CVSS: 5.1EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47455 – ptp: Fix possible memory leak in ptp_clock_register()
https://notcve.org/view.php?id=CVE-2021-47455
In the Linux kernel, the following vulnerability has been resolved: ptp: Fix possible memory leak in ptp_clock_register() I got memory leak as follows when doing fault injection test: unreferenced object 0xffff88800906c618 (size 8): comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (age 13.188s) hex dump (first 8 bytes): 70 74 70 30 00 00 00 00 ptp0.... backtrace: [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 [<0000000079f6e2ff>] kvasprintf+0xb5/0x150 [<0000000026aae54f>] kvasprintf_const+0x60/0x190 [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150 [<000000004e35abdd>] dev_set_name+0xc0/0x100 [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp] [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33] When posix_clock_register() returns an error, the name allocated in dev_set_name() will be leaked, the put_device() should be used to give up the device reference, then the name will be freed in kobject_cleanup() and other memory will be freed in ptp_clock_release(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ptp: solucione una posible pérdida de memoria en ptp_clock_register() Obtuve una pérdida de memoria de la siguiente manera al realizar la prueba de inyección de fallas: objeto sin referencia 0xffff88800906c618 (tamaño 8): comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (edad 13,188 s) volcado hexadecimal (primeros 8 bytes): 70 74 70 30 00 00 00 00 ptp0.... backtrace: [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 [<0000 000079f6e2ff>] kvasprintf+0xb5 /0x150 [<0000000026aae54f>] kvasprintf_const+0x60/0x190 [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150 [<000000004e35abdd>] dev_set_name+0xc0/0x100 0000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp] [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33] Cuando posix_clock_register() devuelve un error, el nombre asignado en dev_set_name() se filtrará, se debe usar put_device() para renunciar a la referencia del dispositivo, luego el nombre se liberará kobject_cleanup() y otra memoria se liberarán en ptp_clock_release(). • https://git.kernel.org/stable/c/a33121e5487b424339636b25c35d3a180eaa5f5e https://git.kernel.org/stable/c/5230ef61882d2d14deb846eb6b48370694816e4c https://git.kernel.org/stable/c/6f5e3bb7879ee1eb71c6c3cbaaffbb0da6cd7d57 https://git.kernel.org/stable/c/89e8fc989feaac00bf1a7f9a766289422e2f5768 https://git.kernel.org/stable/c/2dece4d6d13fe179ee3a5991811712725a56e2f7 https://git.kernel.org/stable/c/0393b8720128d5b39db8523e5bfbfc689f18c37c https://git.kernel.org/stable/c/bfa2e0cd3dfda64fde43c3dca3aeba298d2fe7ad https://git.kernel.org/stable/c/95c0a0c5ec8839f8f21672be786e87a10 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47445 – drm/msm: Fix null pointer dereference on pointer edp
https://notcve.org/view.php?id=CVE-2021-47445
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix null pointer dereference on pointer edp The initialization of pointer dev dereferences pointer edp before edp is null checked, so there is a potential null pointer deference issue. Fix this by only dereferencing edp after edp has been null checked. Addresses-Coverity: ("Dereference before null check") En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/msm: corrige la desreferencia del puntero nulo en el puntero edp. La inicialización del puntero dev desreferencias del puntero edp antes de edp se marca como nula, por lo que existe un posible problema de deferencia del puntero nulo. Solucione este problema eliminando la referencia a edp únicamente después de que se haya marcado como nulo. Direcciones-Cobertura: ("Desreferencia antes de verificación nula") • https://git.kernel.org/stable/c/ab5b0107ccf3821a6837b0f2819270d6fa0b278f