CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47542 – net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
https://notcve.org/view.php?id=CVE-2021-47542
In the Linux kernel, the following vulnerability has been resolved: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() In qlcnic_83xx_add_rings(), the indirect function of ahw->hw_ops->alloc_mbx_args will be called to allocate memory for cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(), which could lead to a NULL pointer dereference on failure of the indirect function like qlcnic_83xx_alloc_mbx_args(). Fix this bug by adding a check of alloc_mbx_args(), this patch imitates the logic of mbx_cmd()'s failure handling. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_QLCNIC=m show no new warnings, and our static analyzer no longer warns about this code. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: qlogic: qlcnic: corrigió una desreferencia de puntero NULL en qlcnic_83xx_add_rings() En qlcnic_83xx_add_rings(), se llamará a la función indirecta de ahw->hw_ops->alloc_mbx_args para asignar memoria para cmd.req.arg, y hay una desreferencia del mismo en qlcnic_83xx_add_rings(), lo que podría llevar a una desreferencia del puntero NULL en caso de falla de la función indirecta como qlcnic_83xx_alloc_mbx_args(). Corrija este error agregando una verificación de alloc_mbx_args(); este parche imita la lógica del manejo de fallas de mbx_cmd(). • https://git.kernel.org/stable/c/7f9664525f9cb507de9198a395a111371413f230 https://git.kernel.org/stable/c/3a061d54e260b701b538873b43e399d9b8b83e03 https://git.kernel.org/stable/c/b4f217d6fcc00c3fdc0921a7691f30be7490b073 https://git.kernel.org/stable/c/550658a2d61e4eaf522c8ebc7fad76dc376bfb45 https://git.kernel.org/stable/c/57af54a56024435d83e44c78449513b414eb6edf https://git.kernel.org/stable/c/bbeb0325a7460ebf1e03f5e0bfc5c652fba9519f https://git.kernel.org/stable/c/15fa12c119f869173f9b710cbe6a4a14071d2105 https://git.kernel.org/stable/c/c5ef33c1489b2cd74368057fa00b5d218 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47541 – net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
https://notcve.org/view.php?id=CVE-2021-47541
In the Linux kernel, the following vulnerability has been resolved: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv(). After that mlx4_en_alloc_resources() is called and there is a dereference of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to a use after free problem on failure of mlx4_en_copy_priv(). Fix this bug by adding a check of mlx4_en_copy_priv() This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_MLX4_EN=m show no new warnings, and our static analyzer no longer warns about this code. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx4_en: corrige un error de use-after-free en mlx4_en_try_alloc_resources() En mlx4_en_try_alloc_resources(), se llama a mlx4_en_copy_priv() y se liberará tmp->tx_cq en la ruta del error de mlx4_en_copy_priv(). Después de eso, se llama a mlx4_en_alloc_resources() y hay una desreferencia de &tmp->tx_cq[t][i] en mlx4_en_alloc_resources(), lo que podría llevar a un problema de use-after-free si falla mlx4_en_copy_priv(). • https://git.kernel.org/stable/c/ec25bc04ed8e12947738468cbe2191f1529f9e39 https://git.kernel.org/stable/c/be12572c5ddc8ad7453bada4eec8fa46967dc757 https://git.kernel.org/stable/c/676dc7d9b15bf8733233a2db1ec3f9091ab34275 https://git.kernel.org/stable/c/e461a9816a1ac5b4aeb61621b817225b61e46a68 https://git.kernel.org/stable/c/f1d43efa59f1edd3e7eca0e94559b4c6b1cd4e2b https://git.kernel.org/stable/c/75917372eef0dbfb290ae45474314d35f97aea18 https://git.kernel.org/stable/c/addad7643142f500080417dd7272f49b7a185570 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47523 – IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr
https://notcve.org/view.php?id=CVE-2021-47523
