Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt: avoid overflow in bnxt_get_nvram_directory()<br /> <br /> The value of an arithmetic expression is subject<br /> of possible overflow due to a failure to cast operands to a larger data<br /> type before performing arithmetic. Used macro for multiplication instead<br /> operator for avoiding overflow.<br /> <br /> Found by Security Code and Linux Verification<br /> Center (linuxtesting.org) with SVACE.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, cpumap: Handle skb as well when clean up ptr_ring<br /> <br /> The following warning was reported when running xdp_redirect_cpu with<br /> both skb-mode and stress-mode enabled:<br /> <br /> ------------[ cut here ]------------<br /> Incorrect XDP memory type (-2128176192) usage<br /> WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405<br /> Modules linked in:<br /> CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)<br /> Workqueue: events __cpu_map_entry_free<br /> RIP: 0010:__xdp_return+0x1e4/0x4a0<br /> ......<br /> Call Trace:<br /> <br /> ? show_regs+0x65/0x70<br /> ? __warn+0xa5/0x240<br /> ? __xdp_return+0x1e4/0x4a0<br /> ......<br /> xdp_return_frame+0x4d/0x150<br /> __cpu_map_entry_free+0xf9/0x230<br /> process_one_work+0x6b0/0xb80<br /> worker_thread+0x96/0x720<br /> kthread+0x1a5/0x1f0<br /> ret_from_fork+0x3a/0x70<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> <br /> The reason for the warning is twofold. One is due to the kthread<br /> cpu_map_kthread_run() is stopped prematurely. Another one is<br /> __cpu_map_ring_cleanup() doesn&amp;#39;t handle skb mode and treats skbs in<br /> ptr_ring as XDP frames.<br /> <br /> Prematurely-stopped kthread will be fixed by the preceding patch and<br /> ptr_ring will be empty when __cpu_map_ring_cleanup() is called. But<br /> as the comments in __cpu_map_ring_cleanup() said, handling and freeing<br /> skbs in ptr_ring as well to "catch any broken behaviour gracefully".

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-af: Add validation before accessing cgx and lmac<br /> <br /> with the addition of new MAC blocks like CN10K RPM and CN10KB<br /> RPM_USX, LMACs are noncontiguous and CGX blocks are also<br /> noncontiguous. But during RVU driver initialization, the driver<br /> is assuming they are contiguous and trying to access<br /> cgx or lmac with their id which is resulting in kernel panic.<br /> <br /> This patch fixes the issue by adding proper checks.<br /> <br /> [ 23.219150] pc : cgx_lmac_read+0x38/0x70<br /> [ 23.219154] lr : rvu_program_channels+0x3f0/0x498<br /> [ 23.223852] sp : ffff000100d6fc80<br /> [ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:<br /> 000000000000005a<br /> [ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:<br /> fffffffffff0f000

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: amphion: fix REVERSE_INULL issues reported by coverity<br /> <br /> null-checking of a pointor is suggested before dereferencing it

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa: Add features attr to vdpa_nl_policy for nlattr length check<br /> <br /> The vdpa_nl_policy structure is used to validate the nlattr when parsing<br /> the incoming nlmsg. It will ensure the attribute being described produces<br /> a valid nlattr pointer in info-&gt;attrs before entering into each handler<br /> in vdpa_nl_ops.<br /> <br /> That is to say, the missing part in vdpa_nl_policy may lead to illegal<br /> nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.<br /> <br /> This patch adds the missing nla_policy for vdpa features attr to avoid<br /> such bugs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: exc3000 - properly stop timer on shutdown<br /> <br /> We need to stop the timer on driver unbind or probe failures, otherwise<br /> we get UAF/Oops.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()<br /> <br /> If &amp;#39;mipid_detect()&amp;#39; fails, we must free &amp;#39;md&amp;#39; to avoid a memory leak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf trace: Really free the evsel-&gt;priv area<br /> <br /> In 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in<br /> evsel-&gt;priv") it only was freeing if strcmp(evsel-&gt;tp_format-&gt;system,<br /> "syscalls") returned zero, while the corresponding initialization of<br /> evsel-&gt;priv was being performed if it was _not_ zero, i.e. if the tp<br /> system wasn&amp;#39;t &amp;#39;syscalls&amp;#39;.<br /> <br /> Just stop looking for that and free it if evsel-&gt;priv was set, which<br /> should be equivalent.<br /> <br /> Also use the pre-existing evsel_trace__delete() function.<br /> <br /> This resolves these leaks, detected with:<br /> <br /> $ make EXTRA_CFLAGS="-fsanitize=address" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin<br /> <br /> =================================================================<br /> ==481565==ERROR: LeakSanitizer: detected memory leaks<br /> <br /> Direct leak of 40 byte(s) in 1 object(s) allocated from:<br /> #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)<br /> #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)<br /> #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307<br /> #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333<br /> #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458<br /> #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480<br /> #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212<br /> #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891<br /> #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156<br /> #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323<br /> #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377<br /> #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421<br /> #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537<br /> #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)<br /> <br /> Direct leak of 40 byte(s) in 1 object(s) allocated from:<br /> #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)<br /> #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)<br /> #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307<br /> #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333<br /> #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458<br /> #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480<br /> #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205<br /> #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891<br /> #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156<br /> #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323<br /> #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377<br /> #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421<br /> #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537<br /> #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)<br /> <br /> SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).<br /> [root@quaco ~]#<br /> <br /> With this we plug all leaks with "perf trace sleep 1".

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer<br /> <br /> smatch error:<br /> sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:<br /> we previously assumed &amp;#39;rac97&amp;#39; could be null (see line 2072)<br /> <br /> remove redundant assignment, return error if rac97 is NULL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Drivers: hv: vmbus: Don&amp;#39;t dereference ACPI root object handle<br /> <br /> Since the commit referenced in the Fixes: tag below the VMBus client driver<br /> is walking the ACPI namespace up from the VMBus ACPI device to the ACPI<br /> namespace root object trying to find Hyper-V MMIO ranges.<br /> <br /> However, if it is not able to find them it ends trying to walk resources of<br /> the ACPI namespace root object itself.<br /> This object has all-ones handle, which causes a NULL pointer dereference<br /> in the ACPI code (from dereferencing this pointer with an offset).<br /> <br /> This in turn causes an oops on boot with VMBus host implementations that do<br /> not provide Hyper-V MMIO ranges in their VMBus ACPI device or its<br /> ancestors.<br /> The QEMU VMBus implementation is an example of such implementation.<br /> <br /> I guess providing these ranges is optional, since all tested Windows<br /> versions seem to be able to use VMBus devices without them.<br /> <br /> Fix this by explicitly terminating the lookup at the ACPI namespace root<br /> object.<br /> <br /> Note that Linux guests under KVM/QEMU do not use the Hyper-V PV interface<br /> by default - they only do so if the KVM PV interface is missing or<br /> disabled.<br /> <br /> Example stack trace of such oops:<br /> [ 3.710827] ? __die+0x1f/0x60<br /> [ 3.715030] ? page_fault_oops+0x159/0x460<br /> [ 3.716008] ? exc_page_fault+0x73/0x170<br /> [ 3.716959] ? asm_exc_page_fault+0x22/0x30<br /> [ 3.717957] ? acpi_ns_lookup+0x7a/0x4b0<br /> [ 3.718898] ? acpi_ns_internalize_name+0x79/0xc0<br /> [ 3.720018] acpi_ns_get_node_unlocked+0xb5/0xe0<br /> [ 3.721120] ? acpi_ns_check_object_type+0xfe/0x200<br /> [ 3.722285] ? acpi_rs_convert_aml_to_resource+0x37/0x6e0<br /> [ 3.723559] ? down_timeout+0x3a/0x60<br /> [ 3.724455] ? acpi_ns_get_node+0x3a/0x60<br /> [ 3.725412] acpi_ns_get_node+0x3a/0x60<br /> [ 3.726335] acpi_ns_evaluate+0x1c3/0x2c0<br /> [ 3.727295] acpi_ut_evaluate_object+0x64/0x1b0<br /> [ 