https://git.kernel.org/stable/c/f175b9a83e5c252d7c74acddc792840016caae0a https://git.kernel.org/stable/c/bacac7d26849c8e903ceb7466d9ce8dc3c2797eb https://git.kernel.org/stable/c/0cd063aa0a09822cc1620fc59a67fe2f9f6338ac https://git.kernel.org/stable/c/7f642b93710b6b1119bdff90be01e6b5a2a5d669 https://git.kernel.org/stable/c/f302be08e3de94db8863a0b2958b2bb3e8e998e6 https://git.kernel.org/stable/c/91a340768b012f5b910a203a805b97a345b3db37 https://git.kernel.org/stable/c/46c8ddede0273d1d132beefa9de8b8203 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47443 – NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()
https://notcve.org/view.php?id=CVE-2021-47443
In the Linux kernel, the following vulnerability has been resolved: NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() 'params' is allocated in digital_tg_listen_mdaa(), but not free when digital_send_cmd() failed, which will cause memory leak. Fix it by freeing 'params' if digital_send_cmd() return failed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFC: digital: corrige una posible pérdida de memoria en digital_tg_listen_mdaa() Los 'params' se asignan en digital_tg_listen_mdaa(), pero no están libres cuando falla digital_send_cmd(), lo que provocará una pérdida de memoria. Solucionelo liberando 'params' si falla la devolución de digital_send_cmd(). • https://git.kernel.org/stable/c/1c7a4c24fbfd99442cc6e14dc80fcb00f118e8b8 https://git.kernel.org/stable/c/429054ec51e648d241a7e0b465cf44f6633334c5 https://git.kernel.org/stable/c/a67d47e32c91e2b10402cb8c081774cbf08edb2e https://git.kernel.org/stable/c/b7b023e6ff567e991c31cd425b0e1d16779c938b https://git.kernel.org/stable/c/9881b0c860649f27ef2565deef011e516390f416 https://git.kernel.org/stable/c/7ab488d7228a9dceb2456867f1f0919decf6efed https://git.kernel.org/stable/c/3f2960b39f22e26cf8addae93c3f5884d1c183c9 https://git.kernel.org/stable/c/564249219e5b5673a8416b5181875d828 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47442 – NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
https://notcve.org/view.php?id=CVE-2021-47442
In the Linux kernel, the following vulnerability has been resolved: NFC: digital: fix possible memory leak in digital_in_send_sdd_req() 'skb' is allocated in digital_in_send_sdd_req(), but not free when digital_in_send_cmd() failed, which will cause memory leak. Fix it by freeing 'skb' if digital_in_send_cmd() return failed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFC: digital: corrige una posible pérdida de memoria en digital_in_send_sdd_req() 'skb' está asignado en digital_in_send_sdd_req(), pero no está libre cuando falla digital_in_send_cmd(), lo que provocará una pérdida de memoria. Solucionarlo liberando 'skb' si falla la devolución de digital_in_send_cmd(). • https://git.kernel.org/stable/c/2c66daecc4092e6049673c281b2e6f0d5e59a94c https://git.kernel.org/stable/c/74569c78aa84f8c958f1334b465bc530906ec99a https://git.kernel.org/stable/c/88c890b0b9a1fb9fcd01c61ada515e8b636c34f9 https://git.kernel.org/stable/c/fcce6e5255474ca33c27dda0cdf9bf5087278873 https://git.kernel.org/stable/c/071bdef36391958c89af5fa2172f691b31baa212 https://git.kernel.org/stable/c/2bde4aca56db9fe25405d39ddb062531493a65db https://git.kernel.org/stable/c/50cb95487c265187289810addec5093d4fed8329 https://git.kernel.org/stable/c/6432d7f1d1c3aa74cfe8f5e3afdf81b78 •
CVSS: 7.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47441 – mlxsw: thermal: Fix out-of-bounds memory accesses
https://notcve.org/view.php?id=CVE-2021-47441
