Page 17 of 5064 results (0.020 seconds)

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: af_can: do not leave a dangling sk pointer in can_create() On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause use-after-free later. • https://git.kernel.org/stable/c/884ae8bcee749be43a071d6ed2d89058dbd2425c https://git.kernel.org/stable/c/ce39b5576785bb3e66591145aad03d66bc3e778d https://git.kernel.org/stable/c/1fe625f12d090d69f3f084990c7e4c1ff94bfe5f https://git.kernel.org/stable/c/5947c9ac08f0771ea8ed64186b0d52e9029cb6c0 https://git.kernel.org/stable/c/db207d19adbac96058685f6257720906ad41d215 https://git.kernel.org/stable/c/8df832e6b945e1ba61467d7f1c9305e314ae92fe https://git.kernel.org/stable/c/811a7ca7320c062e15d0f5b171fe6ad8592d1434 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow use-after-free. Clear the sk pointer in the sock object on error. • https://git.kernel.org/stable/c/1d5fe782c0ff068d80933f9cfd0fd39d5434bbc9 https://git.kernel.org/stable/c/14959fd7538b3be6d7617d9e60e404d6a8d4fd1f https://git.kernel.org/stable/c/2b46994a6e76c8cc5556772932b9b60d03a55cd8 https://git.kernel.org/stable/c/e8bd6c5f5dc2234b4ea714380aedeea12a781754 https://git.kernel.org/stable/c/b4982fbf13042e3bb33e04eddfea8b1506b5ea65 https://git.kernel.org/stable/c/03caa9bfb9fde97fb53d33decd7364514e6825cb https://git.kernel.org/stable/c/b4fcd63f6ef79c73cafae8cf4a114def5fc3d80d •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: inet: do not leave a dangling sk pointer in inet_create() sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later. Clear the sk pointer in the sock object on error. • https://git.kernel.org/stable/c/f8a3f255f7509a209292871715cda03779640c8d https://git.kernel.org/stable/c/2bc34d8c8898ae9fddf4612501aabb22d76c2b2c https://git.kernel.org/stable/c/3e8258070b0f2aba66b3ef18883de229674fb288 https://git.kernel.org/stable/c/b4513cfd3a10c03c660d5d3d26c2e322efbfdd9b https://git.kernel.org/stable/c/25447c6aaa7235f155292b0c58a067347e8ae891 https://git.kernel.org/stable/c/691d6d816f93b2a1008c14178399061466e674ef https://git.kernel.org/stable/c/9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: inet6: do not leave a dangling sk pointer in inet6_create() sock_init_data() attaches the allocated sk pointer to the provided sock object. If inet6_create() fails later, the sk object is released, but the sock object retains the dangling sk pointer, which may cause use-after-free later. Clear the sock sk pointer on error. • https://git.kernel.org/stable/c/f2709d1271cfdf55c670ab5c5982139ab627ddc7 https://git.kernel.org/stable/c/35360255ca30776dee34d9fa764cffa24d0a5f65 https://git.kernel.org/stable/c/276a473c956fb55a6f3affa9ff232e10fffa7b43 https://git.kernel.org/stable/c/79e16a0d339532ea832d85798eb036fc4f9e0cea https://git.kernel.org/stable/c/706b07b7b37f886423846cb38919132090bc40da https://git.kernel.org/stable/c/f44fceb71d72d29fb00e0ac84cdf9c081b03cd06 https://git.kernel.org/stable/c/9df99c395d0f55fb444ef39f4d6f194ca437d884 •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: avoid NULL pointer error during sdio remove When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON. After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen. Call trace: ath10k_sdio_remove ->ath10k_core_unregister …… ->ath10k_core_stop ->ath10k_hif_stop ->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer) ->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free …… ->wiphy_dev_release ->destroy_workqueue Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe(). No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. • https://git.kernel.org/stable/c/543c0924d446b21f35701ca084d7feca09511220 https://git.kernel.org/stable/c/95c38953cb1ecf40399a676a1f85dfe2b5780a9a •