CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47504 – io_uring: ensure task_work gets run as part of cancelations
https://notcve.org/view.php?id=CVE-2021-47504
In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure task_work gets run as part of cancelations If we successfully cancel a work item but that work item needs to be processed through task_work, then we can be sleeping uninterruptibly in io_uring_cancel_generic() and never process it. Hence we don't make forward progress and we end up with an uninterruptible sleep warning. While in there, correct a comment that should be IFF, not IIF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: garantiza que task_work se ejecute como parte de las cancelaciones. Si cancelamos con éxito un elemento de trabajo pero ese elemento de trabajo debe procesarse a través de task_work, entonces podemos estar durmiendo ininterrumpidamente en io_uring_cancel_generic() y nunca procesarlo. Por lo tanto, no avanzamos y terminamos con un aviso de sueño ininterrumpido. • https://git.kernel.org/stable/c/8e12976c0c19ebc14b60046b1348c516a74c25a2 https://git.kernel.org/stable/c/78a780602075d8b00c98070fa26e389b3b3efa72 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47501 – i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc
https://notcve.org/view.php?id=CVE-2021-47501
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc When trying to dump VFs VSI RX/TX descriptors using debugfs there was a crash due to NULL pointer dereference in i40e_dbg_dump_desc. Added a check to i40e_dbg_dump_desc that checks if VSI type is correct for dumping RX/TX descriptors. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i40e: Se corrigió la desreferencia del puntero NULL en i40e_dbg_dump_desc Al intentar volcar los descriptores VF VSI RX/TX usando debugfs, se produjo un bloqueo debido a la desreferencia del puntero NULL en i40e_dbg_dump_desc. Se agregó una verificación a i40e_dbg_dump_desc que verifica si el tipo de VSI es correcto para volcar descriptores RX/TX. • https://git.kernel.org/stable/c/02e9c290814cc143ceccecb14eac3e7a05da745e https://git.kernel.org/stable/c/e5b7fb2198abc50058f1a29c395b004f76ab1c83 https://git.kernel.org/stable/c/16431e442db248ecd8aa9457cf0a656f1885f56e https://git.kernel.org/stable/c/23ec111bf3549aae37140330c31a16abfc172421 https://access.redhat.com/security/cve/CVE-2021-47501 https://bugzilla.redhat.com/show_bug.cgi?id=2283453 • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47500 – iio: mma8452: Fix trigger reference couting
https://notcve.org/view.php?id=CVE-2021-47500
In the Linux kernel, the following vulnerability has been resolved: iio: mma8452: Fix trigger reference couting The mma8452 driver directly assigns a trigger to the struct iio_dev. The IIO core when done using this trigger will call `iio_trigger_put()` to drop the reference count by 1. Without the matching `iio_trigger_get()` in the driver the reference count can reach 0 too early, the trigger gets freed while still in use and a use-after-free occurs. Fix this by getting a reference to the trigger before assigning it to the IIO device. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iio: mma8452: corrección del cálculo de referencia del disparador El controlador mma8452 asigna directamente un disparador a la estructura iio_dev. El núcleo de IIO, cuando termine de usar este activador, llamará a `iio_trigger_put()` para reducir el recuento de referencias en 1. Sin el `iio_trigger_get()` coincidente en el controlador, el recuento de referencias puede llegar a 0 demasiado pronto, el activador se libera mientras aún está en se produce un uso y un use-after-free. • https://git.kernel.org/stable/c/ae6d9ce05691bf79694074db7c7da980080548af https://git.kernel.org/stable/c/094d513b78b1714113bc016684b8142382e071ba https://git.kernel.org/stable/c/fb75cc4740d81264cd5bcb0e17d961d018a8be96 https://git.kernel.org/stable/c/794c0898f6bf39a458655d5fb4af70ec43a5cfcb https://git.kernel.org/stable/c/f5deab10ced368c807866283f8b79144c4823be8 https://git.kernel.org/stable/c/acf0088ac073ca6e7f4cad6acac112177e08df5e https://git.kernel.org/stable/c/db12d95085367de8b0223929d1332731024441f1 https://git.kernel.org/stable/c/c43517071dfc9fce34f8f69dbb98a8601 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47499 – iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
https://notcve.org/view.php?id=CVE-2021-47499
In the Linux kernel, the following vulnerability has been resolved: iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the memory allocated by iio_triggered_buffer_setup() will not be freed, and cause memory leak as follows: unreferenced object 0xffff888009551400 (size 512): comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s) hex dump (first 32 bytes): 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff ........ ....... backtrace: [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360 [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf] [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer] [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013] Fix it by remove data->dready_trig condition in probe and remove. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iio: accel: kxcjk-1013: corrija la posible pérdida de memoria en la sonda y elimínela. Cuando el tipo ACPI es ACPI_SMO8500, data->dready_trig no se configurará, la memoria asignada por iio_triggered_buffer_setup( ) no se liberará y provocará una pérdida de memoria de la siguiente manera: objeto sin referencia 0xffff888009551400 (tamaño 512): comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (edad 83,852 s) volcado hexadecimal (primeros 32 bytes): 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff .... .... ....... retroceso: [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360 [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf] [<000000004b40c1f5>] ed_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer] [ <000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013] Solucionarlo eliminando la condición data->dready_trig en la sonda y eliminándola. • https://git.kernel.org/stable/c/a25691c1f9674090fb66586cf4c5d60d3efdf339 https://git.kernel.org/stable/c/8c1d43f3a3fc7184c42d7398bdf59a2a2903e4fc https://git.kernel.org/stable/c/60a55b9d91ba99eb8cf015bc46dc2de05e168a15 https://git.kernel.org/stable/c/3899700ddacbf7aaafadf44464fff3ff0d4e3307 https://git.kernel.org/stable/c/a3730f74159ad00a28960c0efe2a931fe6fe6b45 https://git.kernel.org/stable/c/8c163a14277115ca962103910ab4cce55e862ffb https://git.kernel.org/stable/c/ee86d0bad80bdcd11a87e188a596727f41b62320 https://git.kernel.org/stable/c/14508fe13b1c578b3d2ba574f1d48b351 •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36013 – Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
https://notcve.org/view.php?id=CVE-2024-36013
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: L2CAP: corrige slab-use-after-free en l2cap_connect() Amplia una sección crítica para evitar que chan se libere anticipadamente. También anule el tipo de retorno l2cap_connect(). Nada utiliza el valor devuelto, pero es feo devolver un puntero potencialmente liberado. • https://git.kernel.org/stable/c/73ffa904b78287f6acf8797e040150aa26a4af4a https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5 https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6 https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658 http://www.openwall.com/lists/oss-security/2024/05/30/1 http://www.openwall.com/lists/oss-security/2024/05/30/2 • CWE-416: Use After Free •