CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47403 – ipack: ipoctal: fix module reference leak
https://notcve.org/view.php?id=CVE-2021-47403
In the Linux kernel, the following vulnerability has been resolved: ipack: ipoctal: fix module reference leak A reference to the carrier module was taken on every open but was only released once when the final reference to the tty struct was dropped. Fix this by taking the module reference and initialising the tty driver data when installing the tty. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ipack: ipoctal: reparar fuga de referencia del módulo. Se tomó una referencia al módulo portador en cada apertura, pero solo se publicó una vez cuando se eliminó la referencia final a la estructura tty. Solucione este problema tomando la referencia del módulo e inicializando los datos del controlador tty al instalar el tty. • https://git.kernel.org/stable/c/82a82340bab6c251e0705339f60763718eaa2a22 https://git.kernel.org/stable/c/31398849b84ebae0d43a1cf379cb9895597f221a https://git.kernel.org/stable/c/c0adb5a947dec6cff7050ec56d78ecd3916f9ce6 https://git.kernel.org/stable/c/dde4c1429b97383689f755ce92b4ed1e84a9c92b https://git.kernel.org/stable/c/9c5b77a7ffc983b2429ce158b50497c5d3c86a69 https://git.kernel.org/stable/c/3253c87e1e5bc0107aab773af2f135ebccf38666 https://git.kernel.org/stable/c/7cea848678470daadbfdaa6a112b823c290f900c https://git.kernel.org/stable/c/811178f296b16af30264def74c8d2179a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47401 – ipack: ipoctal: fix stack information leak
https://notcve.org/view.php?id=CVE-2021-47401
In the Linux kernel, the following vulnerability has been resolved: ipack: ipoctal: fix stack information leak The tty driver name is used also after registering the driver and must specifically not be allocated on the stack to avoid leaking information to user space (or triggering an oops). Drivers should not try to encode topology information in the tty device name but this one snuck in through staging without anyone noticing and another driver has since copied this malpractice. Fixing the ABI is a separate issue, but this at least plugs the security hole. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ipack: ipoctal: corrige la fuga de información de la pila. El nombre del controlador tty también se usa después de registrar el controlador y específicamente no debe asignarse en la pila para evitar filtrar información al espacio del usuario (o activar un ups). Los controladores no deberían intentar codificar información de topología en el nombre del dispositivo tty, pero este se coló durante la preparación sin que nadie se diera cuenta y desde entonces otro controlador copió esta mala práctica. Arreglar la ABI es un tema aparte, pero esto al menos tapa el agujero de seguridad. • https://git.kernel.org/stable/c/ba4dc61fe8c545a5d6a68b63616776556b771f51 https://git.kernel.org/stable/c/acb96e782bad427ca4bb1bd94af660acd1462380 https://git.kernel.org/stable/c/741ea2670e021350e54f491106bdaa22dc50e6a0 https://git.kernel.org/stable/c/2725925982dc96a78069cd118ea3d66759bfdad7 https://git.kernel.org/stable/c/829f13d6079cf7a2465522f39acb43033e9b320d https://git.kernel.org/stable/c/8657158a3b68c85234e6da3d8eae33d6183588b7 https://git.kernel.org/stable/c/5f6a309a699675680df15d9b6d389114515b4426 https://git.kernel.org/stable/c/0a9c36a2e06a249acbed64e8e0b84637c •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47396 – mac80211-hwsim: fix late beacon hrtimer handling
https://notcve.org/view.php?id=CVE-2021-47396
