CVSS: 6.2EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47503 – scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()
https://notcve.org/view.php?id=CVE-2021-47503
In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc() Calling scsi_remove_host() before scsi_add_host() results in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000108 RIP: 0010:device_del+0x63/0x440 Call Trace: device_unregister+0x17/0x60 scsi_remove_host+0xee/0x2a0 pm8001_pci_probe+0x6ef/0x1b90 [pm80xx] local_pci_probe+0x3f/0x90 We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host() has not been called yet at that point in time. Function call tree: pm8001_pci_probe() | `- pm8001_pci_alloc() | | | `- pm8001_alloc() | | | `- scsi_remove_host() | `- scsi_add_host() En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: pm80xx: No llamar a scsi_remove_host() en pm8001_alloc() Llamar a scsi_remove_host() antes de scsi_add_host() produce un bloqueo: ERROR: desreferencia del puntero NULL del kernel, dirección: 00000000000000108 RIP : 0010:device_del+0x63/0x440 Seguimiento de llamadas: device_unregister+0x17/0x60 scsi_remove_host+0xee/0x2a0 pm8001_pci_probe+0x6ef/0x1b90 [pm80xx] local_pci_probe+0x3f/0x90 No podemos llamar a scsi_remove_host() en pm8001_ alloc() porque scsi_add_host() no lo ha hecho sido llamado todavía en ese momento. Árbol de llamadas a funciones: pm8001_pci_probe() | `- pm8001_pci_alloc() | | | `- pm8001_alloc() | | | `- scsi_remove_host() | `- scsi_add_host() • https://git.kernel.org/stable/c/05c6c029a44d9f43715577e33e95eba87f44d285 https://git.kernel.org/stable/c/1e434d2687e8bc0b3cdc9dd093c0e9047c0b4add https://git.kernel.org/stable/c/f8dccc1bdea7e21b5ec06c957aef8831c772661c https://git.kernel.org/stable/c/653926205741add87a6cf452e21950eebc6ac10b • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47502 – ASoC: codecs: wcd934x: handle channel mappping list correctly
https://notcve.org/view.php?id=CVE-2021-47502
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd934x: handle channel mappping list correctly Currently each channel is added as list to dai channel list, however there is danger of adding same channel to multiple dai channel list which endups corrupting the other list where its already added. This patch ensures that the channel is actually free before adding to the dai channel list and also ensures that the channel is on the list before deleting it. This check was missing previously, and we did not hit this issue as we were testing very simple usecases with sequence of amixer commands. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: códecs: wcd934x: maneja correctamente la lista de asignación de canales Actualmente, cada canal se agrega como lista a la lista de canales dai, sin embargo, existe el peligro de agregar el mismo canal a varias listas de canales dai, lo que termina corrompiendo la otra lista donde ya está agregada. Este parche garantiza que el canal esté realmente libre antes de agregarlo a la lista de canales dai y también garantiza que el canal esté en la lista antes de eliminarlo. Esta verificación faltaba anteriormente y no encontramos este problema ya que estábamos probando casos de uso muy simples con una secuencia de comandos de amixer. • https://git.kernel.org/stable/c/a70d9245759a48e57bb1dc9f63213dcf3017db32 https://git.kernel.org/stable/c/1089dac26c6b4b833323ae6c0ceab29fb30ede72 https://git.kernel.org/stable/c/339ffb5b56005582aacc860524d2d208604049d1 https://git.kernel.org/stable/c/23ba28616d3063bd4c4953598ed5e439ca891101 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47501 – i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc
https://notcve.org/view.php?id=CVE-2021-47501
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc When trying to dump VFs VSI RX/TX descriptors using debugfs there was a crash due to NULL pointer dereference in i40e_dbg_dump_desc. Added a check to i40e_dbg_dump_desc that checks if VSI type is correct for dumping RX/TX descriptors. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i40e: Se corrigió la desreferencia del puntero NULL en i40e_dbg_dump_desc Al intentar volcar los descriptores VF VSI RX/TX usando debugfs, se produjo un bloqueo debido a la desreferencia del puntero NULL en i40e_dbg_dump_desc. Se agregó una verificación a i40e_dbg_dump_desc que verifica si el tipo de VSI es correcto para volcar descriptores RX/TX. • https://git.kernel.org/stable/c/02e9c290814cc143ceccecb14eac3e7a05da745e https://git.kernel.org/stable/c/e5b7fb2198abc50058f1a29c395b004f76ab1c83 https://git.kernel.org/stable/c/16431e442db248ecd8aa9457cf0a656f1885f56e https://git.kernel.org/stable/c/23ec111bf3549aae37140330c31a16abfc172421 https://access.redhat.com/security/cve/CVE-2021-47501 https://bugzilla.redhat.com/show_bug.cgi?id=2283453 • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47500 – iio: mma8452: Fix trigger reference couting
