CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47458 – ocfs2: mount fails with buffer overflow in strlen
https://notcve.org/view.php?id=CVE-2021-47458
In the Linux kernel, the following vulnerability has been resolved: ocfs2: mount fails with buffer overflow in strlen Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the trace below. Problem seems to be that strings for cluster stack and cluster name are not guaranteed to be null terminated in the disk representation, while strlcpy assumes that the source string is always null terminated. This causes a read outside of the source string triggering the buffer overflow detection. detected buffer overflow in strlen ------------[ cut here ]------------ kernel BUG at lib/string.c:1149! invalid opcode: 0000 [#1] SMP PTI CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 Debian 5.14.6-2 RIP: 0010:fortify_panic+0xf/0x11 ... Call Trace: ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] ocfs2_fill_super+0x359/0x19b0 [ocfs2] mount_bdev+0x185/0x1b0 legacy_get_tree+0x27/0x40 vfs_get_tree+0x25/0xb0 path_mount+0x454/0xa20 __x64_sys_mount+0x103/0x140 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ocfs2: el montaje falla con desbordamiento del búfer en strlen. A partir del kernel 5.11 compilado con CONFIG_FORTIFY_SOURCE, la conexión de un sistema de archivos ocfs2 con una pila de clúster o2cb o pcmk falla con el siguiente seguimiento. • https://git.kernel.org/stable/c/ac011cb3ff7a76b3e0e6e77158ee4ba2f929e1fb https://git.kernel.org/stable/c/4b74ddcc22ee6455946e80a9c4808801f8f8561e https://git.kernel.org/stable/c/232ed9752510de4436468b653d145565669c8498 https://git.kernel.org/stable/c/7623b1035ca2d17bde0f6a086ad6844a34648df1 https://git.kernel.org/stable/c/d3a83576378b4c904f711598dde2c5e881c4295c https://git.kernel.org/stable/c/93be0eeea14cf39235e585c8f56df3b3859deaad https://git.kernel.org/stable/c/0e677ea5b7396f715a76b6b0ef441430e4c4b57f https://git.kernel.org/stable/c/b15fa9224e6e1239414525d8d556d8247 •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47456 – can: peak_pci: peak_pci_remove(): fix UAF
https://notcve.org/view.php?id=CVE-2021-47456
In the Linux kernel, the following vulnerability has been resolved: can: peak_pci: peak_pci_remove(): fix UAF When remove the module peek_pci, referencing 'chan' again after releasing 'dev' will cause UAF. Fix this by releasing 'dev' later. The following log reveals it: [ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537 [ 35.965513 ] Call Trace: [ 35.965718 ] dump_stack_lvl+0xa8/0xd1 [ 35.966028 ] print_address_description+0x87/0x3b0 [ 35.966420 ] kasan_report+0x172/0x1c0 [ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170 [ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967945 ] __asan_report_load8_noabort+0x14/0x20 [ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.968752 ] pci_device_remove+0xa9/0x250 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: pico_pci: pico_pci_remove(): arreglar UAF Cuando se elimina el módulo peek_pci, hacer referencia a 'chan' nuevamente después de liberar 'dev' causará UAF. Solucione este problema lanzando 'dev' más tarde. • https://git.kernel.org/stable/c/e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd https://git.kernel.org/stable/c/1c616528ba4aeb1125a06b407572ab7b56acae38 https://git.kernel.org/stable/c/447d44cd2f67a20b596ede3ca3cd67086dfd9ca9 https://git.kernel.org/stable/c/34914971bb3244db4ce2be44e9438a9b30c56250 https://git.kernel.org/stable/c/adbda14730aacce41c0d3596415aa39ad63eafd9 https://git.kernel.org/stable/c/1248582e47a9f7ce0ecd156c39fc61f8b6aa3699 https://git.kernel.org/stable/c/28f28e4bc3a5e0051faa963f10b778ab38c1db69 https://git.kernel.org/stable/c/0e5afdc2315b0737edcf55bede4ee1640 • CWE-416: Use After Free CWE-467: Use of sizeof() on a Pointer Type •
CVSS: 5.1EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47455 – ptp: Fix possible memory leak in ptp_clock_register()
https://notcve.org/view.php?id=CVE-2021-47455
In the Linux kernel, the following vulnerability has been resolved: ptp: Fix possible memory leak in ptp_clock_register() I got memory leak as follows when doing fault injection test: unreferenced object 0xffff88800906c618 (size 8): comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (age 13.188s) hex dump (first 8 bytes): 70 74 70 30 00 00 00 00 ptp0.... backtrace: [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 [<0000000079f6e2ff>] kvasprintf+0xb5/0x150 [<0000000026aae54f>] kvasprintf_const+0x60/0x190 [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150 [<000000004e35abdd>] dev_set_name+0xc0/0x100 [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp] [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33] When posix_clock_register() returns an error, the name allocated in dev_set_name() will be leaked, the put_device() should be used to give up the device reference, then the name will be freed in kobject_cleanup() and other memory will be freed in ptp_clock_release(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ptp: solucione una posible pérdida de memoria en ptp_clock_register() Obtuve una pérdida de memoria de la siguiente manera al realizar la prueba de inyección de fallas: objeto sin referencia 0xffff88800906c618 (tamaño 8): comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (edad 13,188 s) volcado hexadecimal (primeros 8 bytes): 70 74 70 30 00 00 00 00 ptp0.... backtrace: [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 [<0000 000079f6e2ff>] kvasprintf+0xb5 /0x150 [<0000000026aae54f>] kvasprintf_const+0x60/0x190 [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150 [<000000004e35abdd>] dev_set_name+0xc0/0x100 0000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp] [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33] Cuando posix_clock_register() devuelve un error, el nombre asignado en dev_set_name() se filtrará, se debe usar put_device() para renunciar a la referencia del dispositivo, luego el nombre se liberará kobject_cleanup() y otra memoria se liberarán en ptp_clock_release(). • https://git.kernel.org/stable/c/a33121e5487b424339636b25c35d3a180eaa5f5e https://git.kernel.org/stable/c/5230ef61882d2d14deb846eb6b48370694816e4c https://git.kernel.org/stable/c/6f5e3bb7879ee1eb71c6c3cbaaffbb0da6cd7d57 https://git.kernel.org/stable/c/89e8fc989feaac00bf1a7f9a766289422e2f5768 https://git.kernel.org/stable/c/2dece4d6d13fe179ee3a5991811712725a56e2f7 https://git.kernel.org/stable/c/0393b8720128d5b39db8523e5bfbfc689f18c37c https://git.kernel.org/stable/c/bfa2e0cd3dfda64fde43c3dca3aeba298d2fe7ad https://git.kernel.org/stable/c/95c0a0c5ec8839f8f21672be786e87a10 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47452 – netfilter: nf_tables: skip netdev events generated on netns removal
https://notcve.org/view.php?id=CVE-2021-47452
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: skip netdev events generated on netns removal syzbot reported following (harmless) WARN: WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468 nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline] nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline] __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524 nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline] nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382 reproducer: unshare -n bash -c 'ip link add br0 type bridge; nft add table netdev t ; \ nft add chain netdev t ingress \{ type filter hook ingress device "br0" \ priority 0\; policy drop\; \}' Problem is that when netns device exit hooks create the UNREGISTER event, the .pre_exit hook for nf_tables core has already removed the base hook. Notifier attempts to do this again. The need to do base hook unregister unconditionally was needed in the past, because notifier was last stage where reg->dev dereference was safe. Now that nf_tables does the hook removal in .pre_exit, this isn't needed anymore. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: omitir eventos de netdev generados al eliminar netns syzbot informó lo siguiente (inofensivo) ADVERTENCIA: ADVERTENCIA: CPU: 1 PID: 2648 en net/netfilter/core.c:468 nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [en línea] nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [en línea] __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524 nft_netdev_event net/netfilter/nft_ filtro_cadena.c: 351 [en línea] nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382 reproductor: dejar de compartir -n bash -c 'ip link agregar puente tipo br0; nft agregar tabla netdev t; \ nft add chain netdev t ingress \{ tipo filtro gancho ingreso dispositivo "br0" \ prioridad 0\; caída de la política\; \}' El problema es que cuando los ganchos de salida del dispositivo netns crean el evento UNREGISTER, el gancho .pre_exit para nf_tables core ya ha eliminado el gancho base. Notifier intenta hacer esto nuevamente. La necesidad de cancelar el registro del enlace base incondicionalmente era necesaria en el pasado, porque el notificador era la última etapa donde la desreferencia reg->dev era segura. • https://git.kernel.org/stable/c/767d1216bff82507c945e92fe719dff2083bb2f4 https://git.kernel.org/stable/c/b110391d1e806167254d3c7ae5d637191d913175 https://git.kernel.org/stable/c/0a0e5d47670b753d3dbf88f3c77a97a30864d9bd https://git.kernel.org/stable/c/90c7c58aa2bd02c65a4c63b7dfe0b16eab12cf9f https://git.kernel.org/stable/c/68a3765c659f809dcaac20030853a054646eb739 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47445 – drm/msm: Fix null pointer dereference on pointer edp
https://notcve.org/view.php?id=CVE-2021-47445
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix null pointer dereference on pointer edp The initialization of pointer dev dereferences pointer edp before edp is null checked, so there is a potential null pointer deference issue. Fix this by only dereferencing edp after edp has been null checked. Addresses-Coverity: ("Dereference before null check") En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/msm: corrige la desreferencia del puntero nulo en el puntero edp. La inicialización del puntero dev desreferencias del puntero edp antes de edp se marca como nula, por lo que existe un posible problema de deferencia del puntero nulo. Solucione este problema eliminando la referencia a edp únicamente después de que se haya marcado como nulo. Direcciones-Cobertura: ("Desreferencia antes de verificación nula") • https://git.kernel.org/stable/c/ab5b0107ccf3821a6837b0f2819270d6fa0b278f https://git.kernel.org/stable/c/f175b9a83e5c252d7c74acddc792840016caae0a https://git.kernel.org/stable/c/bacac7d26849c8e903ceb7466d9ce8dc3c2797eb https://git.kernel.org/stable/c/0cd063aa0a09822cc1620fc59a67fe2f9f6338ac https://git.kernel.org/stable/c/7f642b93710b6b1119bdff90be01e6b5a2a5d669 https://git.kernel.org/stable/c/f302be08e3de94db8863a0b2958b2bb3e8e998e6 https://git.kernel.org/stable/c/91a340768b012f5b910a203a805b97a345b3db37 https://git.kernel.org/stable/c/46c8ddede0273d1d132beefa9de8b8203 •