Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()<br /> <br /> In mtk_mdp_probe(), vpu_get_plat_device() increases the reference<br /> count of the returned platform device. Add platform_device_put()<br /> to prevent reference leak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ring-buffer: Fix possible dereference of uninitialized pointer<br /> <br /> There is a pointer head_page in rb_meta_validate_events() which is not<br /> initialized at the beginning of a function. This pointer can be dereferenced<br /> if there is a failure during reader page validation. In this case the control<br /> is passed to "invalid" label where the pointer is dereferenced in a loop.<br /> <br /> To fix the issue initialize orig_head and head_page before calling<br /> rb_validate_buffer.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: supply snapshot context in ceph_zero_partial_object()<br /> <br /> The ceph_zero_partial_object function was missing proper snapshot<br /> context for its OSD write operations, which could lead to data<br /> inconsistencies in snapshots.<br /> <br /> Reproducer:<br /> ../src/vstart.sh --new -x --localhost --bluestore<br /> ./bin/ceph auth caps client.fs_a mds &amp;#39;allow rwps fsname=a&amp;#39; mon &amp;#39;allow r fsname=a&amp;#39; osd &amp;#39;allow rw tag cephfs data=a&amp;#39;<br /> mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf<br /> dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1<br /> mkdir /mnt/mycephfs/.snap/snap1<br /> md5sum /mnt/mycephfs/.snap/snap1/foo<br /> fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo<br /> echo 3 &gt; /proc/sys/vm/drop/caches<br /> md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: chips-media: wave5: Fix Null reference while testing fluster<br /> <br /> When multi instances are created/destroyed, many interrupts happens<br /> and structures for decoder are removed.<br /> "struct vpu_instance" this structure is shared for all flow in the decoder,<br /> so if the structure is not protected by lock, Null dereference<br /> could happens sometimes.<br /> IRQ Handler was spilt to two phases and Lock was added as well.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: of: display_timing: fix refcount leak in of_get_display_timings()<br /> <br /> of_parse_phandle() returns a device_node with refcount incremented,<br /> which is stored in &amp;#39;entry&amp;#39; and then copied to &amp;#39;native_mode&amp;#39;. When the<br /> error paths at lines 184 or 192 jump to &amp;#39;entryfail&amp;#39;, native_mode&amp;#39;s<br /> refcount is not decremented, causing a refcount leak.<br /> <br /> Fix this by changing the goto target from &amp;#39;entryfail&amp;#39; to &amp;#39;timingfail&amp;#39;,<br /> which properly calls of_node_put(native_mode) before cleanup.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()<br /> <br /> Ignore -EBUSY when checking nested events after exiting a blocking state<br /> while L2 is active, as exiting to userspace will generate a spurious<br /> userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM&amp;#39;s<br /> demise. Continuing with the wakeup isn&amp;#39;t perfect either, as *something*<br /> has gone sideways if a vCPU is awakened in L2 with an injected event (or<br /> worse, a nested run pending), but continuing on gives the VM a decent<br /> chance of surviving without any major side effects.<br /> <br /> As explained in the Fixes commits, it _should_ be impossible for a vCPU to<br /> be put into a blocking state with an already-injected event (exception,<br /> IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected<br /> events, and thus put the vCPU into what should be an impossible state.<br /> <br /> Don&amp;#39;t bother trying to preserve the WARN, e.g. with an anti-syzkaller<br /> Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be<br /> violating x86 architecture, e.g. by WARNing if KVM attempts to inject an<br /> exception or interrupt while the vCPU isn&amp;#39;t running.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: Add support for TSV110 Spectre-BHB mitigation<br /> <br /> The TSV110 processor is vulnerable to the Spectre-BHB (Branch History<br /> Buffer) attack, which can be exploited to leak information through<br /> branch prediction side channels. This commit adds the MIDR of TSV110<br /> to the list for software mitigation.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: fiemap page fault fix<br /> <br /> In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode<br /> glock. This can lead to recursive glock taking if the fiemap buffer is<br /> memory mapped to the same inode and accessing it triggers a page fault.<br /> <br /> Fix by disabling page faults for iomap_fiemap() and faulting in the<br /> buffer by hand if necessary.<br /> <br /> Fixes xfstest generic/742.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> EFI/CPER: don&amp;#39;t go past the ARM processor CPER record buffer<br /> <br /> There&amp;#39;s a logic inside GHES/CPER to detect if the section_length<br /> is too small, but it doesn&amp;#39;t detect if it is too big.<br /> <br /> Currently, if the firmware receives an ARM processor CPER record<br /> stating that a section length is big, kernel will blindly trust<br /> section_length, producing a very long dump. For instance, a 67<br /> bytes record with ERR_INFO_NUM set 46198 and section length<br /> set to 854918320 would dump a lot of data going a way past the<br /> firmware memory-mapped area.<br /> <br /> Fix it by adding a logic to prevent it to go past the buffer<br /> if ERR_INFO_NUM is too big, making it report instead:<br /> <br /> [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1<br /> [Hardware Error]: event severity: recoverable<br /> [Hardware Error]: Error 0, type: recoverable<br /> [Hardware Error]: section_type: ARM processor error<br /> [Hardware Error]: MIDR: 0xff304b2f8476870a<br /> [Hardware Error]: section length: 854918320, CPER size: 67<br /> [Hardware Error]: section length is too big<br /> [Hardware Error]: firmware-generated error record is incorrect<br /> [Hardware Error]: ERR_INFO_NUM is 46198<br /> <br /> [ rjw: Subject and changelog tweaks ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfsplus: pretend special inodes as regular files<br /> <br /> Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()")<br /> requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/<br /> S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: fix potential zero beacon interval in beacon tracking<br /> <br /> During fuzz testing, it was discovered that bss_conf-&gt;beacon_int<br /> might be zero, which could result in a division by zero error in<br /> subsequent calculations. Set a default value of 100 TU if the<br /> interval is zero to ensure stability.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: libertas: fix WARNING in usb_tx_block<br /> <br /> The function usb_tx_block() submits cardp-&gt;tx_urb without ensuring that<br /> any previous transmission on this URB has completed. If a second call<br /> occurs while the URB is still active (e.g. during rapid firmware loading),<br /> usb_submit_urb() detects the active state and triggers a warning:<br /> &amp;#39;URB submitted while active&amp;#39;.<br /> <br /> Fix this by enforcing serialization: call usb_kill_urb() before<br /> submitting the new request. This ensures the URB is idle and safe to reuse.