CVE-2023-52808 – scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs
https://notcve.org/view.php?id=CVE-2023-52808
In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs If init debugfs failed during device registration due to memory allocation failure, debugfs_remove_recursive() is called, after which debugfs_dir is not set to NULL. debugfs_remove_recursive() will be called again during device removal. As a result, illegal pointer is accessed. [ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs! ... [ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [ 1669.872669] pc : down_write+0x24/0x70 [ 1669.876315] lr : down_write+0x1c/0x70 [ 1669.879961] sp : ffff000036f53a30 [ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8 [ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000 [ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270 [ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8 [ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310 [ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10 [ 1669.914982] x17: 0000000000000000 x16: 0000000000000000 [ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870 [ 1669.925555] x13: 0000000000000040 x12: 0000000000000228 [ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0 [ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10 [ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff [ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00 [ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000 [ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001 [ 1669.962563] Call trace: [ 1669.965000] down_write+0x24/0x70 [ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0 [ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main] [ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw] [ 1669.984175] pci_device_remove+0x48/0xd8 [ 1669.988082] device_release_driver_internal+0x1b4/0x250 [ 1669.993282] device_release_driver+0x28/0x38 [ 1669.997534] pci_stop_bus_device+0x84/0xb8 [ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40 [ 1670.007244] remove_store+0xfc/0x140 [ 1670.010802] dev_attr_store+0x44/0x60 [ 1670.014448] sysfs_kf_write+0x58/0x80 [ 1670.018095] kernfs_fop_write+0xe8/0x1f0 [ 1670.022000] __vfs_write+0x60/0x190 [ 1670.025472] vfs_write+0xac/0x1c0 [ 1670.028771] ksys_write+0x6c/0xd8 [ 1670.032071] __arm64_sys_write+0x24/0x30 [ 1670.035977] el0_svc_common+0x78/0x130 [ 1670.039710] el0_svc_handler+0x38/0x78 [ 1670.043442] el0_svc+0x8/0xc To fix this, set debugfs_dir to NULL after debugfs_remove_recursive(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: hisi_sas: establezca el puntero debugfs_dir en NULL después de eliminar debugfs. Si init debugfs falló durante el registro del dispositivo debido a un fallo en la asignación de memoria, se llama a debugfs_remove_recursive(), después de lo cual debugfs_dir no se configura en NULO. • https://git.kernel.org/stable/c/f0bfc8a5561fb0b2c48183dcbfe00bdd6d973bd3 https://git.kernel.org/stable/c/33331b265aac9441ac0c1a5442e3f05d038240ec https://git.kernel.org/stable/c/75a2656260fe8c7eeabda6ff4600b29e183f48db https://git.kernel.org/stable/c/b4465009e7d60c6111946db4c8f1e50d401ed7be https://git.kernel.org/stable/c/6de426f9276c448e2db7238911c97fb157cb23be •
CVE-2023-52806 – ALSA: hda: Fix possible null-ptr-deref when assigning a stream
https://notcve.org/view.php?id=CVE-2023-52806
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix possible null-ptr-deref when assigning a stream While AudioDSP drivers assign streams exclusively of HOST or LINK type, nothing blocks a user to attempt to assign a COUPLED stream. As supplied substream instance may be a stub, what is the case when code-loading, such scenario ends with null-ptr-deref. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: ALSA: hda: Corrige posible null-ptr-deref al asignar un flujo. Si bien los controladores AudioDSP asignan flujos exclusivamente de tipo HOST o LINK, nada impide que un usuario intente asignar un flujo ACOPLADO. Como la instancia de subsecuencia proporcionada puede ser un código auxiliar, cuál es el caso cuando se carga el código, dicho escenario termina con null-ptr-deref. • https://git.kernel.org/stable/c/7de25112de8222fd20564769e6c99dc9f9738a0b https://git.kernel.org/stable/c/758c7733cb821041f5fd403b7b97c0b95d319323 https://git.kernel.org/stable/c/2527775616f3638f4fd54649eba8c7b84d5e4250 https://git.kernel.org/stable/c/25354bae4fc310c3928e8a42fda2d486f67745d7 https://git.kernel.org/stable/c/631a96e9eb4228ff75fce7e72d133ca81194797e https://git.kernel.org/stable/c/43b91df291c8802268ab3cfd8fccfdf135800ed4 https://git.kernel.org/stable/c/fe7c1a0c2b25c82807cb46fc3aadbf2664a682b0 https://git.kernel.org/stable/c/4a320da7f7cbdab2098b103c47f45d506 • CWE-476: NULL Pointer Dereference •
