the refcount and<br /> potentially free memory regions allocated for the object and then<br /> request the device to destroy the object. If the device fails, the<br /> object isn&amp;#39;t fully destroyed so the user/IB core can try to destroy the<br /> object again which will lead to underflow when trying to decrease an<br /> already zeroed refcount.<br /> <br /> Deallocate resources in reverse order of allocating them to safely free<br /> them.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915: fix race condition UAF in i915_perf_add_config_ioctl<br /> <br /> Userspace can guess the id value and try to race oa_config object creation<br /> with config remove, resulting in a use-after-free if we dereference the<br /> object after unlocking the metrics_lock. For that reason, unlocking the<br /> metrics_lock must be done after we are done dereferencing the object.<br /> <br /> [tursulin: Manually added stable tag.]<br /> (cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr<br /> <br /> When smb1 mount fails, KASAN detect slab-out-of-bounds in<br /> init_smb2_rsp_hdr like the following one.<br /> For smb1 negotiate(56bytes) , init_smb2_rsp_hdr() for smb2 is called.<br /> The issue occurs while handling smb1 negotiate as smb2 server operations.<br /> Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr,<br /> allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that<br /> smb2 server operation does not handle it.<br /> <br /> [ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is<br /> not recommended unless required for access to very old servers<br /> [ 411.400452] CIFS: Attempting to mount \\192.168.45.139\homes<br /> [ 411.479312] ksmbd: init_smb2_rsp_hdr : 492<br /> [ 411.479323] ==================================================================<br /> [ 411.479327] BUG: KASAN: slab-out-of-bounds in<br /> init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]<br /> [ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199<br /> <br /> [ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G<br /> OE 6.1.21 #3<br /> [ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8<br /> Series/Z10PA-D8 Series, BIOS 3801 08/23/2019<br /> [ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]<br /> [ 411.479425] Call Trace:<br /> [ 411.479428] <br /> [ 411.479432] dump_stack_lvl+0x49/0x63<br /> [ 411.479444] print_report+0x171/0x4a8<br /> [ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200<br /> [ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]<br /> [ 411.479497] kasan_report+0xb4/0x130<br /> [ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]<br /> [ 411.479537] kasan_check_range+0x149/0x1e0<br /> [ 411.479543] memcpy+0x24/0x70<br /> [ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]<br /> [ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd]<br /> [ 411.479616] ? _raw_spin_unlock_irqrestore+0x50/0x50<br /> [ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd]<br /> [ 411.479656] process_one_work+0x49c/0x790<br /> [ 411.479667] worker_thread+0x2b1/0x6e0<br /> [ 411.479674] ? process_one_work+0x790/0x790<br /> [ 411.479680] kthread+0x177/0x1b0<br /> [ 411.479686] ? kthread_complete_and_exit+0x30/0x30<br /> [ 411.479692] ret_from_fork+0x22/0x30<br /> [ 411.479702]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: sunplus: fix return value check of mmc_add_host()<br /> <br /> mmc_add_host() may return error, if we ignore its return value,<br /> 1. the memory allocated in mmc_alloc_host() will be leaked<br /> 2. null-ptr-deref will happen when calling mmc_remove_host()<br /> in remove function spmmc_drv_remove() because deleting not<br /> added device.<br /> <br /> Fix this by checking the return value of mmc_add_host(). Moreover,<br /> I fixed the error handling path of spmmc_drv_probe() to clean up.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain<br /> <br /> of_irq_find_parent() returns a node pointer with refcount incremented,<br /> We should use of_node_put() on it when not needed anymore.<br /> Add missing of_node_put() to avoid refcount leak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: flower: fix filter idr initialization<br /> <br /> The cited commit moved idr initialization too early in fl_change() which<br /> allows concurrent users to access the filter that is still being<br /> initialized and is in inconsistent state, which, in turn, can cause NULL<br /> pointer dereference [0]. Since there is no obvious way to fix the ordering<br /> without reverting the whole cited commit, alternative approach taken to<br /> first insert NULL pointer into idr in order to allocate the handle but<br /> still cause fl_get() to return NULL and prevent concurrent users from<br /> seeing the filter while providing miss-to-action infrastructure with valid<br /> handle id early in fl_change().