CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47459 – can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
https://notcve.org/view.php?id=CVE-2021-47459
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv It will trigger UAF for rx_kref of j1939_priv as following. cpu0 cpu1 j1939_sk_bind(socket0, ndev0, ...) j1939_netdev_start j1939_sk_bind(socket1, ndev0, ...) j1939_netdev_start j1939_priv_set j1939_priv_get_by_ndev_locked j1939_jsk_add ..... j1939_netdev_stop kref_put_lock(&priv->rx_kref, ...) kref_get(&priv->rx_kref, ...) REFCOUNT_WARN("addition on 0;...") ===============... • https://git.kernel.org/stable/c/9d71dd0c70099914fcd063135da3c580865e924c • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47458 – ocfs2: mount fails with buffer overflow in strlen
https://notcve.org/view.php?id=CVE-2021-47458
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: mount fails with buffer overflow in strlen Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the trace below. Problem seems to be that strings for cluster stack and cluster name are not guaranteed to be null terminated in the disk representation, while strlcpy assumes that the source string is always null terminated. This causes a read outside of t... • https://git.kernel.org/stable/c/ac011cb3ff7a76b3e0e6e77158ee4ba2f929e1fb •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47457 – can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()
https://notcve.org/view.php?id=CVE-2021-47457
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible() Using wait_event_interruptible() to wait for complete transmission, but do not check the result of wait_event_interruptible() which can be interrupted. It will result in TX buffer has multiple accessors and the later process interferes with the previous process. Following is one of the problems reported by syzbot. ===================================================... • https://git.kernel.org/stable/c/e057dd3fc20ffb3d7f150af46542a51b59b90127 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47456 – can: peak_pci: peak_pci_remove(): fix UAF
https://notcve.org/view.php?id=CVE-2021-47456
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: can: peak_pci: peak_pci_remove(): fix UAF When remove the module peek_pci, referencing 'chan' again after releasing 'dev' will cause UAF. Fix this by releasing 'dev' later. The following log reveals it: [ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537 [ 35.965513 ] Call Trace: [ 35.965718 ] dump_stack_lvl+0xa8/0xd1 [ 35.966028 ] pri... • https://git.kernel.org/stable/c/e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd • CWE-416: Use After Free CWE-467: Use of sizeof() on a Pointer Type •
CVSS: 5.1EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47455 – ptp: Fix possible memory leak in ptp_clock_register()
https://notcve.org/view.php?id=CVE-2021-47455
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ptp: Fix possible memory leak in ptp_clock_register() I got memory leak as follows when doing fault injection test: unreferenced object 0xffff88800906c618 (size 8): comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (age 13.188s) hex dump (first 8 bytes): 70 74 70 30 00 00 00 00 ptp0.... backtrace: [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 [<0000000079f6e2ff>] kvasprintf+0xb5/0x150 [<0000000026aae54f>] kvasprintf_const+0x60/... • https://git.kernel.org/stable/c/a33121e5487b424339636b25c35d3a180eaa5f5e •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47454 – powerpc/smp: do not decrement idle task preempt count in CPU offline
https://notcve.org/view.php?id=CVE-2021-47454
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: powerpc/smp: do not decrement idle task preempt count in CPU offline With PREEMPT_COUNT=y, when a CPU is offlined and then onlined again, we get: BUG: scheduling while atomic: swapper/1/0/0x00000000 no locks held by swapper/1/0. CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.0-rc2+ #100 Call Trace: dump_stack_lvl+0xac/0x108 __schedule_bug+0xac/0xe0 __schedule+0xcf8/0x10d0 schedule_idle+0x3c/0x70 do_idle+0x2d8/0x4a0 cpu_startup_entry+0x38/0x... • https://git.kernel.org/stable/c/bdf4d33e8342b90386156204e1da0cdfdb4bf146 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47452 – netfilter: nf_tables: skip netdev events generated on netns removal
https://notcve.org/view.php?id=CVE-2021-47452
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: skip netdev events generated on netns removal syzbot reported following (harmless) WARN: WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468 nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline] nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline] __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524 nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline] ... • https://git.kernel.org/stable/c/767d1216bff82507c945e92fe719dff2083bb2f4 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47451 – netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value
https://notcve.org/view.php?id=CVE-2021-47451
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Currently, when the rule related to IDLETIMER is added, idletimer_tg timer structure is initialized by kmalloc on executing idletimer_tg_create function. However, in this process timer->timer_type is not defined to a specific value. Thus, timer->timer_type has garbage value and it occurs kernel panic. So, this commit fixes the panic by initializing timer->timer... • https://git.kernel.org/stable/c/68983a354a655c35d3fb204489d383a2a051fda7 •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47448 – mptcp: fix possible stall on recvmsg()
https://notcve.org/view.php?id=CVE-2021-47448
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: fix possible stall on recvmsg() recvmsg() can enter an infinite loop if the caller provides the MSG_WAITALL, the data present in the receive queue is not sufficient to fulfill the request, and no more data is received by the peer. When the above happens, mptcp_wait_data() will always return with no wait, as the MPTCP_DATA_READY flag checked by such function is set and never cleared in such code path. Leveraging the above syzbot was a... • https://git.kernel.org/stable/c/7a6a6cbc3e592e339ad23e4e8ede9a3f6160bda8 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47447 – drm/msm/a3xx: fix error handling in a3xx_gpu_init()
https://notcve.org/view.php?id=CVE-2021-47447
22 May 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/msm/a3xx: fix error handling in a3xx_gpu_init() These error paths returned 1 on failure, instead of a negative error code. This would lead to an Oops in the caller. A second problem is that the check for "if (ret != -ENODATA)" did not work because "ret" was set to 1. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/msm/a3xx: corrige el manejo de errores en a3xx_gpu_init() Estas rutas de error devolvieron 1 en caso de ... • https://git.kernel.org/stable/c/5785dd7a8ef0de8049f40a1a109de6a1bf17b479 •