Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ipset: Rework long task execution when adding/deleting entries<br /> <br /> When adding/deleting large number of elements in one step in ipset, it can<br /> take a reasonable amount of time and can result in soft lockup errors. The<br /> patch 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of<br /> consecutive elements to add/delete") tried to fix it by limiting the max<br /> elements to process at all. However it was not enough, it is still possible<br /> that we get hung tasks. Lowering the limit is not reasonable, so the<br /> approach in this patch is as follows: rely on the method used at resizing<br /> sets and save the state when we reach a smaller internal batch limit,<br /> unlock/lock and proceed from the saved state. Thus we can avoid long<br /> continuous tasks and at the same time removed the limit to add/delete large<br /> number of elements in one step.<br /> <br /> The nfnl mutex is held during the whole operation which prevents one to<br /> issue other ipset commands in parallel.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915: mark requests for GuC virtual engines to avoid use-after-free<br /> <br /> References to i915_requests may be trapped by userspace inside a<br /> sync_file or dmabuf (dma-resv) and held indefinitely across different<br /> proceses. To counter-act the memory leaks, we try to not to keep<br /> references from the request past their completion.<br /> On the other side on fence release we need to know if rq-&gt;engine<br /> is valid and points to hw engine (true for non-virtual requests).<br /> To make it possible extra bit has been added to rq-&gt;execution_mask,<br /> for marking virtual engines.<br /> <br /> (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: cfg80211: reject auth/assoc to AP with our address<br /> <br /> If the AP uses our own address as its MLD address or BSSID, then<br /> clearly something&amp;#39;s wrong. Reject such connections so we don&amp;#39;t<br /> try and fail later.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy<br /> <br /> For some reason, the driver adding support for Exynos5420 MIPI phy<br /> back in 2016 wasn&amp;#39;t used on Exynos5420, which caused a kernel panic.<br /> Add the proper compatible for it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx<br /> <br /> when mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory<br /> pointed by &amp;#39;in&amp;#39; is not released, which will cause memory leak. Move memory<br /> release after mlx5_cmd_exec.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: davinci: Fix clk use after free<br /> <br /> The remove function first frees the clks and only then calls<br /> cpufreq_unregister_driver(). If one of the cpufreq callbacks is called<br /> just before cpufreq_unregister_driver() is run, the freed clks might be<br /> used.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check<br /> <br /> The vdpa_nl_policy structure is used to validate the nlattr when parsing<br /> the incoming nlmsg. It will ensure the attribute being described produces<br /> a valid nlattr pointer in info-&gt;attrs before entering into each handler<br /> in vdpa_nl_ops.<br /> <br /> That is to say, the missing part in vdpa_nl_policy may lead to illegal<br /> nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.<br /> <br /> This patch adds the missing nla_policy for vdpa max vqp attr to avoid<br /> such bugs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Fix sdma v4 sw fini error<br /> <br /> Fix sdma v4 sw fini error for sdma 4.2.2 to<br /> solve the following general protection fault<br /> <br /> [ +0.108196] general protection fault, probably for non-canonical<br /> address 0xd5e5a4ae79d24a32: 0000 [#1] PREEMPT SMP PTI<br /> [ +0.000018] RIP: 0010:free_fw_priv+0xd/0x70<br /> [ +0.000022] Call Trace:<br /> [ +0.000012] <br /> [ +0.000011] release_firmware+0x55/0x80<br /> [ +0.000021] amdgpu_ucode_release+0x11/0x20 [amdgpu]<br /> [ +0.000415] amdgpu_sdma_destroy_inst_ctx+0x4f/0x90 [amdgpu]<br /> [ +0.000360] sdma_v4_0_sw_fini+0xce/0x110 [amdgpu]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write<br /> <br /> When the oob buffer length is not in multiple of words, the oob write<br /> function does out-of-bounds read on the oob source buffer at the last<br /> iteration. Fix that by always checking length limit on the oob buffer<br /> read and fill with 0xff when reaching the end of the buffer to the oob<br /> registers.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: unmap and remove csa_va properly<br /> <br /> Root PD BO should be reserved before unmap and remove<br /> a bo_va from VM otherwise lockdep will complain.<br /> <br /> v2: check fpriv-&gt;csa_va is not NULL instead of amdgpu_mcbp (christian)<br /> <br /> [14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]<br /> [14616.937096] Call Trace:<br /> [14616.937097] <br /> [14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]<br /> [14616.937187] drm_file_free+0x1d6/0x300 [drm]<br /> [14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]<br /> [14616.937220] drm_release+0x5e/0x100 [drm]<br /> [14616.937234] __fput+0x9f/0x280<br /> [14616.937239] ____fput+0xe/0x20<br /> [14616.937241] task_work_run+0x61/0x90<br /> [14616.937246] exit_to_user_mode_prepare+0x215/0x220<br /> [14616.937251] syscall_exit_to_user_mode+0x2a/0x60<br /> [14616.937254] do_syscall_64+0x48/0x90<br /> [14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix incomplete state save in rxe_requester<br /> <br /> If a send packet is dropped by the IP layer in rxe_requester()<br /> the call to rxe_xmit_packet() can fail with err == -EAGAIN.<br /> To recover, the state of the wqe is restored to the state before<br /> the packet was sent so it can be resent. However, the routines<br /> that save and restore the state miss a significnt part of the<br /> variable state in the wqe, the dma struct which is used to process<br /> through the sge table. And, the state is not saved before the packet<br /> is built which modifies the dma struct.<br /> <br /> Under heavy stress testing with many QPs on a fast node sending<br /> large messages to a slow node dropped packets are observed and<br /> the resent packets are corrupted because the dma struct was not<br /> restored. This patch fixes this behavior and allows the test cases<br /> to succeed.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid use-after-free for cached IPU bio<br /> <br /> xfstest generic/019 reports a bug:<br /> <br /> kernel BUG at mm/filemap.c:1619!<br /> RIP: 0010:folio_end_writeback+0x8a/0x90<br /> Call Trace:<br /> end_page_writeback+0x1c/0x60<br /> f2fs_write_end_io+0x199/0x420<br /> bio_endio+0x104/0x180<br /> submit_bio_noacct+0xa5/0x510<br /> submit_bio+0x48/0x80<br /> f2fs_submit_write_bio+0x35/0x300<br /> f2fs_submit_merged_ipu_write+0x2a0/0x2b0<br /> f2fs_write_single_data_page+0x838/0x8b0<br /> f2fs_write_cache_pages+0x379/0xa30<br /> f2fs_write_data_pages+0x30c/0x340<br /> do_writepages+0xd8/0x1b0<br /> __writeback_single_inode+0x44/0x370<br /> writeback_sb_inodes+0x233/0x4d0<br /> __writeback_inodes_wb+0x56/0xf0<br /> wb_writeback+0x1dd/0x2d0<br /> wb_workfn+0x367/0x4a0<br /> process_one_work+0x21d/0x430<br /> worker_thread+0x4e/0x3c0<br /> kthread+0x103/0x130<br /> ret_from_fork+0x2c/0x50<br /> <br /> The root cause is: after cp_error is set, f2fs_submit_merged_ipu_write()<br /> in f2fs_write_single_data_page() tries to flush IPU bio in cache, however<br /> f2fs_submit_merged_ipu_write() missed to check validity of @bio parameter,<br /> result in submitting random cached bio which belong to other IO context,<br /> then it will cause use-after-free issue, fix it by adding additional<br /> validity check.