CVE-2021-47475 – comedi: vmk80xx: fix transfer-buffer overflows
https://notcve.org/view.php?id=CVE-2021-47475
In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix transfer-buffer overflows The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes. Commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize of usb endpoints found") inadvertently fixed NULL-pointer dereferences when accessing the transfer buffers in case a malicious device has a zero wMaxPacketSize. Make sure to allocate buffers large enough to handle also the other accesses that are done without a size check (e.g. byte 18 in vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond the buffers, for example, when doing descriptor fuzzing. The original driver was for a low-speed device with 8-byte buffers. Support was later added for a device that uses bulk transfers and is presumably a full-speed device with a maximum 64-byte wMaxPacketSize. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige desbordamientos del búfer de transferencia El controlador utiliza búferes de transferencia USB del tamaño de un terminal, pero hasta hace poco no tenía controles de cordura sobre los tamaños. el commit e1f13c879a7c ("staging: comedi: verificar la validez de wMaxPacketSize de los endpoints USB encontrados") corrigió inadvertidamente las desreferencias de puntero NULL al acceder a los buffers de transferencia en caso de que un dispositivo malicioso tenga un wMaxPacketSize cero. Asegúrese de asignar buffers lo suficientemente grandes para manejar también los otros accesos que se realizan sin una verificación de tamaño (por ejemplo, el byte 18 en vmk80xx_cnt_insn_read() para VMK8061_MODEL) para evitar escribir más allá de los buffers, por ejemplo, cuando se realiza una confusión de descriptores. El controlador original era para un dispositivo de baja velocidad con buffers de 8 bytes. Posteriormente se agregó soporte para un dispositivo que utiliza transferencias masivas y presumiblemente es un dispositivo de velocidad completa con un wMaxPacketSize máximo de 64 bytes. • https://git.kernel.org/stable/c/985cafccbf9b7f862aa1c5ee566801e18b5161fb https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7 https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088 https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9 https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00 https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a •
CVE-2021-47474 – comedi: vmk80xx: fix bulk-buffer overflow
https://notcve.org/view.php?id=CVE-2021-47474
In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix bulk-buffer overflow The driver is using endpoint-sized buffers but must not assume that the tx and rx buffers are of equal size or a malicious device could overflow the slab-allocated receive buffer when doing bulk transfers. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige el desbordamiento masivo del búfer El controlador utiliza búferes del tamaño de un endpoint, pero no debe asumir que los búferes tx y rx son del mismo tamaño o un dispositivo malicioso podría desbordar el búfer de recepción asignado por losa al realizar transferencias masivas. • https://git.kernel.org/stable/c/985cafccbf9b7f862aa1c5ee566801e18b5161fb https://git.kernel.org/stable/c/e0e6a63fd97ad95fe05dfd77268a1952551e11a7 https://git.kernel.org/stable/c/7cfb35db607760698d299fd1cf7402dfa8f09973 https://git.kernel.org/stable/c/0866dcaa828c21bc2f94dac00e086078f11b5772 https://git.kernel.org/stable/c/063f576c43d589a4c153554b681d32b3f8317c7b https://git.kernel.org/stable/c/1ae4715121a57bc6fa29fd992127b01907f2f993 https://git.kernel.org/stable/c/b7fd7f3387f070215e6be341e68eb5c087eeecc0 https://git.kernel.org/stable/c/7b0e356189327287d0eb98ec081bd6dd9 •
CVE-2021-47473 – scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()
https://notcve.org/view.php?id=CVE-2021-47473