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr This buffer is currently allocated in hfi1_init(): if (reinit) ret = init_after_reset(dd); else ret = loadtime_init(dd); if (ret) goto done; /* allocate dummy tail memory for all receive contexts */ dd->rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&dd->pcidev->dev, sizeof(u64), &dd->rcvhdrtail_dummy_dma, GFP_KERNEL); if (!dd->rcvhdrtail_dummy_kvaddr) { dd_dev_err(dd, "cannot allocate dummy tail memory\n"); ret = -ENOMEM; goto done; } The reinit triggered path will overwrite the old allocation and leak it. Fix by moving the allocation to hfi1_alloc_devdata() and the deallocation to hfi1_free_devdata(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/hfi1: Corrección de fuga de rcvhdrtail_dummy_kvaddr. Este búfer está actualmente asignado en hfi1_init(): if (reinit) ret = init_after_reset(dd); de lo contrario ret = loadtime_init(dd); si (ret) ir a hecho; /* asigna memoria de cola ficticia para todos los contextos de recepción */ dd->rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&dd->pcidev->dev, sizeof(u64), &dd->rcvhdrtail_dummy_dma, GFP_KERNEL); if (!dd->rcvhdrtail_dummy_kvaddr) { dd_dev_err(dd, "no se puede asignar memoria de cola ficticia\n"); ret = -ENOMEM; ir a hacer; } La ruta activada por reinicio sobrescribirá la asignación anterior y la filtrará. • https://git.kernel.org/stable/c/46b010d3eeb8eb29c740c4ef09c666485f5c07e6 https://git.kernel.org/stable/c/2c08271f4ed0e24633b3f81ceff61052b9d45efc https://git.kernel.org/stable/c/834d0fb978643eaf09da425de197cc16a7c2761b https://git.kernel.org/stable/c/60a8b5a1611b4a26de4839ab9c1fc2a9cf3e17c1 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47522 – HID: bigbenff: prevent null pointer dereference
https://notcve.org/view.php?id=CVE-2021-47522
In the Linux kernel, the following vulnerability has been resolved: HID: bigbenff: prevent null pointer dereference When emulating the device through uhid, there is a chance we don't have output reports and so report_field is null. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: bigbenff: evita la desreferencia del puntero nulo Al emular el dispositivo a través de uhid, existe la posibilidad de que no tengamos informes de salida y, por lo tanto, report_field sea nulo. • https://git.kernel.org/stable/c/8e0ceff632f48175ec7fb4706129c55ca8a7c7bd https://git.kernel.org/stable/c/6272b17001e6fdcf7b4a16206287010a1523fa6e https://git.kernel.org/stable/c/58f15f5ae7786c824868f3a7e093859b74669ce7 https://git.kernel.org/stable/c/918aa1ef104d286d16b9e7ef139a463ac7a296f0 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47521 – can: sja1000: fix use after free in ems_pcmcia_add_card()
https://notcve.org/view.php?id=CVE-2021-47521
In the Linux kernel, the following vulnerability has been resolved: can: sja1000: fix use after free in ems_pcmcia_add_card() If the last channel is not available then "dev" is freed. Fortunately, we can just use "pdev->irq" instead. Also we should check if at least one channel was set up. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: sja1000: arreglar el use after free en ems_pcmcia_add_card() Si el último canal no está disponible entonces se libera "dev". Afortunadamente, podemos usar "pdev->irq" en su lugar. También debemos comprobar si se configuró al menos un canal. • https://git.kernel.org/stable/c/fd734c6f25aea4b2b44b045e489aec67b388577e https://git.kernel.org/stable/c/cbd86110546f7f730a1f5d7de56c944a336c15c4 https://git.kernel.org/stable/c/1dd5b819f7e406dc15bbc7670596ff25261aaa2a https://git.kernel.org/stable/c/c8718026ba287168ff9ad0ccc4f9a413062cba36 https://git.kernel.org/stable/c/ccf070183e4655824936c0f96c4a2bcca93419aa https://git.kernel.org/stable/c/1a295fea90e1acbe80c6d4940f5ff856edcd6bec https://git.kernel.org/stable/c/923f4dc5df679f678e121c20bf2fd70f7bf3e288 https://git.kernel.org/stable/c/474f9a8534f5f89841240a7e978bafd6e • CWE-416: Use After Free •