<br /> <br /> [ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN<br /> [ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> [ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5<br /> [ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> [ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower]<br /> [ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57<br /> [ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246<br /> [ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> [ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900<br /> [ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240<br /> [ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900<br /> [ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738<br /> [ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000<br /> [ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0<br /> [ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 152.453588] Call Trace:<br /> [ 152.454032] <br /> [ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0<br /> [ 152.455109] ? sock_sendmsg+0xc5/0x190<br /> [ 152.455689] ? ____sys_sendmsg+0x535/0x6b0<br /> [ 152.456320] ? ___sys_sendmsg+0xeb/0x170<br /> [ 152.456916] ? do_syscall_64+0x3d/0x90<br /> [ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> [ 152.458321] ? ___sys_sendmsg+0xeb/0x170<br /> [ 152.458958] ? __sys_sendmsg+0xb5/0x140<br /> [ 152.459564] ? do_syscall_64+0x3d/0x90<br /> [ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> [ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower]<br /> [ 152.461710] ? _raw_spin_lock+0x7a/0xd0<br /> [ 152.462299] ? _raw_read_lock_irq+0x30/0x30<br /> [ 152.462924] ? nla_put+0x15e/0x1c0<br /> [ 152.463480] fl_dump+0x228/0x650 [cls_flower]<br /> [ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower]<br /> [ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330<br /> [ 152.465592] ? nla_put+0x15e/0x1c0<br /> [ 152.466160] tcf_fill_node+0x515/0x9a0<br /> [ 152.466766] ? tc_setup_offload_action+0xf0/0xf0<br /> [ 152.467463] ? __alloc_skb+0x13c/0x2a0<br /> [ 152.468067] ? __build_skb_around+0x330/0x330<br /> [ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower]<br /> [ 152.469503] tc_del_tfilter+0x718/0x1330<br /> [ 152.470115] ? is_bpf_text_address+0xa/0x20<br /> [ 152.470765] ? tc_ctl_chain+0xee0/0xee0<br /> [ 152.471335] ? __kernel_text_address+0xe/0x30<br /> [ 152.471948] ? unwind_get_return_address+0x56/0xa0<br /> [ 152.472639] ? __thaw_task+0x150/0x150<br /> [ 152.473218] ? arch_stack_walk+0x98/0xf0<br /> [ 152.473839] ? __stack_depot_save+0x35/0x4c0<br /> [ 152.474501] ? stack_trace_save+0x91/0xc0<br /> [ 152.475119] ? security_capable+0x51/0x90<br /> [ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0<br /> [ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0<br /> [ 152.477042]<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: uclogic: Correct devm device reference for hidinput input_dev name<br /> <br /> Reference the HID device rather than the input device for the devm<br /> allocation of the input_dev name. Referencing the input_dev would lead to a<br /> use-after-free when the input_dev was unregistered and subsequently fires a<br /> uevent that depends on the name. At the point of firing the uevent, the<br /> name would be freed by devres management.<br /> <br /> Use devm_kasprintf to simplify the logic for allocating memory and<br /> formatting the input_dev name string.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: ov5675: Fix memleak in ov5675_init_controls()<br /> <br /> There is a kmemleak when testing the media/i2c/ov5675.c with bpf mock<br /> device:<br /> <br /> AssertionError: unreferenced object 0xffff888107362160 (size 16):<br /> comm "python3", pid 277, jiffies 4294832798 (age 20.722s)<br /> hex dump (first 16 bytes):<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] __kmalloc_node+0x44/0x1b0<br /> [] kvmalloc_node+0x34/0x180<br /> [] v4l2_ctrl_handler_init_class+0x11d/0x180<br /> [videodev]<br /> [] ov5675_probe+0x38b/0x897 [ov5675]<br /> [] i2c_device_probe+0x28d/0x680<br /> [] really_probe+0x17c/0x3f0<br /> [] __driver_probe_device+0xe3/0x170<br /> [] driver_probe_device+0x49/0x120<br /> [] __device_attach_driver+0xf7/0x150<br /> [] bus_for_each_drv+0x114/0x180<br /> [] __device_attach+0x1e5/0x2d0<br /> [] bus_probe_device+0x126/0x140<br /> [] device_add+0x810/0x1130<br /> [] i2c_new_client_device+0x386/0x540<br /> [] of_i2c_register_device+0xf1/0x110<br /> [] of_i2c_notify+0xfc/0x1f0<br /> <br /> ov5675_init_controls() won&amp;#39;t clean all the allocated resources in fail<br /> path, which may causes the memleaks. Add v4l2_ctrl_handler_free() to<br /> prevent memleak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7996: fix memory leak in mt7996_mcu_exit<br /> <br /> Always purge mcu skb queues in mt7996_mcu_exit routine even if<br /> mt7996_firmware_state fails.