3.728400] acpi_rs_get_method_data+0x2b/0x70<br /> [ 3.729476] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]<br /> [ 3.730940] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]<br /> [ 3.732411] acpi_walk_resources+0x78/0xd0<br /> [ 3.733398] vmbus_platform_driver_probe+0x9f/0x1d0 [hv_vmbus]<br /> [ 3.734802] platform_probe+0x3d/0x90<br /> [ 3.735684] really_probe+0x19b/0x400<br /> [ 3.736570] ? __device_attach_driver+0x100/0x100<br /> [ 3.737697] __driver_probe_device+0x78/0x160<br /> [ 3.738746] driver_probe_device+0x1f/0x90<br /> [ 3.739743] __driver_attach+0xc2/0x1b0<br /> [ 3.740671] bus_for_each_dev+0x70/0xc0<br /> [ 3.741601] bus_add_driver+0x10e/0x210<br /> [ 3.742527] driver_register+0x55/0xf0<br /> [ 3.744412] ? 0xffffffffc039a000<br /> [ 3.745207] hv_acpi_init+0x3c/0x1000 [hv_vmbus]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/perf: add sentinel to xehp_oa_b_counters<br /> <br /> Arrays passed to reg_in_range_table should end with empty record.<br /> <br /> The patch solves KASAN detected bug with signature:<br /> BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]<br /> Read of size 4 at addr ffffffffa1555d90 by task perf/1518<br /> <br /> CPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1<br /> Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023<br /> Call Trace:<br /> <br /> ...<br /> xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]<br /> <br /> (cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Make bpf_refcount_acquire fallible for non-owning refs<br /> <br /> This patch fixes an incorrect assumption made in the original<br /> bpf_refcount series [0], specifically that the BPF program calling<br /> bpf_refcount_acquire on some node can always guarantee that the node is<br /> alive. In that series, the patch adding failure behavior to rbtree_add<br /> and list_push_{front, back} breaks this assumption for non-owning<br /> references.<br /> <br /> Consider the following program:<br /> <br /> n = bpf_kptr_xchg(&amp;mapval, NULL);<br /> /* skip error checking */<br /> <br /> bpf_spin_lock(&amp;l);<br /> if(bpf_rbtree_add(&amp;t, &amp;n-&gt;rb, less)) {<br /> bpf_refcount_acquire(n);<br /> /* Failed to add, do something else with the node */<br /> }<br /> bpf_spin_unlock(&amp;l);<br /> <br /> It&amp;#39;s incorrect to assume that bpf_refcount_acquire will always succeed in this<br /> scenario. bpf_refcount_acquire is being called in a critical section<br /> here, but the lock being held is associated with rbtree t, which isn&amp;#39;t<br /> necessarily the lock associated with the tree that the node is already<br /> in. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop<br /> in it, the program has no ownership of the node&amp;#39;s lifetime. Therefore<br /> the node&amp;#39;s refcount can be decr&amp;#39;d to 0 at any time after the failing<br /> rbtree_add. If this happens before the refcount_acquire above, the node<br /> might be free&amp;#39;d, and regardless refcount_acquire will be incrementing a<br /> 0 refcount.<br /> <br /> Later patches in the series exercise this scenario, resulting in the<br /> expected complaint from the kernel (without this patch&amp;#39;s changes):<br /> <br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110<br /> Modules linked in: bpf_testmod(O)<br /> CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0xbc/0x110<br /> Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7<br /> RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082<br /> RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000<br /> RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680<br /> RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7<br /> R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388<br /> R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048<br /> FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> bpf_refcount_acquire_impl+0xb5/0xc0<br /> <br /> (rest of output snipped)<br /> <br /> The patch addresses this by changing bpf_refcount_acquire_impl to use<br /> refcount_inc_not_zero instead of refcount_inc and marking<br /> bpf_refcount_acquire KF_RET_NULL.<br /> <br /> For owning references, though, we know the above scenario is not possible<br /> and thus that bpf_refcount_acquire will always succeed. Some verifier<br /> bookkeeping is added to track "is input owning ref?" for bpf_refcount_acquire<br /> calls and return false from is_kfunc_ret_null for bpf_refcount_acquire on<br /> owning refs despite it being marked KF_RET_NULL.<br /> <br /> Existing selftests using bpf_refcount_acquire are modified where<br /> necessary to NULL-check its return value.<br /> <br /> [0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/