CVE-2023-52805 – jfs: fix array-index-out-of-bounds in diAlloc
https://notcve.org/view.php?id=CVE-2023-52805
In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in diAlloc Currently there is not check against the agno of the iag while allocating new inodes to avoid fragmentation problem. Added the check which is required. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: corrige el índice de matriz fuera de los límites en diAlloc. Actualmente no se verifica el agno del iag al asignar nuevos inodos para evitar problemas de fragmentación. Se agregó la comprobación que se requiere. • https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9 https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083 https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1 https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641 https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777 https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285 •
CVE-2023-52804 – fs/jfs: Add validity check for db_maxag and db_agpref
https://notcve.org/view.php?id=CVE-2023-52804
In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Add validity check for db_maxag and db_agpref Both db_maxag and db_agpref are used as the index of the db_agfree array, but there is currently no validity check for db_maxag and db_agpref, which can lead to errors. The following is related bug reported by Syzbot: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20 index 7936 is out of range for type 'atomic_t[128]' Add checking that the values of db_maxag and db_agpref are valid indexes for the db_agfree array. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: fs/jfs: agregue verificación de validez para db_maxag y db_agpref. Tanto db_maxag como db_agpref se utilizan como índice de la matriz db_agfree, pero actualmente no hay verificación de validez para db_maxag y db_agpref, lo cual puede dar lugar a errores. El siguiente es un error relacionado reportado por Syzbot: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20 el índice 7936 está fuera de rango para el tipo 'atomic_t[128]' Agregue verificando que el Los valores de db_maxag y db_agpref son índices válidos para la matriz db_agfree. • https://git.kernel.org/stable/c/a0649e2dd4a3595b5595a29d0064d047c2fae2fb https://git.kernel.org/stable/c/ce15b0f1a431168f07b1cc6c9f71206a2db5c809 https://git.kernel.org/stable/c/32bd8f1cbcf8b663e29dd1f908ba3a129541a11b https://git.kernel.org/stable/c/c6c8863fb3f57700ab583d875adda04caaf2278a https://git.kernel.org/stable/c/1f74d336990f37703a8eee77153463d65b67f70e https://git.kernel.org/stable/c/5013f8269887642cca784adc8db9b5f0b771533f https://git.kernel.org/stable/c/dca403bb035a565bb98ecc1dda5d30f676feda40 https://git.kernel.org/stable/c/2323de34a3ae61a9f9b544c18583f71ce •
CVE-2023-52799 – jfs: fix array-index-out-of-bounds in dbFindLeaf
https://notcve.org/view.php?id=CVE-2023-52799
In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in dbFindLeaf Currently while searching for dmtree_t for sufficient free blocks there is an array out of bounds while getting element in tp->dm_stree. To add the required check for out of bound we first need to determine the type of dmtree. Thus added an extra parameter to dbFindLeaf so that the type of tree can be determined and the required check can be applied. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: jfs: corrige el índice de matriz fuera de los límites en dbFindLeaf. Actualmente, mientras se busca dmtree_t para suficientes bloques libres, hay una matriz fuera de los límites al obtener el elemento en tp->dm_stree . • https://git.kernel.org/stable/c/20f9310a18e3e99fc031e036fcbed67105ae1859 https://git.kernel.org/stable/c/86df90f3fea7c5591f05c8a0010871d435e83046 https://git.kernel.org/stable/c/ecfb47f13b08b02cf28b7b50d4941eefa21954d2 https://git.kernel.org/stable/c/81aa58cd8495b8c3b527f58ccbe19478d8087f61 https://git.kernel.org/stable/c/da3da5e1e6f71c21d8e6149d7076d936ef5d4cb9 https://git.kernel.org/stable/c/a50b796d36719757526ee094c703378895ab5e67 https://git.kernel.org/stable/c/88b7894a8f8705bf4e7ea90b10229376abf14514 https://git.kernel.org/stable/c/87c681ab49e99039ff2dd3e7185241738 •