CVE-2024-41011 – drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
https://notcve.org/view.php?id=CVE-2024-41011
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdkfd: no permite mapear la página MMIO HDP con páginas grandes. • https://git.kernel.org/stable/c/d8e408a82704c86ba87c3d58cfe69dcdb758aa07 https://git.kernel.org/stable/c/009c4d78bcf07c4ac2e3dd9f275b4eaa72b4f884 https://git.kernel.org/stable/c/f7276cdc1912325b64c33fcb1361952c06e55f63 https://git.kernel.org/stable/c/8ad4838040e5515939c071a0f511ce2661a0889d https://git.kernel.org/stable/c/89fffbdf535ce659c1a26b51ad62070566e33b28 https://git.kernel.org/stable/c/4b4cff994a27ebf7bd3fb9a798a1cdfa8d01b724 https://git.kernel.org/stable/c/6186c93560889265bfe0914609c274eff40bbeb5 https://git.kernel.org/stable/c/be4a2a81b6b90d1a47eaeaace4cc8e2cb •
CVE-2022-48865 – tipc: fix kernel panic when enabling bearer
https://notcve.org/view.php?id=CVE-2022-48865
In the Linux kernel, the following vulnerability has been resolved: tipc: fix kernel panic when enabling bearer When enabling a bearer on a node, a kernel panic is observed: [ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc] ... [ 4.520030] Call Trace: [ 4.520689] <IRQ> [ 4.521236] tipc_link_build_proto_msg+0x375/0x750 [tipc] [ 4.522654] tipc_link_build_state_msg+0x48/0xc0 [tipc] [ 4.524034] __tipc_node_link_up+0xd7/0x290 [tipc] [ 4.525292] tipc_rcv+0x5da/0x730 [tipc] [ 4.526346] ? __netif_receive_skb_core+0xb7/0xfc0 [ 4.527601] tipc_l2_rcv_msg+0x5e/0x90 [tipc] [ 4.528737] __netif_receive_skb_list_core+0x20b/0x260 [ 4.530068] netif_receive_skb_list_internal+0x1bf/0x2e0 [ 4.531450] ? dev_gro_receive+0x4c2/0x680 [ 4.532512] napi_complete_done+0x6f/0x180 [ 4.533570] virtnet_poll+0x29c/0x42e [virtio_net] ... The node in question is receiving activate messages in another thread after changing bearer status to allow message sending/ receiving in current thread: thread 1 | thread 2 -------- | -------- | tipc_enable_bearer() | test_and_set_bit_lock() | tipc_bearer_xmit_skb() | | tipc_l2_rcv_msg() | tipc_rcv() | __tipc_node_link_up() | tipc_link_build_state_msg() | tipc_link_build_proto_msg() | tipc_mon_prep() | { | ... | // null-pointer dereference | u16 gen = mon->dom_gen; | ... | } // Not being executed yet | tipc_mon_create() | { | ... | // allocate | mon = kzalloc(); | ... | } | Monitoring pointer in thread 2 is dereferenced before monitoring data is allocated in thread 1. • https://git.kernel.org/stable/c/35c55c9877f8de0ab129fa1a309271d0ecc868b9 https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5 https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71 https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94 https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3 • CWE-476: NULL Pointer Dereference •
CVE-2022-48863 – mISDN: Fix memory leak in dsp_pipeline_build()
https://notcve.org/view.php?id=CVE-2022-48863
In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mISDN: corrige la pérdida de memoria en dsp_pipeline_build() dsp_pipeline_build() asigna el puntero dup mediante kstrdup(cfg), pero luego actualiza la variable dup mediante strsep(&dup, "|"). Como resultado, cuando llama a kfree(dup), la variable dup contiene NULL. Encontrado por el proyecto de verificación de controladores de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/960366cf8dbb3359afaca30cf7fdbf69a6d6dda7 https://git.kernel.org/stable/c/a3d5fcc6cf2ecbba5a269631092570aa285a24cb https://git.kernel.org/stable/c/7777b1f795af1bb43867375d8a776080111aae1b https://git.kernel.org/stable/c/640445d6fc059d4514ffea79eb4196299e0e2d0f https://git.kernel.org/stable/c/c6a502c2299941c8326d029cfc8a3bc8a4607ad5 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2022-48860 – ethernet: Fix error handling in xemaclite_of_probe
https://notcve.org/view.php?id=CVE-2022-48860
In the Linux kernel, the following vulnerability has been resolved: ethernet: Fix error handling in xemaclite_of_probe This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. As the remove function do. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ethernet: corrige el manejo de errores en xemaclite_of_probe Este puntero de nodo lo devuelve of_parse_phandle() con refcount incrementado en esta función. Llamar a of_node_put() para evitar la fuga de recuento. • https://git.kernel.org/stable/c/5cdaaa12866e916d0ada8b56c5f0e543cfc7fe3d https://git.kernel.org/stable/c/669172ce976608b25a2f76f3c65d47f042d125c9 https://git.kernel.org/stable/c/b7220f8e9d6c6b9594ddfb3125dad938cd478b1f https://git.kernel.org/stable/c/8609e29611befc4bfbe7a91bb50fc65ae72ff549 https://git.kernel.org/stable/c/8ee065a7a9b6a3976c16340503677efc4d8351f6 https://git.kernel.org/stable/c/979b418b96e35f07136f77962ccfaa54cf3e30e1 https://git.kernel.org/stable/c/5e7c402892e189a7bc152b125e72261154aa585d https://git.kernel.org/stable/c/1852854ee349881efb78ccdbbb2378389 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2022-48858 – net/mlx5: Fix a race on command flush flow
https://notcve.org/view.php?id=CVE-2022-48858
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix a race on command flush flow Fix a refcount use after free warning due to a race on command entry. Such race occurs when one of the commands releases its last refcount and frees its index and entry while another process running command flush flow takes refcount to this command entry. The process which handles commands flush may see this command as needed to be flushed if the other process released its refcount but didn't release the index yet. Fix it by adding the needed spin lock. It fixes the following warning trace: refcount_t: addition on 0; use-after-free. WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 ... RIP: 0010:refcount_warn_saturate+0x80/0xe0 ... Call Trace: <TASK> mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] enter_error_state+0x44/0x80 [mlx5_core] mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] process_one_work+0x1be/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x141/0x160 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 </TASK> En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: Corregir una ejecución en el flujo de descarga de comandos. • https://git.kernel.org/stable/c/073fff8102062cd675170ceb54d90da22fe7e668 https://git.kernel.org/stable/c/50b2412b7e7862c5af0cbf4b10d93bc5c712d021 https://git.kernel.org/stable/c/da87ea137373689dec9d3fafa34a57787320a4b3 https://git.kernel.org/stable/c/1a4017926eeea56c7540cc41b42106746ee8a0ee https://git.kernel.org/stable/c/f3331bc17449f15832c31823f27573f4c0e13e5f https://git.kernel.org/stable/c/7c519f769f555ff7d9d4ccba3497bbb589df360a https://git.kernel.org/stable/c/0401bfb27a91d7bdd74b1635c1aae57cbb128da6 https://git.kernel.org/stable/c/063bd355595428750803d8736a9bb7c8d • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •