CVE-2021-47610 – drm/msm: Fix null ptr access msm_ioctl_gem_submit()
https://notcve.org/view.php?id=CVE-2021-47610
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix null ptr access msm_ioctl_gem_submit() Fix the below null pointer dereference in msm_ioctl_gem_submit(): 26545.260705: Call trace: 26545.263223: kref_put+0x1c/0x60 26545.266452: msm_ioctl_gem_submit+0x254/0x744 26545.270937: drm_ioctl_kernel+0xa8/0x124 26545.274976: drm_ioctl+0x21c/0x33c 26545.278478: drm_compat_ioctl+0xdc/0xf0 26545.282428: __arm64_compat_sys_ioctl+0xc8/0x100 26545.287169: el0_svc_common+0xf8/0x250 26545.291025: do_el0_svc_compat+0x28/0x54 26545.295066: el0_svc_compat+0x10/0x1c 26545.298838: el0_sync_compat_handler+0xa8/0xcc 26545.303403: el0_sync_compat+0x188/0x1c0 26545.307445: Code: d503201f d503201f 52800028 4b0803e8 (b8680008) 26545.318799: Kernel panic - not syncing: Oops: Fatal exception En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm: corrige el acceso ptr nulo msm_ioctl_gem_submit() Corrige la siguiente desreferencia del puntero nulo en msm_ioctl_gem_submit(): 26545.260705: Rastreo de llamadas: 26545.263223: kref_put+0x1c/0x60 26545.266452 msm: _ioctl_gem_submit+ 0x254/0x744 26545.270937: drm_ioctl_kernel+0xa8/0x124 26545.274976: drm_ioctl+0x21c/0x33c 26545.278478: drm_compat_ioctl+0xdc/0xf0 : __arm64_compat_sys_ioctl+0xc8/0x100 26545.287169: el0_svc_common+0xf8/0x250 26545.291025: do_el0_svc_compat+0x28/0x54 26545.295066: 0 /0x1c 26545.298838: el0_sync_compat_handler+0xa8/0xcc 26545.303403: el0_sync_compat+0x188/0x1c0 26545.307445: Código: d503201f d503201f 52800028 4b0803e8 680008) 26545.318799: Pánico del kernel: no se sincroniza: Ups: excepción fatal • https://git.kernel.org/stable/c/f6db3d98f876870c35e96693cfd54752f6199e59 https://git.kernel.org/stable/c/26d776fd0f79f093a5d0ce1a4c7c7a992bc3264c •
CVE-2021-47606 – net: netlink: af_netlink: Prevent empty skb by adding a check on len.
https://notcve.org/view.php?id=CVE-2021-47606
In the Linux kernel, the following vulnerability has been resolved: net: netlink: af_netlink: Prevent empty skb by adding a check on len. Adding a check on len parameter to avoid empty skb. This prevents a division error in netem_enqueue function which is caused when skb->len=0 and skb->data_len=0 in the randomized corruption step as shown below. skb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8); Crash Report: [ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 343.216110] netem: version 1.3 [ 343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+ [ 343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem] [ 343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff ff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f 74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03 [ 343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246 [ 343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX: 0000000000000000 [ 343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI: ffff88800f8eda40 [ 343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09: ffffffff94fb8445 [ 343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12: 0000000000000000 [ 343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15: 0000000000000020 [ 343.247291] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000 [ 343.248350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4: 00000000000006e0 [ 343.250076] Call Trace: [ 343.250423] <TASK> [ 343.250713] ? memcpy+0x4d/0x60 [ 343.251162] ? netem_init+0xa0/0xa0 [sch_netem] [ 343.251795] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.252443] netem_enqueue+0xe28/0x33c0 [sch_netem] [ 343.253102] ? • https://git.kernel.org/stable/c/c54a60c8fbaa774f828e26df79f66229a8a0e010 https://git.kernel.org/stable/c/40cf2e058832d9cfaae98dfd77334926275598b6 https://git.kernel.org/stable/c/54e785f7d5c197bc06dbb8053700df7e2a093ced https://git.kernel.org/stable/c/ff3f517bf7138e01a17369042908a3f345c0ee41 https://git.kernel.org/stable/c/c0315e93552e0d840e9edc6abd71c7db82ec8f51 https://git.kernel.org/stable/c/dadce61247c6230489527cc5e343b6002d1114c5 https://git.kernel.org/stable/c/4c986072a8c9249b9398c7a18f216dc26a9f0e35 https://git.kernel.org/stable/c/f123cffdd8fe8ea6c7fded4b88516a427 • CWE-369: Divide By Zero •
CVE-2021-47602 – mac80211: track only QoS data frames for admission control
https://notcve.org/view.php?id=CVE-2021-47602
In the Linux kernel, the following vulnerability has been resolved: mac80211: track only QoS data frames for admission control For admission control, obviously all of that only works for QoS data frames, otherwise we cannot even access the QoS field in the header. Syzbot reported (see below) an uninitialized value here due to a status of a non-QoS nullfunc packet, which isn't even long enough to contain the QoS header. Fix this to only do anything for QoS data packets. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mac80211: rastrea solo frameworks de datos QoS para control de admisión. Para el control de admisión, obviamente todo eso solo funciona para frameworks de datos QoS; de lo contrario, ni siquiera podemos acceder al campo QoS en el encabezado. Syzbot informó (ver más abajo) un valor no inicializado aquí debido al estado de un paquete nullfunc sin QoS, que ni siquiera es lo suficientemente largo para contener el encabezado de QoS. Solucione este problema para hacer algo únicamente con los paquetes de datos QoS. • https://git.kernel.org/stable/c/02219b3abca59fca81711bfe7ee78df7abad97ce https://git.kernel.org/stable/c/69f054d6642c8f6173724ce17e7ee3ff66b8f682 https://git.kernel.org/stable/c/46b9e29db2012a4d2a40a26101862e002ccf387b https://git.kernel.org/stable/c/eed897a22230e3231a740eddd7d6d95ba476625f https://git.kernel.org/stable/c/42d08e97b196479f593499e887a9ab81446a34b9 https://git.kernel.org/stable/c/d5e568c3a4ec2ddd23e7dc5ad5b0c64e4f22981a •
CVE-2021-47600 – dm btree remove: fix use after free in rebalance_children()
https://notcve.org/view.php?id=CVE-2021-47600
In the Linux kernel, the following vulnerability has been resolved: dm btree remove: fix use after free in rebalance_children() Move dm_tm_unlock() after dm_tm_dec(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm btree remove: corrige el use after free en rebalance_children() Mueve dm_tm_unlock() después de dm_tm_dec(). • https://git.kernel.org/stable/c/a48f6a2bf33734ec5669ee03067dfb6c5b4818d6 https://git.kernel.org/stable/c/66ea642af6fd4eacb5d0271a922130fcf8700424 https://git.kernel.org/stable/c/b03abd0aa09c05099f537cb05b8460c4298f0861 https://git.kernel.org/stable/c/293f957be5e39720778fb1851ced7f5fba6d51c3 https://git.kernel.org/stable/c/501ecd90efdc9b2edc6c28852ecd098a4adf8f00 https://git.kernel.org/stable/c/0e21e6cd5eebfc929ac5fa3b97ca2d4ace3cb6a3 https://git.kernel.org/stable/c/607beb420b3fe23b948a9bf447d993521a02fbbb https://git.kernel.org/stable/c/1b8d2789dad0005fd5e7d35dab26a8e12 •
CVE-2021-47599 – btrfs: use latest_dev in btrfs_show_devname
https://notcve.org/view.php?id=CVE-2021-47599
In the Linux kernel, the following vulnerability has been resolved: btrfs: use latest_dev in btrfs_show_devname The test case btrfs/238 reports the warning below: WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs] CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: btrfs_show_devname+0x108/0x1b4 [btrfs] show_mountinfo+0x234/0x2c4 m_show+0x28/0x34 seq_read_iter+0x12c/0x3c4 vfs_read+0x29c/0x2c8 ksys_read+0x80/0xec __arm64_sys_read+0x28/0x34 invoke_syscall+0x50/0xf8 do_el0_svc+0x88/0x138 el0_svc+0x2c/0x8c el0t_64_sync_handler+0x84/0xe4 el0t_64_sync+0x198/0x19c Reason: While btrfs_prepare_sprout() moves the fs_devices::devices into fs_devices::seed_list, the btrfs_show_devname() searches for the devices and found none, leading to the warning as in above. Fix: latest_dev is updated according to the changes to the device list. That means we could use the latest_dev->name to show the device name in /proc/self/mounts, the pointer will be always valid as it's assigned before the device is deleted from the list in remove or replace. The RCU protection is sufficient as the device structure is freed after synchronization. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: utilice Latest_dev en btrfs_show_devname El caso de prueba btrfs/238 informa la siguiente advertencia: ADVERTENCIA: CPU: 3 PID: 481 en fs/btrfs/super.c:2509 btrfs_show_devname+0x104 /0x1e8 [btrfs] CPU: 2 PID: 1 Comunicación: systemd Contaminado: GWO 5.14.0-rc1-custom #72 Nombre de hardware: QEMU Máquina virtual QEMU, BIOS 0.0.0 06/02/2015 Rastreo de llamadas: btrfs_show_devname+0x108/ 0x1b4 [btrfs] show_mountinfo+0x234/0x2c4 m_show+0x28/0x34 seq_read_iter+0x12c/0x3c4 vfs_read+0x29c/0x2c8 ksys_read+0x80/0xec __arm64_sys_read+0x28/0x34 x50/0xf8 do_el0_svc+0x88/0x138 el0_svc+0x2c/0x8c el0t_64_sync_handler +0x84/0xe4 el0t_64_sync+0x198/0x19c Motivo: mientras btrfs_prepare_sprout() mueve fs_devices::devices a fs_devices::seed_list, btrfs_show_devname() busca los dispositivos y no encuentra ninguno, lo que genera la advertencia como se muestra arriba. Solución: last_dev se actualiza según los cambios en la lista de dispositivos. Eso significa que podríamos usar el último_dev->name para mostrar el nombre del dispositivo en /proc/self/mounts, el puntero siempre será válido tal como está asignado antes de que el dispositivo se elimine de la lista en eliminar o reemplazar. La protección de la RCU es suficiente, ya que la estructura del dispositivo se libera después de la sincronización. • https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1 https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2 •