In the Linux kernel, the following vulnerability has been resolved: mac80211-hwsim: fix late beacon hrtimer handling Thomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx that our handling of the hrtimer here is wrong: If the timer fires late (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot) then it tries to actually rearm the timer at the next deadline, which might be in the past already: 1 2 3 N N+1 | | | ... | | ^ intended to fire here (1) ^ next deadline here (2) ^ actually fired here The next time it fires, it's later, but will still try to schedule for the next deadline (now 3), etc. until it catches up with N, but that might take a long time, causing stalls etc. Now, all of this is simulation, so we just have to fix it, but note that the behaviour is wrong even per spec, since there's no value then in sending all those beacons unaligned - they should be aligned to the TBTT (1, 2, 3, ... in the picture), and if we're a bit (or a lot) late, then just resume at that point. Therefore, change the code to use hrtimer_forward_now() which will ensure that the next firing of the timer would be at N+1 (in the picture), i.e. the next interval point after the current time. • https://git.kernel.org/stable/c/01e59e467ecf976c782eecd4dc99644802cc60e2 https://git.kernel.org/stable/c/9bee85de2c8155388c09a2e1530a243ec1c96f05 https://git.kernel.org/stable/c/2c204cf594df3b9468368dc9d0b24d482d93cda7 https://git.kernel.org/stable/c/ed2adf69e29848d1eb9df99633dde655421c92ed https://git.kernel.org/stable/c/313bbd1990b6ddfdaa7da098d0c56b098a833572 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47391 – RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests
https://notcve.org/view.php?id=CVE-2021-47391
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice. CPU 1 CPU 2 rdma_resolve_addr(): RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1 process_one_req(): for #1 addr_handler(): RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND mutex_unlock(&id_priv->handler_mutex); [.. handler still running ..] rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel() // process_one_req() self removes it spin_lock_bh(&lock); cancel_delayed_work(&req->work); if (!list_empty(&req->list)) == true ! rdma_addr_cancel() returns after process_on_req #1 is done kfree(id_priv) process_one_req(): for #2 addr_handler(): mutex_lock(&id_priv->handler_mutex); !! • https://git.kernel.org/stable/c/e51060f08a61965c4dd91516d82fe90617152590 https://git.kernel.org/stable/c/9a085fa9b7d644a234465091e038c1911e1a4f2a https://git.kernel.org/stable/c/03d884671572af8bcfbc9e63944c1021efce7589 https://git.kernel.org/stable/c/305d568b72f17f674155a2a8275f865f207b3808 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2021-47388 – mac80211: fix use-after-free in CCMP/GCMP RX
https://notcve.org/view.php?id=CVE-2021-47388
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix use-after-free in CCMP/GCMP RX When PN checking is done in mac80211, for fragmentation we need to copy the PN to the RX struct so we can later use it to do a comparison, since commit bf30ca922a0c ("mac80211: check defrag PN against current frame"). Unfortunately, in that commit I used the 'hdr' variable without it being necessarily valid, so use-after-free could occur if it was necessary to reallocate (parts of) the frame. Fix this by reloading the variable after the code that results in the reallocations, if any. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mac80211: corrige el use after free en CCMP/GCMP RX. Cuando se realiza la verificación de PN en mac80211, para la fragmentación necesitamos copiar el PN a la estructura RX para poder usarlo más tarde. para hacer una comparación, desde la confirmación bf30ca922a0c ("mac80211: verifique la desfragmentación PN con el marco actual"). Desafortunadamente, en esa confirmación utilicé la variable 'hdr' sin que fuera necesariamente válida, por lo que podría ocurrir un use after free si fuera necesario reasignar (partes de) el marco. • https://git.kernel.org/stable/c/608b0a2ae928a74a2f89e02227339dd79cdb63cf https://git.kernel.org/stable/c/d0f613fe6de344dc17ba04a88921a2094c13d3fa https://git.kernel.org/stable/c/a9b57952fed41556c950a92123086724eaf11919 https://git.kernel.org/stable/c/0f716b48ed25503e6961f4b5b40ece36f7e4ed26 https://git.kernel.org/stable/c/c8b3a6150dc8ac78d5fdd5fbdfc4806249ef8b2c https://git.kernel.org/stable/c/e64ea0597050157f926ac2ba9b478a44ee5be945 https://git.kernel.org/stable/c/bf30ca922a0c0176007e074b0acc77ed345e9990 https://git.kernel.org/stable/c/1f0bf30c01d3f4de7d6c5e27b102a808c •