CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2021-47343 – dm btree remove: assign new_root only when removal succeeds
https://notcve.org/view.php?id=CVE-2021-47343
In the Linux kernel, the following vulnerability has been resolved: dm btree remove: assign new_root only when removal succeeds remove_raw() in dm_btree_remove() may fail due to IO read error (e.g. read the content of origin block fails during shadowing), and the value of shadow_spine::root is uninitialized, but the uninitialized value is still assign to new_root in the end of dm_btree_remove(). For dm-thin, the value of pmd->details_root or pmd->root will become an uninitialized value, so if trying to read details_info tree again out-of-bound memory may occur as showed below: general protection fault, probably for non-canonical address 0x3fdcb14c8d7520 CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6 Hardware name: QEMU Standard PC RIP: 0010:metadata_ll_load_ie+0x14/0x30 Call Trace: sm_metadata_count_is_more_than_one+0xb9/0xe0 dm_tm_shadow_block+0x52/0x1c0 shadow_step+0x59/0xf0 remove_raw+0xb2/0x170 dm_btree_remove+0xf4/0x1c0 dm_pool_delete_thin_device+0xc3/0x140 pool_message+0x218/0x2b0 target_message+0x251/0x290 ctl_ioctl+0x1c4/0x4d0 dm_ctl_ioctl+0xe/0x20 __x64_sys_ioctl+0x7b/0xb0 do_syscall_64+0x40/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixing it by only assign new_root when removal succeeds En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm btree remove: asigna new_root solo cuando la eliminación se realiza correctamente. remove_raw() en dm_btree_remove() puede fallar debido a un error de lectura de E/S (por ejemplo, la lectura del contenido del bloque de origen falla durante el sombreado), y el valor de shadow_spine::root no está inicializado, pero el valor no inicializado aún se asigna a new_root al final de dm_btree_remove(). Para dm-thin, el valor de pmd->details_root o pmd->root se convertirá en un valor no inicializado, por lo que si intenta leer el árbol de detalles_info nuevamente, puede ocurrir que la memoria esté fuera de los límites, como se muestra a continuación: falla de protección general, probablemente para no usuarios. -dirección canónica 0x3fdcb14c8d7520 CPU: 4 PID: 515 Comm: dmsetup No contaminado 5.13.0-rc6 Nombre de hardware: QEMU PC estándar RIP: 0010:metadata_ll_load_ie+0x14/0x30 Seguimiento de llamadas: sm_metadata_count_is_more_than_one+0xb9/0xe0 m_shadow_block+0x52/0x1c0 sombra_paso+ 0x59/0xf0 remove_raw+0xb2/0x170 dm_btree_remove+0xf4/0x1c0 dm_pool_delete_thin_device+0xc3/0x140 pool_message+0x218/0x2b0 target_message+0x251/0x290 ctl_ioctl+0x1c4/0x4d0 _ctl_ioctl+0xe/0x20 __x64_sys_ioctl+0x7b/0xb0 do_syscall_64+0x40/0xb0 entrada_SYSCALL_64_after_hwframe+ 0x44/0xae Se soluciona asignando new_root únicamente cuando la eliminación se realiza correctamente • https://git.kernel.org/stable/c/4c84b3e0728ffe10d89c633694c35a02b5c477dc https://git.kernel.org/stable/c/c154775619186781aaf8a99333ac07437a1768d5 https://git.kernel.org/stable/c/73f27adaa73e3057a9ec464e33c4f54d34ea5de3 https://git.kernel.org/stable/c/8fbae4a1bdb5b889490cdee929e68540151536e5 https://git.kernel.org/stable/c/964d57d1962d7e68f0f578f05d9ae4a104d74851 https://git.kernel.org/stable/c/ba47e65a5de3e0e8270301a409fc63d3129fdb9e https://git.kernel.org/stable/c/89bf942314b78d454db92427201421b5dec132d9 https://git.kernel.org/stable/c/ad365e9351ac2b450e7e79932ff6abf59 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47342 – ext4: fix possible UAF when remounting r/o a mmp-protected file system
https://notcve.org/view.php?id=CVE-2021-47342
In the Linux kernel, the following vulnerability has been resolved: ext4: fix possible UAF when remounting r/o a mmp-protected file system After commit 618f003199c6 ("ext4: fix memory leak in ext4_fill_super"), after the file system is remounted read-only, there is a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to point at freed memory, which the call to ext4_stop_mmpd() can trip over. Fix this by only allowing kmmpd() to exit when it is stopped via ext4_stop_mmpd(). Bug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com> En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: corrige posible UAF al remontar el sistema de archivos protegido por r/oa mmp. Después del commit 618f003199c6 ("ext4: corrige la pérdida de memoria en ext4_fill_super"), después de que se vuelve a montar el sistema de archivos solo que hay una ejecución donde el hilo kmmpd puede salir, causando que sbi->s_mmp_tsk apunte a la memoria liberada, con la que la llamada a ext4_stop_mmpd() puede tropezar. Solucione este problema permitiendo que kmmpd() salga solo cuando se detiene a través de ext4_stop_mmpd(). Enlace de informe de error: <20210629143603.2166962-1-yebin10@huawei.com> • https://git.kernel.org/stable/c/b663890d854403e566169f7e90aed5cd6ff64f6b https://git.kernel.org/stable/c/7ed572cdf11081f8f9e07abd4bea56a3f2c4edbd https://git.kernel.org/stable/c/61bb4a1c417e5b95d9edb4f887f131de32e419cb •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2021-47340 – jfs: fix GPF in diFree
https://notcve.org/view.php?id=CVE-2021-47340