https://notcve.org/view.php?id=CVE-2021-47500
In the Linux kernel, the following vulnerability has been resolved: iio: mma8452: Fix trigger reference couting The mma8452 driver directly assigns a trigger to the struct iio_dev. The IIO core when done using this trigger will call `iio_trigger_put()` to drop the reference count by 1. Without the matching `iio_trigger_get()` in the driver the reference count can reach 0 too early, the trigger gets freed while still in use and a use-after-free occurs. Fix this by getting a reference to the trigger before assigning it to the IIO device. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iio: mma8452: corrección del cálculo de referencia del disparador El controlador mma8452 asigna directamente un disparador a la estructura iio_dev. El núcleo de IIO, cuando termine de usar este activador, llamará a `iio_trigger_put()` para reducir el recuento de referencias en 1. Sin el `iio_trigger_get()` coincidente en el controlador, el recuento de referencias puede llegar a 0 demasiado pronto, el activador se libera mientras aún está en se produce un uso y un use-after-free. • https://git.kernel.org/stable/c/ae6d9ce05691bf79694074db7c7da980080548af https://git.kernel.org/stable/c/094d513b78b1714113bc016684b8142382e071ba https://git.kernel.org/stable/c/fb75cc4740d81264cd5bcb0e17d961d018a8be96 https://git.kernel.org/stable/c/794c0898f6bf39a458655d5fb4af70ec43a5cfcb https://git.kernel.org/stable/c/f5deab10ced368c807866283f8b79144c4823be8 https://git.kernel.org/stable/c/acf0088ac073ca6e7f4cad6acac112177e08df5e https://git.kernel.org/stable/c/db12d95085367de8b0223929d1332731024441f1 https://git.kernel.org/stable/c/c43517071dfc9fce34f8f69dbb98a8601 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47499 – iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
https://notcve.org/view.php?id=CVE-2021-47499
In the Linux kernel, the following vulnerability has been resolved: iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the memory allocated by iio_triggered_buffer_setup() will not be freed, and cause memory leak as follows: unreferenced object 0xffff888009551400 (size 512): comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s) hex dump (first 32 bytes): 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff ........ ....... backtrace: [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360 [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf] [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer] [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013] Fix it by remove data->dready_trig condition in probe and remove. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iio: accel: kxcjk-1013: corrija la posible pérdida de memoria en la sonda y elimínela. Cuando el tipo ACPI es ACPI_SMO8500, data->dready_trig no se configurará, la memoria asignada por iio_triggered_buffer_setup( ) no se liberará y provocará una pérdida de memoria de la siguiente manera: objeto sin referencia 0xffff888009551400 (tamaño 512): comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (edad 83,852 s) volcado hexadecimal (primeros 32 bytes): 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff .... .... ....... retroceso: [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360 [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf] [<000000004b40c1f5>] ed_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer] [ <000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013] Solucionarlo eliminando la condición data->dready_trig en la sonda y eliminándola. • https://git.kernel.org/stable/c/a25691c1f9674090fb66586cf4c5d60d3efdf339 https://git.kernel.org/stable/c/8c1d43f3a3fc7184c42d7398bdf59a2a2903e4fc https://git.kernel.org/stable/c/60a55b9d91ba99eb8cf015bc46dc2de05e168a15 https://git.kernel.org/stable/c/3899700ddacbf7aaafadf44464fff3ff0d4e3307 https://git.kernel.org/stable/c/a3730f74159ad00a28960c0efe2a931fe6fe6b45 https://git.kernel.org/stable/c/8c163a14277115ca962103910ab4cce55e862ffb https://git.kernel.org/stable/c/ee86d0bad80bdcd11a87e188a596727f41b62320 https://git.kernel.org/stable/c/14508fe13b1c578b3d2ba574f1d48b351 •