Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe()<br /> <br /> With clang&amp;#39;s kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),<br /> indirect call targets are validated against the expected function<br /> pointer prototype to make sure the call target is valid to help mitigate<br /> ROP attacks. If they are not identical, there is a failure at run time,<br /> which manifests as either a kernel panic or thread getting killed.<br /> <br /> msc313_rtc_probe() was passing clk_disable_unprepare() directly, which<br /> did not have matching prototypes for devm_add_action_or_reset()&amp;#39;s<br /> callback argument. Refactor to use devm_clk_get_enabled() instead.<br /> <br /> This was found as a result of Clang&amp;#39;s new -Wcast-function-type-strict<br /> flag, which is more sensitive than the simpler -Wcast-function-type,<br /> which only checks for type width mismatches.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: do not sense pfmemalloc status in skb_append_pagefrags()<br /> <br /> skb_append_pagefrags() is used by af_unix and udp sendpage()<br /> implementation so far.<br /> <br /> In commit 326140063946 ("tcp: TX zerocopy should not sense<br /> pfmemalloc status") we explained why we should not sense<br /> pfmemalloc status for pages owned by user space.<br /> <br /> We should also use skb_fill_page_desc_noacc()<br /> in skb_append_pagefrags() to avoid following KCSAN report:<br /> <br /> BUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags<br /> <br /> write to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0:<br /> __list_add include/linux/list.h:73 [inline]<br /> list_add include/linux/list.h:88 [inline]<br /> lruvec_add_folio include/linux/mm_inline.h:323 [inline]<br /> lru_add_fn+0x327/0x410 mm/swap.c:228<br /> folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246<br /> lru_add_drain_cpu+0x73/0x250 mm/swap.c:669<br /> lru_add_drain+0x21/0x60 mm/swap.c:773<br /> free_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311<br /> tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]<br /> tlb_flush_mmu_free mm/mmu_gather.c:256 [inline]<br /> tlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263<br /> tlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363<br /> exit_mmap+0x190/0x4d0 mm/mmap.c:3098<br /> __mmput+0x27/0x1b0 kernel/fork.c:1185<br /> mmput+0x3d/0x50 kernel/fork.c:1207<br /> copy_process+0x19fc/0x2100 kernel/fork.c:2518<br /> kernel_clone+0x166/0x550 kernel/fork.c:2671<br /> __do_sys_clone kernel/fork.c:2812 [inline]<br /> __se_sys_clone kernel/fork.c:2796 [inline]<br /> __x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> read to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1:<br /> page_is_pfmemalloc include/linux/mm.h:1817 [inline]<br /> __skb_fill_page_desc include/linux/skbuff.h:2432 [inline]<br /> skb_fill_page_desc include/linux/skbuff.h:2453 [inline]<br /> skb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974<br /> unix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338<br /> kernel_sendpage+0x184/0x300 net/socket.c:3561<br /> sock_sendpage+0x5a/0x70 net/socket.c:1054<br /> pipe_to_sendpage+0x128/0x160 fs/splice.c:361<br /> splice_from_pipe_feed fs/splice.c:415 [inline]<br /> __splice_from_pipe+0x222/0x4d0 fs/splice.c:559<br /> splice_from_pipe fs/splice.c:594 [inline]<br /> generic_splice_sendpage+0x89/0xc0 fs/splice.c:743<br /> do_splice_from fs/splice.c:764 [inline]<br /> direct_splice_actor+0x80/0xa0 fs/splice.c:931<br /> splice_direct_to_actor+0x305/0x620 fs/splice.c:886<br /> do_splice_direct+0xfb/0x180 fs/splice.c:974<br /> do_sendfile+0x3bf/0x910 fs/read_write.c:1255<br /> __do_sys_sendfile64 fs/read_write.c:1323 [inline]<br /> __se_sys_sendfile64 fs/read_write.c:1309 [inline]<br /> __x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> value changed: 0x0000000000000000 -&gt; 0xffffea00058fc188<br /> <br /> Reported by Kernel Concurrency Sanitizer on:<br /> CPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mtd: maps: pxa2xx-flash: fix memory leak in probe<br /> <br /> Free &amp;#39;info&amp;#39; upon remapping error to avoid a memory leak.<br /> <br /> [: Reword the commit log]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: avs: Fix potential RX buffer overflow<br /> <br /> If an event caused firmware to return invalid RX size for<br /> LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes.<br /> Fix by utilizing min_t().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: airspy: fix memory leak in airspy probe<br /> <br /> The commit ca9dc8d06ab6 ("media: airspy: respect the DMA coherency<br /> rules") moves variable buf from stack to heap, however, it only frees<br /> buf in the error handling code, missing deallocation in the success<br /> path.<br /> <br /> Fix this by freeing buf in the success path since this variable does not<br /> have any references in other code.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jbd2: fix potential use-after-free in jbd2_fc_wait_bufs<br /> <br /> In &amp;#39;jbd2_fc_wait_bufs&amp;#39; use &amp;#39;bh&amp;#39; after put buffer head reference count<br /> which may lead to use-after-free.<br /> So judge buffer if uptodate before put buffer head reference count.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value<br /> <br /> The return value of acpi_fetch_acpi_dev() could be NULL, which would<br /> cause a NULL pointer dereference to occur in acpi_device_hid().<br /> <br /> [ rjw: Subject and changelog edits, added empty line after if () ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: tables: FPDT: Don&amp;#39;t call acpi_os_map_memory() on invalid phys address<br /> <br /> On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table<br /> which contains invalid physical addresses, with high bits set which fall<br /> outside the range of the CPU-s supported physical address range.<br /> <br /> Calling acpi_os_map_memory() on such an invalid phys address leads to<br /> the below WARN_ON in ioremap triggering resulting in an oops/stacktrace.<br /> <br /> Add code to verify the physical address before calling acpi_os_map_memory()<br /> to fix / avoid the oops.<br /> <br /> [ 1.226900] ioremap: invalid physical address 3001000000000000<br /> [ 1.226949] ------------[ cut here ]------------<br /> [ 1.226962] WARNING: CPU: 1 PID: 1 at arch/x86/mm/ioremap.c:200 __ioremap_caller.cold+0x43/0x5f<br /> [ 1.226996] Modules linked in:<br /> [ 1.227016] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc3+ #490<br /> [ 1.227029] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013<br /> [ 1.227038] RIP: 0010:__ioremap_caller.cold+0x43/0x5f<br /> [ 1.227054] Code: 96 00 00 e9 f8 af 24 ff 89 c6 48 c7 c7 d8 0c 84 99 e8 6a 96 00 00 e9 76 af 24 ff 48 89 fe 48 c7 c7 a8 0c 84 99 e8 56 96 00 00 0b e9 60 af 24 ff 48 8b 34 24 48 c7 c7 40 0d 84 99 e8 3f 96 00<br /> [ 1.227067] RSP: 0000:ffffb18c40033d60 EFLAGS: 00010286<br /> [ 1.227084] RAX: 0000000000000032 RBX: 3001000000000000 RCX: 0000000000000000<br /> [ 1.227095] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff<br /> [ 1.227105] RBP: 3001000000000000 R08: 0000000000000000 R09: ffffb18c40033c18<br /> [ 1.227115] R10: 0000000000000003 R11: ffffffff99d62fe8 R12: 0000000000000008<br /> [ 1.227124] R13: 0003001000000000 R14: 0000000000001000 R15: 3001000000000000<br /> [ 1.227135] FS: 0000000000000000(0000) GS:ffff913a3c080000(0000) knlGS:0000000000000000<br /> [ 1.227146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 1.227156] CR2: 0000000000000000 CR3: 0000000018c26000 CR4: 00000000000006e0<br /> [ 1.227167] Call Trace:<br /> [ 1.227176] <br /> [ 1.227185] ? acpi_os_map_iomem+0x1c9/0x1e0<br /> [ 1.227215] ? kmem_cache_alloc_trace+0x187/0x370<br /> [ 1.227254] acpi_os_map_iomem+0x1c9/0x1e0<br /> [ 1.227288] acpi_init_fpdt+0xa8/0x253<br /> [ 1.227308] ? acpi_debugfs_init+0x1f/0x1f<br /> [ 1.227339] do_one_initcall+0x5a/0x300<br /> [ 1.227406] ? rcu_read_lock_sched_held+0x3f/0x80<br /> [ 1.227442] kernel_init_freeable+0x28b/0x2cc<br /> [ 1.227512] ? rest_init+0x170/0x170<br /> [ 1.227538] kernel_init+0x16/0x140<br /> [ 1.227552] ret_from_fork+0x1f/0x30<br /> [ 1.227639] <br /> [ 1.227647] irq event stamp: 186819<br /> [ 1.227656] hardirqs last enabled at (186825): [] __up_console_sem+0x5e/0x70<br /> [ 1.227672] hardirqs last disabled at (186830): [] __up_console_sem+0x43/0x70<br /> [ 1.227686] softirqs last enabled at (186576): [] __irq_exit_rcu+0xed/0x160<br /> [ 1.227701] softirqs last disabled at (186569): [] __irq_exit_rcu+0xed/0x160<br /> [ 1.227715] ---[ end trace 0000000000000000 ]---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix order &gt;= MAX_ORDER warning due to crafted negative i_size<br /> <br /> As syzbot reported [1], the root cause is that i_size field is a<br /> signed type, and negative i_size is also less than EROFS_BLKSIZ.<br /> As a consequence, it&amp;#39;s handled as fast symlink unexpectedly.<br /> <br /> Let&amp;#39;s fall back to the generic path to deal with such unusual i_size.