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() Commit 8c0eb596baa5 ("[SCSI] qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()"), intended to change: bsg_job->request->msgcode == FC_BSG_HST_ELS_NOLOGIN bsg_job->request->msgcode != FC_BSG_RPT_ELS but changed it to: bsg_job->request->msgcode == FC_BSG_RPT_ELS instead. Change the == to a != to avoid leaking the fcport structure or freeing unallocated memory. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: qla2xxx: corrige una pérdida de memoria en una ruta de error de qla2x00_process_els() Commit 8c0eb596baa5 ("[SCSI] qla2xxx: corrige una pérdida de memoria en una ruta de error de qla2x00_process_els()" ), destinado a cambiar: bsg_job->request->msgcode == FC_BSG_HST_ELS_NOLOGIN bsg_job->request->msgcode != FC_BSG_RPT_ELS pero lo cambió a: bsg_job->request->msgcode == FC_BSG_RPT_ELS en su lugar. • https://git.kernel.org/stable/c/8c0eb596baa51f2b43949c698c644727ef17805c https://git.kernel.org/stable/c/96f0aebf29be25254fa585af43924e34aa21fd9a https://git.kernel.org/stable/c/a7fbb56e6c941d9f59437b96412a348e66388d3e https://git.kernel.org/stable/c/7fb223d0ad801f633c78cbe42b1d1b55f5d163ad •
CVE-2021-47469 – spi: Fix deadlock when adding SPI controllers on SPI buses
https://notcve.org/view.php?id=CVE-2021-47469
In the Linux kernel, the following vulnerability has been resolved: spi: Fix deadlock when adding SPI controllers on SPI buses Currently we have a global spi_add_lock which we take when adding new devices so that we can check that we're not trying to reuse a chip select that's already controlled. This means that if the SPI device is itself a SPI controller and triggers the instantiation of further SPI devices we trigger a deadlock as we try to register and instantiate those devices while in the process of doing so for the parent controller and hence already holding the global spi_add_lock. Since we only care about concurrency within a single SPI bus move the lock to be per controller, avoiding the deadlock. This can be easily triggered in the case of spi-mux. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: soluciona el punto muerto al agregar controladores SPI en buses SPI. Actualmente tenemos un spi_add_lock global que utilizamos cuando agregamos nuevos dispositivos para que podamos verificar que no estamos intentando reutilizar un selección de chip que ya está controlado. • https://git.kernel.org/stable/c/aa3f3d7bef59583f2d3234173105a27ff61ef8fe https://git.kernel.org/stable/c/c8dce228db6f81dbc897a018dfc5c418e917cf64 https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0 •
CVE-2021-47468 – isdn: mISDN: Fix sleeping function called from invalid context
https://notcve.org/view.php?id=CVE-2021-47468
In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: Fix sleeping function called from invalid context The driver can call card->isac.release() function from an atomic context. Fix this by calling this function after releasing the lock. The following log reveals it: [ 44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018 [ 44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe [ 44.169574 ] INFO: lockdep is turned off. [ 44.169899 ] irq event stamp: 0 [ 44.170160 ] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [ 44.170627 ] hardirqs last disabled at (0): [<ffffffff814209ed>] copy_process+0x132d/0x3e00 [ 44.171240 ] softirqs last enabled at (0): [<ffffffff81420a1a>] copy_process+0x135a/0x3e00 [ 44.171852 ] softirqs last disabled at (0): [<0000000000000000>] 0x0 [ 44.172318 ] Preemption disabled at: [ 44.172320 ] [<ffffffffa009b0a9>] nj_release+0x69/0x500 [netjet] [ 44.174441 ] Call Trace: [ 44.174630 ] dump_stack_lvl+0xa8/0xd1 [ 44.174912 ] dump_stack+0x15/0x17 [ 44.175166 ] ___might_sleep+0x3a2/0x510 [ 44.175459 ] ? nj_release+0x69/0x500 [netjet] [ 44.175791 ] __might_sleep+0x82/0xe0 [ 44.176063 ] ? start_flush_work+0x20/0x7b0 [ 44.176375 ] start_flush_work+0x33/0x7b0 [ 44.176672 ] ? trace_irq_enable_rcuidle+0x85/0x170 [ 44.177034 ] ? kasan_quarantine_put+0xaa/0x1f0 [ 44.177372 ] ? • https://git.kernel.org/stable/c/6f95c97e0f9d6eb39c3f2cb45e8fa4268d1b372b https://git.kernel.org/stable/c/ef269a8808cb1759245a98a7fe16fceaebad894c https://git.kernel.org/stable/c/37e4f57b22cc5ebb3f80cf0f74fdeb487f082367 https://git.kernel.org/stable/c/a5b34409d3fc52114c828be4adbc30744fa3258b https://git.kernel.org/stable/c/4054b869dc263228d30a4755800b78f0f2ba0c89 https://git.kernel.org/stable/c/9f591cbdbed3d7822b2bdba89b34a6d7b434317d https://git.kernel.org/stable/c/f5966ba53013149bcf94e1536644a958dd00a026 https://git.kernel.org/stable/c/6510e80a0b81b5d814e3aea6297ba42f5 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •