CVE-2021-47477 – comedi: dt9812: fix DMA buffers on stack
https://notcve.org/view.php?id=CVE-2021-47477
In the Linux kernel, the following vulnerability has been resolved: comedi: dt9812: fix DMA buffers on stack USB transfer buffers are typically mapped for DMA and must not be allocated on the stack or transfers will fail. Allocate proper transfer buffers in the various command helpers and return an error on short transfers instead of acting on random stack data. Note that this also fixes a stack info leak on systems where DMA is not used as 32 bytes are always sent to the device regardless of how short the command is. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: dt9812: corrige los búferes DMA en la pila Los búferes de transferencia USB generalmente están asignados para DMA y no deben asignarse en la pila o las transferencias fallarán. Asigne búferes de transferencia adecuados en los distintos asistentes de comando y devuelva un error en transferencias cortas en lugar de actuar sobre datos de pila aleatorios. Tenga en cuenta que esto también soluciona una fuga de información de la pila en sistemas donde no se usa DMA, ya que siempre se envían 32 bytes al dispositivo, independientemente de cuán corto sea el comando. • https://git.kernel.org/stable/c/63274cd7d38a3322d90b66a5bc976de1fb899051 https://git.kernel.org/stable/c/a6af69768d5cb4b2528946d53be5fa19ade37723 https://git.kernel.org/stable/c/365a346cda82f51d835c49136a00a9df8a78c7f2 https://git.kernel.org/stable/c/8a52bc480992c7c9da3ebfea456af731f50a4b97 https://git.kernel.org/stable/c/39ea61037ae78f14fa121228dd962ea3280eacf3 https://git.kernel.org/stable/c/3efb7af8ac437085b6c776e5b54830b149d86efe https://git.kernel.org/stable/c/786f5b03450454557ff858a8bead5d7c0cbf78d6 https://git.kernel.org/stable/c/3ac273d154d634e2034508a14db82a95d •
CVE-2021-47469 – spi: Fix deadlock when adding SPI controllers on SPI buses
https://notcve.org/view.php?id=CVE-2021-47469
In the Linux kernel, the following vulnerability has been resolved: spi: Fix deadlock when adding SPI controllers on SPI buses Currently we have a global spi_add_lock which we take when adding new devices so that we can check that we're not trying to reuse a chip select that's already controlled. This means that if the SPI device is itself a SPI controller and triggers the instantiation of further SPI devices we trigger a deadlock as we try to register and instantiate those devices while in the process of doing so for the parent controller and hence already holding the global spi_add_lock. Since we only care about concurrency within a single SPI bus move the lock to be per controller, avoiding the deadlock. This can be easily triggered in the case of spi-mux. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: soluciona el punto muerto al agregar controladores SPI en buses SPI. Actualmente tenemos un spi_add_lock global que utilizamos cuando agregamos nuevos dispositivos para que podamos verificar que no estamos intentando reutilizar un selección de chip que ya está controlado. • https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0 •
CVE-2021-47468 – isdn: mISDN: Fix sleeping function called from invalid context
https://notcve.org/view.php?id=CVE-2021-47468
In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: Fix sleeping function called from invalid context The driver can call card->isac.release() function from an atomic context. Fix this by calling this function after releasing the lock. The following log reveals it: [ 44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018 [ 44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe [ 44.169574 ] INFO: lockdep is turned off. [ 44.169899 ] irq event stamp: 0 [ 44.170160 ] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [ 44.170627 ] hardirqs last disabled at (0): [<ffffffff814209ed>] copy_process+0x132d/0x3e00 [ 44.171240 ] softirqs last enabled at (0): [<ffffffff81420a1a>] copy_process+0x135a/0x3e00 [ 44.171852 ] softirqs last disabled at (0): [<0000000000000000>] 0x0 [ 44.172318 ] Preemption disabled at: [ 44.172320 ] [<ffffffffa009b0a9>] nj_release+0x69/0x500 [netjet] [ 44.174441 ] Call Trace: [ 44.174630 ] dump_stack_lvl+0xa8/0xd1 [ 44.174912 ] dump_stack+0x15/0x17 [ 44.175166 ] ___might_sleep+0x3a2/0x510 [ 44.175459 ] ? nj_release+0x69/0x500 [netjet] [ 44.175791 ] __might_sleep+0x82/0xe0 [ 44.176063 ] ? start_flush_work+0x20/0x7b0 [ 44.176375 ] start_flush_work+0x33/0x7b0 [ 44.176672 ] ? trace_irq_enable_rcuidle+0x85/0x170 [ 44.177034 ] ? kasan_quarantine_put+0xaa/0x1f0 [ 44.177372 ] ? • https://git.kernel.org/stable/c/6f95c97e0f9d6eb39c3f2cb45e8fa4268d1b372b https://git.kernel.org/stable/c/ef269a8808cb1759245a98a7fe16fceaebad894c https://git.kernel.org/stable/c/37e4f57b22cc5ebb3f80cf0f74fdeb487f082367 https://git.kernel.org/stable/c/a5b34409d3fc52114c828be4adbc30744fa3258b https://git.kernel.org/stable/c/4054b869dc263228d30a4755800b78f0f2ba0c89 https://git.kernel.org/stable/c/9f591cbdbed3d7822b2bdba89b34a6d7b434317d https://git.kernel.org/stable/c/f5966ba53013149bcf94e1536644a958dd00a026 https://git.kernel.org/stable/c/6510e80a0b81b5d814e3aea6297ba42f5 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2021-47467 – kunit: fix reference count leak in kfree_at_end
https://notcve.org/view.php?id=CVE-2021-47467
In the Linux kernel, the following vulnerability has been resolved: kunit: fix reference count leak in kfree_at_end The reference counting issue happens in the normal path of kfree_at_end(). When kunit_alloc_and_get_resource() is invoked, the function forgets to handle the returned resource object, whose refcount increased inside, causing a refcount leak. Fix this issue by calling kunit_alloc_resource() instead of kunit_alloc_and_get_resource(). Fixed the following when applying: Shuah Khan <skhan@linuxfoundation.org> CHECK: Alignment should match open parenthesis + kunit_alloc_resource(test, NULL, kfree_res_free, GFP_KERNEL, (void *)to_free); En el kernel de Linux, se resolvió la siguiente vulnerabilidad: kunit: corrige la fuga del recuento de referencias en kfree_at_end El problema del recuento de referencias ocurre en la ruta normal de kfree_at_end(). Cuando se invoca kunit_alloc_and_get_resource(), la función se olvida de manejar el objeto de recurso devuelto, cuyo recuento aumentó en el interior, lo que provoca una fuga de recuento. Solucione este problema llamando a kunit_alloc_resource() en lugar de kunit_alloc_and_get_resource(). Se corrigió lo siguiente al aplicar: Shuah Khan VERIFICAR: La alineación debe coincidir con el paréntesis abierto + kunit_alloc_resource(test, NULL, kfree_res_free, GFP_KERNEL, (void *)to_free); • https://git.kernel.org/stable/c/bbdd158b40b66a9403391a517f24ef6613573446 https://git.kernel.org/stable/c/f62314b1ced25c58b86e044fc951cd6a1ea234cf •
CVE-2021-47458 – ocfs2: mount fails with buffer overflow in strlen
https://notcve.org/view.php?id=CVE-2021-47458
In the Linux kernel, the following vulnerability has been resolved: ocfs2: mount fails with buffer overflow in strlen Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the trace below. Problem seems to be that strings for cluster stack and cluster name are not guaranteed to be null terminated in the disk representation, while strlcpy assumes that the source string is always null terminated. This causes a read outside of the source string triggering the buffer overflow detection. detected buffer overflow in strlen ------------[ cut here ]------------ kernel BUG at lib/string.c:1149! invalid opcode: 0000 [#1] SMP PTI CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 Debian 5.14.6-2 RIP: 0010:fortify_panic+0xf/0x11 ... Call Trace: ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] ocfs2_fill_super+0x359/0x19b0 [ocfs2] mount_bdev+0x185/0x1b0 legacy_get_tree+0x27/0x40 vfs_get_tree+0x25/0xb0 path_mount+0x454/0xa20 __x64_sys_mount+0x103/0x140 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ocfs2: el montaje falla con desbordamiento del búfer en strlen. A partir del kernel 5.11 compilado con CONFIG_FORTIFY_SOURCE, la conexión de un sistema de archivos ocfs2 con una pila de clúster o2cb o pcmk falla con el siguiente seguimiento. • https://git.kernel.org/stable/c/ac011cb3ff7a76b3e0e6e77158ee4ba2f929e1fb https://git.kernel.org/stable/c/4b74ddcc22ee6455946e80a9c4808801f8f8561e https://git.kernel.org/stable/c/232ed9752510de4436468b653d145565669c8498 https://git.kernel.org/stable/c/7623b1035ca2d17bde0f6a086ad6844a34648df1 https://git.kernel.org/stable/c/d3a83576378b4c904f711598dde2c5e881c4295c https://git.kernel.org/stable/c/93be0eeea14cf39235e585c8f56df3b3859deaad https://git.kernel.org/stable/c/0e677ea5b7396f715a76b6b0ef441430e4c4b57f https://git.kernel.org/stable/c/b15fa9224e6e1239414525d8d556d8247 •