In the Linux kernel, the following vulnerability has been resolved: mlxsw: thermal: Fix out-of-bounds memory accesses Currently, mlxsw allows cooling states to be set above the maximum cooling state supported by the driver: # cat /sys/class/thermal/thermal_zone2/cdev0/type mlxsw_fan # cat /sys/class/thermal/thermal_zone2/cdev0/max_state 10 # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state # echo $? 0 This results in out-of-bounds memory accesses when thermal state transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the transition table is accessed with a too large index (state) [1]. According to the thermal maintainer, it is the responsibility of the driver to reject such operations [2]. Therefore, return an error when the state to be set exceeds the maximum cooling state supported by the driver. To avoid dead code, as suggested by the thermal maintainer [3], partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling device with cooling levels") that tried to interpret these invalid cooling states (above the maximum) in a special way. The cooling levels array is not removed in order to prevent the fans going below 20% PWM, which would cause them to get stuck at 0% PWM. [1] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290 Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122 Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016 Workqueue: events_freezable_power_ thermal_zone_device_check Call Trace: dump_stack_lvl+0x8b/0xb3 print_address_description.constprop.0+0x1f/0x140 kasan_report.cold+0x7f/0x11b thermal_cooling_device_stats_update+0x271/0x290 __thermal_cdev_update+0x15e/0x4e0 thermal_cdev_update+0x9f/0xe0 step_wise_throttle+0x770/0xee0 thermal_zone_device_update+0x3f6/0xdf0 process_one_work+0xa42/0x1770 worker_thread+0x62f/0x13e0 kthread+0x3ee/0x4e0 ret_from_fork+0x1f/0x30 Allocated by task 1: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0x7c/0x90 thermal_cooling_device_setup_sysfs+0x153/0x2c0 __thermal_cooling_device_register.part.0+0x25b/0x9c0 thermal_cooling_device_register+0xb3/0x100 mlxsw_thermal_init+0x5c5/0x7e0 __mlxsw_core_bus_device_register+0xcb3/0x19c0 mlxsw_core_bus_device_register+0x56/0xb0 mlxsw_pci_probe+0x54f/0x710 local_pci_probe+0xc6/0x170 pci_device_probe+0x2b2/0x4d0 really_probe+0x293/0xd10 __driver_probe_device+0x2af/0x440 driver_probe_device+0x51/0x1e0 __driver_attach+0x21b/0x530 bus_for_each_dev+0x14c/0x1d0 bus_add_driver+0x3ac/0x650 driver_register+0x241/0x3d0 mlxsw_sp_module_init+0xa2/0x174 do_one_initcall+0xee/0x5f0 kernel_init_freeable+0x45a/0x4de kernel_init+0x1f/0x210 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff8881052f7800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 1016 bytes inside of 1024-byte region [ffff8881052f7800, ffff8881052f7c00) The buggy address belongs to the page: page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0 head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x200000000010200(slab|head|node=0|zone=2) raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67- ---truncated--- En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: Thermal: corrige accesos a memoria fuera de los límites Actualmente, mlxsw permite establecer estados de enfriamiento por encima del estado de enfriamiento máximo admitido por el controlador: # cat /sys/class/ Thermal/thermal_zone2/cdev0/type mlxsw_fan # cat /sys/class/thermal/thermal_zone2/cdev0/max_state 10 # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state # echo $? 0 Esto da como resultado accesos a la memoria fuera de los límites cuando las estadísticas de transición de estado térmico están habilitadas (CONFIG_THERMAL_STATISTICS=y), ya que se accede a la tabla de transición con un índice (estado) demasiado grande [1]. • https://git.kernel.org/stable/c/a50c1e35650b929500bd89be61c89d95a267ce56 https://git.kernel.org/stable/c/ae0993739e14a102d506aa09e11b0065f3144f10 https://git.kernel.org/stable/c/e59d839743b50cb1d3f42a786bea48cc5621d254 https://git.kernel.org/stable/c/df8e58716afb3bee2b59de66b1ba1033f2e26303 https://git.kernel.org/stable/c/332fdf951df8b870e3da86b122ae304e2aabe88c https://access.redhat.com/security/cve/CVE-2021-47441 https://bugzilla.redhat.com/show_bug.cgi?id=2282851 • CWE-787: Out-of-bounds Write •