CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52851 – IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF
https://notcve.org/view.php?id=CVE-2023-52851
In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF In the unlikely event that workqueue allocation fails and returns NULL in mlx5_mkey_cache_init(), delete the call to mlx5r_umr_resource_cleanup() (which frees the QP) in mlx5_ib_stage_post_ib_reg_umr_init(). This will avoid attempted double free of the same QP when __mlx5_ib_add() does its cleanup. Resolves a splat: Syzkaller reported a UAF in ib_destroy_qp_user workqueue: Failed to create a rescuer kthread for wq "mkey_cache": -EINTR infiniband mlx5_0: mlx5_mkey_cache_init:981:(pid 1642): failed to create work queue infiniband mlx5_0: mlx5_ib_stage_post_ib_reg_umr_init:4075:(pid 1642): mr cache init failed -12 ================================================================== BUG: KASAN: slab-use-after-free in ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642 Call Trace: <TASK> kasan_report (mm/kasan/report.c:590) ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4178) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... </TASK> Allocated by task 1642: __kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1026 mm/slab_common.c:1039) create_qp (./include/linux/slab.h:603 ./include/linux/slab.h:720 . • https://git.kernel.org/stable/c/04876c12c19e94bbbc94bb0446c7bc7cd75163de https://git.kernel.org/stable/c/437f033e30c897bb3723eac9e9003cd9f88d00a3 https://git.kernel.org/stable/c/4f4a7a7d1404297f2a92df0046f7e64dc5c52dd9 https://git.kernel.org/stable/c/6387f269d84e6e149499408c4d1fc805017729b2 https://git.kernel.org/stable/c/2ef422f063b74adcc4a4a9004b0a87bb55e0a836 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52850 – media: hantro: Check whether reset op is defined before use
https://notcve.org/view.php?id=CVE-2023-52850
In the Linux kernel, the following vulnerability has been resolved: media: hantro: Check whether reset op is defined before use The i.MX8MM/N/P does not define the .reset op since reset of the VPU is done by genpd. Check whether the .reset op is defined before calling it to avoid NULL pointer dereference. Note that the Fixes tag is set to the commit which removed the reset op from i.MX8M Hantro G2 implementation, this is because before this commit all the implementations did define the .reset op. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: hantro: compruebe si la operación de reinicio está definida antes de su uso. El i.MX8MM/N/P no define la operación .reset ya que genpd realiza el reinicio de la VPU. Compruebe si la operación .reset está definida antes de llamarla para evitar la desreferencia del puntero NULL. • https://git.kernel.org/stable/c/6971efb70ac3e43d19bf33ef5f83bea0271831ee https://git.kernel.org/stable/c/64f55cebb4339ae771e9e7f3f42bee2489e2fa00 https://git.kernel.org/stable/c/66b4c5f980d741f3a47e4b65eeaf2797f2d59294 https://git.kernel.org/stable/c/24c06295f28335ced3aad53dd4b0a0bae7b9b100 https://git.kernel.org/stable/c/88d4b23a629ebd34f682f770cb6c2116c851f7b8 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52849 – cxl/mem: Fix shutdown order
https://notcve.org/view.php?id=CVE-2023-52849
In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix shutdown order Ira reports that removing cxl_mock_mem causes a crash with the following trace: BUG: kernel NULL pointer dereference, address: 0000000000000044 [..] RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core] [..] Call Trace: <TASK> cxl_region_detach+0xe8/0x210 [cxl_core] cxl_decoder_kill_region+0x27/0x40 [cxl_core] cxld_unregister+0x29/0x40 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 device_unregister+0x13/0x60 devm_release_action+0x4d/0x90 ? __pfx_unregister_port+0x10/0x10 [cxl_core] delete_endpoint+0x121/0x130 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 ? lock_release+0x142/0x290 cdev_device_del+0x15/0x50 cxl_memdev_unregister+0x54/0x70 [cxl_core] This crash is due to the clearing out the cxl_memdev's driver context (@cxlds) before the subsystem is done with it. This is ultimately due to the region(s), that this memdev is a member, being torn down and expecting to be able to de-reference @cxlds, like here: static int cxl_region_decode_reset(struct cxl_region *cxlr, int count) ... if (cxlds->rcd) goto endpoint_reset; ... Fix it by keeping the driver context valid until memdev-device unregistration, and subsequently the entire stack of related dependencies, unwinds. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cxl/mem: arreglo del orden de apagado. • https://git.kernel.org/stable/c/9cc238c7a526dba9ee8c210fa2828886fc65db66 https://git.kernel.org/stable/c/964a9834492210f48b360baa9e20a9eedf4d08ff https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209 •
CVSS: 5.2EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52847 – media: bttv: fix use after free error due to btv->timeout timer
https://notcve.org/view.php?id=CVE-2023-52847
In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv->timeout timer There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medio: bttv: corrección de uso después de error gratuito debido a btv->timeout timer. Puede haber alguna condición de ejecución entre la función del temporizador bttv_irq_timeout y bttv_remove. El temporizador está configurado en la sonda y no hay ninguna operación timer_delete en la función de eliminación. • https://git.kernel.org/stable/c/162e6376ac58440beb6a2d2ee294f5d88ea58dd1 https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9 https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574 https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226 https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267 https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586da • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52846 – hsr: Prevent use after free in prp_create_tagged_frame()
https://notcve.org/view.php?id=CVE-2023-52846
In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hsr: impedir el uso después de liberar en prp_create_tagged_frame(). • https://git.kernel.org/stable/c/451d8123f89791bb628277c0bdb4cae34a3563e6 https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18 https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363 https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d •