<br /> <br /> [1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nbd: Fix hung when signal interrupts nbd_start_device_ioctl()<br /> <br /> syzbot reported hung task [1]. The following program is a simplified<br /> version of the reproducer:<br /> <br /> int main(void)<br /> {<br /> int sv[2], fd;<br /> <br /> if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS<br /> <br /> UBSAN complains about array-index-out-of-bounds:<br /> [ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41<br /> [ 1.980709] kernel: index 15 is out of range for type &amp;#39;ahci_em_priv [8]&amp;#39;<br /> [ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu<br /> [ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010<br /> [ 1.980718] kernel: Call Trace:<br /> [ 1.980721] kernel: <br /> [ 1.980723] kernel: show_stack+0x52/0x58<br /> [ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f<br /> [ 1.980734] kernel: dump_stack+0x10/0x12<br /> [ 1.980736] kernel: ubsan_epilogue+0x9/0x45<br /> [ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49<br /> [ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]<br /> [ 1.980748] kernel: ata_qc_issue+0x135/0x240<br /> [ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580<br /> [ 1.980754] kernel: ? vprintk_default+0x1d/0x20<br /> [ 1.980759] kernel: ata_exec_internal+0x67/0xa0<br /> [ 1.980762] kernel: sata_pmp_read+0x8d/0xc0<br /> [ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90<br /> [ 1.980768] kernel: sata_pmp_attach+0x8b/0x310<br /> [ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0<br /> [ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30<br /> [ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]<br /> [ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]<br /> [ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]<br /> [ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0<br /> [ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560<br /> [ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40<br /> [ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]<br /> [ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600<br /> [ 1.980810] kernel: ata_scsi_error+0x9c/0xd0<br /> [ 1.980813] kernel: scsi_error_handler+0xa1/0x180<br /> [ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0<br /> [ 1.980820] kernel: kthread+0x12a/0x150<br /> [ 1.980823] kernel: ? set_kthread_struct+0x50/0x50<br /> [ 1.980826] kernel: ret_from_fork+0x22/0x30<br /> [ 1.980831] kernel: <br /> <br /> This happens because sata_pmp_init_links() initialize link-&gt;pmp up to<br /> SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.<br /> <br /> I can&amp;#39;t find the maximum Enclosure Management ports specified in AHCI<br /> spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier<br /> Information" can utilize 4 bits, which implies it can support up to 16<br /> ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the<br /> issue.<br /> <br /> BugLink: https://bugs.launchpad.net/bugs/1970074

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> orangefs: Fix kmemleak in orangefs_sysfs_init()<br /> <br /> When insert and remove the orangefs module, there are kobjects memory<br /> leaked as below:<br /> <br /> unreferenced object 0xffff88810f95af00 (size 64):<br /> comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)<br /> hex dump (first 32 bytes):<br /> a0 83 af 01 81 88 ff ff 08 af 95 0f 81 88 ff ff ................<br /> 08 af 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_sysfs_init+0x42/0x3a0<br /> [] 0xffffffffa02780fe<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> unreferenced object 0xffff88810f95ae80 (size 64):<br /> comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)<br /> hex dump (first 32 bytes):<br /> c8 90 0f 02 81 88 ff ff 88 ae 95 0f 81 88 ff ff ................<br /> 88 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_sysfs_init+0xc7/0x3a0<br /> [] 0xffffffffa02780fe<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> unreferenced object 0xffff88810f95ae00 (size 64):<br /> comm "insmod", pid 783, jiffies 4294813440 (age 65.511s)<br /> hex dump (first 32 bytes):<br /> 60 87 a1 00 81 88 ff ff 08 ae 95 0f 81 88 ff ff `...............<br /> 08 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_sysfs_init+0x12b/0x3a0<br /> [] 0xffffffffa02780fe<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> unreferenced object 0xffff88810f95ad80 (size 64):<br /> comm "insmod", pid 783, jiffies 4294813440 (age 65.511s)<br /> hex dump (first 32 bytes):<br /> 78 90 0f 02 81 88 ff ff 88 ad 95 0f 81 88 ff ff x...............<br /> 88 ad 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_sysfs_init+0x1ac/0x3a0<br /> [] 0xffffffffa02780fe<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> unreferenced object 0xffff88810f95ac00 (size 64):<br /> comm "insmod", pid 783, jiffies 4294813440 (age 65.531s)<br /> hex dump (first 32 bytes):<br /> e0 ff 67 02 81 88 ff ff 08 ac 95 0f 81 88 ff ff ..g.............<br /> 08 ac 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_sysfs_init+0x291/0x3a0<br /> [] 0xffffffffa02780fe<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/<br /> ---truncated---