CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47615 – RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow
https://notcve.org/view.php?id=CVE-2021-47615
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow For the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though it is a user MR. This causes function mlx5_free_priv_descs() to think that it is a kernel MR, leading to wrongly accessing mr->descs that will get wrong values in the union which leads to attempt to release resources that were not allocated in the first place. For example: DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes] WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0 RIP: 0010:check_unmap+0x54f/0x8b0 Call Trace: debug_dma_unmap_page+0x57/0x60 mlx5_free_priv_descs+0x57/0x70 [mlx5_ib] mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib] ib_dereg_mr_user+0x60/0x140 [ib_core] uverbs_destroy_uobject+0x59/0x210 [ib_uverbs] uobj_destroy+0x3f/0x80 [ib_uverbs] ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs] ? uverbs_finalize_object+0x50/0x50 [ib_uverbs] ? lock_acquire+0xc4/0x2e0 ? lock_acquired+0x12/0x380 ? • https://git.kernel.org/stable/c/f18ec422311767738ef4033b61e91cae07163b22 https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701 https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9 https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47614 – RDMA/irdma: Fix a user-after-free in add_pble_prm
https://notcve.org/view.php?id=CVE-2021-47614
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix a user-after-free in add_pble_prm When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE info list. Add the chunk entry to the PBLE info list only after successful setting of the SD in irdma_hmc_sd_one. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/irdma: corrige un user-after-free en add_pble_prm Cuando falla irdma_hmc_sd_one, el 'fragmento' se libera mientras todavía está en la lista de información de PBLE. Agregue la entrada del fragmento a la lista de información de PBLE solo después de configurar correctamente la SD en irdma_hmc_sd_one. • https://git.kernel.org/stable/c/e8c4dbc2fcacf5a7468d312168bb120c27c38b32 https://git.kernel.org/stable/c/11eebcf63e98fcf047a876a51d76afdabc3b8b9b https://git.kernel.org/stable/c/1e11a39a82e95ce86f849f40dda0d9c0498cebd9 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47613 – i2c: virtio: fix completion handling
https://notcve.org/view.php?id=CVE-2021-47613
In the Linux kernel, the following vulnerability has been resolved: i2c: virtio: fix completion handling The driver currently assumes that the notify callback is only received when the device is done with all the queued buffers. However, this is not true, since the notify callback could be called without any of the queued buffers being completed (for example, with virtio-pci and shared interrupts) or with only some of the buffers being completed (since the driver makes them available to the device in multiple separate virtqueue_add_sgs() calls). This can lead to incorrect data on the I2C bus or memory corruption in the guest if the device operates on buffers which are have been freed by the driver. (The WARN_ON in the driver is also triggered.) BUG kmalloc-128 (Tainted: G W ): Poison overwritten First byte 0x0 instead of 0x6b Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28 memdup_user+0x2e/0xbd i2cdev_ioctl_rdwr+0x9d/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28 kfree+0x1bd/0x1cc i2cdev_ioctl_rdwr+0x1bb/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Fix this by calling virtio_get_buf() from the notify handler like other virtio drivers and by actually waiting for all the buffers to be completed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i2c: virtio: manejo de finalización de reparación El controlador actualmente supone que la devolución de llamada de notificación solo se recibe cuando el dispositivo termina con todos los búferes en cola. Sin embargo, esto no es cierto, ya que la devolución de llamada de notificación podría llamarse sin que se complete ninguno de los búferes en cola (por ejemplo, con virtio-pci e interrupciones compartidas) o con solo algunos de los búferes completados (ya que el controlador los pone a disposición). al dispositivo en múltiples llamadas virtqueue_add_sgs() separadas). Esto puede provocar datos incorrectos en el bus I2C o daños en la memoria del huésped si el dispositivo funciona con búferes que han sido liberados por el controlador. • https://git.kernel.org/stable/c/3cfc88380413d20f777dc6648a38f683962e52bf https://git.kernel.org/stable/c/9cbb957441ed8873577d7d313a3d79d69f1dad5c https://git.kernel.org/stable/c/b503de239f62eca898cfb7e820d9a35499137d22 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47612 – nfc: fix segfault in nfc_genl_dump_devices_done
https://notcve.org/view.php?id=CVE-2021-47612
In the Linux kernel, the following vulnerability has been resolved: nfc: fix segfault in nfc_genl_dump_devices_done When kmalloc in nfc_genl_dump_devices() fails then nfc_genl_dump_devices_done() segfaults as below KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Call Trace: <TASK> class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 netlink_sock_destruct+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 process_one_work+0x411/0x710 worker_thread+0x6fd/0xa80 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfc: corrige el error de segmentación en nfc_genl_dump_devices_done Cuando falla kmalloc en nfc_genl_dump_devices(), entonces el error de segmentación de nfc_genl_dump_devices_done() se muestra a continuación KASAN: null-ptr-deref en el rango [0x0000000000000008-0x00 0000000000000f] CPU: 0 PID : 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/ 2014 Cola de trabajo: eventos netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Seguimiento de llamadas: class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 estructura+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 Process_one_work+0x411/0x710 trabajador_thread+0x6fd/0xa80 • https://git.kernel.org/stable/c/ea55b3797878752aa076b118afb727dcf79cac34 https://git.kernel.org/stable/c/214af18abbe39db05beb305b2d11e87d09a6529c https://git.kernel.org/stable/c/6644989642844de830f9b072cd65c553cb55946c https://git.kernel.org/stable/c/2a8845b9603c545fddd17862282dc4c4ce0971e3 https://git.kernel.org/stable/c/d731ecc6f2eaec68f4ad1542283bbc7d07bd0112 https://git.kernel.org/stable/c/c602863ad28ec86794cb4ab4edea5324f555f181 https://git.kernel.org/stable/c/d89e4211b51752daf063d638af50abed2fd5f96d https://git.kernel.org/stable/c/fd79a0cbf0b2e34bcc45b13acf962e203 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47611 – mac80211: validate extended element ID is present
https://notcve.org/view.php?id=CVE-2021-47611
In the Linux kernel, the following vulnerability has been resolved: mac80211: validate extended element ID is present Before attempting to parse an extended element, verify that the extended element ID is present. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mac80211: validar que el ID del elemento extendido esté presente Antes de intentar analizar un elemento extendido, verifique que el ID del elemento extendido esté presente. • https://git.kernel.org/stable/c/41cbb0f5a29592874355e4159489eb08337cd50e https://git.kernel.org/stable/c/03029bb044ccee60adbc93e70713f3ae58abc3a1 https://git.kernel.org/stable/c/a19cf6844b509d44ecbd536f33d314d91ecdd2b5 https://git.kernel.org/stable/c/7fd214fc7f2ee3a89f91e717e3cfad55f5a27045 https://git.kernel.org/stable/c/c62b16f98688ae7bc0ab23a6490481f4ce9b3a49 https://git.kernel.org/stable/c/768c0b19b50665e337c96858aa2b7928d6dcf756 •