In the Linux kernel, the following vulnerability has been resolved: jfs: fix GPF in diFree Avoid passing inode with JFS_SBI(inode->i_sb)->ipimap == NULL to diFree()[1]. GFP will appear: struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap; struct inomap *imap = JFS_IP(ipimap)->i_imap; JFS_IP() will return invalid pointer when ipimap == NULL Call Trace: diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1] jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154 evict+0x2ed/0x750 fs/inode.c:578 iput_final fs/inode.c:1654 [inline] iput.part.0+0x3fe/0x820 fs/inode.c:1680 iput+0x58/0x70 fs/inode.c:1670 En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: jfs: corrige GPF en diFree. Evite pasar el inodo con JFS_SBI(inode->i_sb)->ipimap == NULL a diFree()[1]. Aparecerá GFP: struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap; estructura inomap *imap = JFS_IP(ipimap)->i_imap; JFS_IP() devolverá un puntero no válido cuando ipimap == NULL Seguimiento de llamadas: diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1] jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154 evict+0x2ed/ 0x750 fs/inode.c:578 iput_final fs/inode.c:1654 [en línea] iput.part.0+0x3fe/0x820 fs/inode.c:1680 iput+0x58/0x70 fs/inode.c:1670 • https://git.kernel.org/stable/c/7bde24bde490f3139eee147efc6d60d6040fe975 https://git.kernel.org/stable/c/745c9a59422c63f661f4374ed5181740db4130a1 https://git.kernel.org/stable/c/49def1b0644892e3b113673c13d650c3060b43bc https://git.kernel.org/stable/c/aff8d95b69051d0cf4acc3d91f22299fdbb9dfb3 https://git.kernel.org/stable/c/a21e5cb1a64c904f1f0ef7b2d386fc7d2b1d2ce2 https://git.kernel.org/stable/c/8018936950360f1c503bb385e158cfc5e4945d18 https://git.kernel.org/stable/c/3bb27e27240289b47d3466f647a55c567adbdc3a https://git.kernel.org/stable/c/42f102ea1943ecb10a0756bf75424de5d •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47339 – media: v4l2-core: explicitly clear ioctl input data
https://notcve.org/view.php?id=CVE-2021-47339
In the Linux kernel, the following vulnerability has been resolved: media: v4l2-core: explicitly clear ioctl input data As seen from a recent syzbot bug report, mistakes in the compat ioctl implementation can lead to uninitialized kernel stack data getting used as input for driver ioctl handlers. The reported bug is now fixed, but it's possible that other related bugs are still present or get added in the future. As the drivers need to check user input already, the possible impact is fairly low, but it might still cause an information leak. To be on the safe side, always clear the entire ioctl buffer before calling the conversion handler functions that are meant to initialize them. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: v4l2-core: borrar explícitamente los datos de entrada de ioctl. Como se ve en un informe de error reciente de syzbot, los errores en la implementación de compat ioctl pueden llevar a que los datos de la pila del kernel no inicializados se utilicen como entrada para controladores de ioctl del conductor. El error informado ya está solucionado, pero es posible que otros errores relacionados sigan presentes o se agreguen en el futuro. • https://git.kernel.org/stable/c/dc02c0b2bd6096f2f3ce63e1fc317aeda05f74d8 https://git.kernel.org/stable/c/bfb48b54db25c3b4ef4bef5e0691464ebc4aa335 https://git.kernel.org/stable/c/7b53cca764f9b291b7907fcd39d9e66ad728ee0b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47336 – smackfs: restrict bytes count in smk_set_cipso()
https://notcve.org/view.php?id=CVE-2021-47336
In the Linux kernel, the following vulnerability has been resolved: smackfs: restrict bytes count in smk_set_cipso() Oops, I failed to update subject line. From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 Date: Mon, 12 Apr 2021 22:25:06 +0900 Subject: [PATCH] smackfs: restrict bytes count in smk_set_cipso() Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write functions") missed that count > SMK_CIPSOMAX check applies to only format == SMK_FIXED24_FMT case. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: smackfs: restringir el recuento de bytes en smk_set_cipso() Oops, no pude actualizar la línea de asunto. De 07571157c91b98ce1a4aa70967531e64b78e8346 lunes 17 de septiembre 00:00:00 2001 Fecha: lunes 12 de abril de 2021 22:25:06 +0900 Asunto: [PATCH] smackfs: restringir el recuento de bytes en smk_set_cipso() Confirmación 7ef4c1 9d245f3dc2 ("smackfs: restringir el recuento de bytes en smackfs funciones de escritura") perdió ese recuento > La verificación SMK_CIPSOMAX se aplica solo al formato == caso SMK_FIXED24_FMT. • https://git.kernel.org/stable/c/5f9880403e6b71d56924748ba331daf836243fca https://git.kernel.org/stable/c/5c2dca9a7a7ff6a2df34158903515e2e4fd3d2b2 https://git.kernel.org/stable/c/cbd87ba6a13891acf6180783f8234a8b7a3e3d4d https://git.kernel.org/stable/c/135122f174c357b7a3e58f40fa5792156c5e93e6 https://git.kernel.org/stable/c/3780348c1a0e14ffefcaf1fc521f815bcaac94b0 https://git.kernel.org/stable/c/8f5c773a2871cf446e3f36b2834fb25bbb28512b https://git.kernel.org/stable/c/258fd821f69378453c071b9dd767b298810fc766 https://git.kernel.org/stable/c/49ec114a6e62d8d320037ce71c1aaf965 •