Page 109 of 2817 results (0.020 seconds)

CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs:zoned: corrige el use-after-free debido a la ejecución con el reemplazo de desarrollo. Mientras cargamos la información de una zona durante la creación de un grupo de bloques, podemos ejecutar una operación de reemplazo de dispositivo y luego activar un use-after-free en el dispositivo que acaba de ser reemplazado (dispositivo fuente de la operación de reemplazo). Esto sucede porque en btrfs_load_zone_info() extraemos un dispositivo del mapa de fragmentos en una variable local y luego usamos el dispositivo mientras no está bajo la protección del dispositivo y reemplazamos rwsem. • https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43 https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6 https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752 https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9 • CWE-416: Use After Free •

CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". • https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201 https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83 https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9 https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445 https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce • CWE-416: Use After Free •

CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ima: corrige el use-after-free en dentry dname.name ->d_name.name puede cambiar al cambiar el nombre y el valor anterior se puede liberar; existen condiciones suficientes para estabilizarlo (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusivo en el inodo del padre, rename_lock), pero ninguna de ellas se cumple en ninguno de los sitios. En su lugar, tome una instantánea estable del nombre. • https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4 https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de • CWE-416: Use After Free •

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mmc: davinci: no eliminar la función de eliminación cuando el controlador está integrado. El uso de __exit para la función de eliminación hace que la devolución de llamada de eliminación se descarte con CONFIG_MMC_DAVINCI=y. • https://git.kernel.org/stable/c/b4cff4549b7a8c5fc8b88e3493b6287555f0512c https://git.kernel.org/stable/c/6ff7cfa02baabec907f6f29ea76634e6256d2ec4 https://git.kernel.org/stable/c/aea35157bb9b825faa0432bd0f7fbea37ff39aa1 https://git.kernel.org/stable/c/5ee241f72edc6dce5051a5f100eab6cc019d873e https://git.kernel.org/stable/c/7590da4c04dd4aa9c262da0231e978263861c6eb https://git.kernel.org/stable/c/1d5ed0efe51d36b9ae9b64f133bf41cdbf56f584 https://git.kernel.org/stable/c/55c421b364482b61c4c45313a535e61ed5ae4ea3 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set. Previously, the struct had a fixed-length array of size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized iterators, which causes UBSAN to complain. This patch uses the same approach as in bcachefs's sort_iter and splits the iterator into a btree_iter with a flexible array member and a btree_iter_stack which embeds a btree_iter as well as a fixed-length data array. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bcache: corrige el abuso de matriz de longitud variable en btree_iter btree_iter se usa de dos maneras: ya sea asignado en la pila con un tamaño fijo MAX_BSETS, o desde un mempool con un tamaño dinámico basado en el conjunto de caché específico. Anteriormente, la estructura tenía una matriz de longitud fija de tamaño MAX_BSETS que estaba indexada fuera de los límites para los iteradores de tamaño dinámico, lo que provoca que UBSAN se queje. Este parche utiliza el mismo enfoque que en sort_iter de bcachefs y divide el iterador en un btree_iter con un miembro de matriz flexible y un btree_iter_stack que incorpora un btree_iter así como una matriz de datos de longitud fija. • https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023 https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02 https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148 https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671 https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31 • CWE-770: Allocation of Resources Without Limits or Throttling •