Page 188 of 3787 results (0.011 seconds)

CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: NFC: port100: fix use-after-free in port100_send_complete Syzbot reported UAF in port100_send_complete(). The root case is in missing usb_kill_urb() calls on error handling path of ->probe function. port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free Fail log: BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 ... Allocated by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 alloc_dr drivers/base/devres.c:116 [inline] devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 devm_kzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 Freed by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] __cache_free mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 release_nodes+0x112/0x1a0 drivers/base/devres.c:501 devres_release_all+0x114/0x190 drivers/base/devres.c:530 really_probe+0x626/0xcc0 drivers/base/dd.c:670 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFC: puerto100: corrige use-after-free en port100_send_complete Syzbot informó UAF en port100_send_complete(). El caso raíz es que faltan llamadas usb_kill_urb() en la ruta de manejo de errores de -&gt;función de sonda. port100_send_complete() accede a la memoria asignada por el desarrollador que se liberará en caso de falla de la sonda. Deberíamos eliminar estas urbs antes de devolver un error de la función de sonda para evitar el registro de errores de use-after-free: ERROR: KASAN: use-after-free en port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Lectura de tamaño 1 en addr ffff88801bb59540 por tarea ksoftirqd/2/26... • https://git.kernel.org/stable/c/0347a6ab300a1532c298823408d6e51ccf4e4f45 https://git.kernel.org/stable/c/205c4ec78e71cbf561794e6043da80e7bae6790f https://git.kernel.org/stable/c/32e866ae5a7af590597ef4bcff8451bf96d5f980 https://git.kernel.org/stable/c/b1db33d4e54bc35d8db96ce143ea0ef92e23d58e https://git.kernel.org/stable/c/cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161 https://git.kernel.org/stable/c/2b1c85f56512d49e43bc53741fce2f508cd90029 https://git.kernel.org/stable/c/0e721b8f2ee5e11376dd55363f9ccb539d754b8a https://git.kernel.org/stable/c/7194737e1be8fdc89d2a9382bd2f371f7 • CWE-416: Use After Free •

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: gianfar: ethtool: Fix refcount leak in gfar_get_ts_info The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: gianfar: ethtool: corrige la fuga de refcount en gfar_get_ts_info La función of_find_compatible_node() devuelve un puntero de nodo con refcount incrementado. Deberíamos usar of_node_put() en ella cuando haya terminado. Agregue el of_node_put() que falta para liberar el recuento. • https://git.kernel.org/stable/c/7349a74ea75ca27606ead81df3ed67f1b32a94ba https://git.kernel.org/stable/c/6263f2eb93a85ad7df504daf0c341a7fb6bbe8a6 https://git.kernel.org/stable/c/f7b3b520349193f8a82cca74daf366199e06add9 https://git.kernel.org/stable/c/21044e679ed535345042d2023f7df0ca8e897e2a https://git.kernel.org/stable/c/f49f646f9ec296fc0afe7ae92c2bb47f23e3846c https://git.kernel.org/stable/c/0e1b9a2078e07fb1e6e91bf8badfd89ecab1e848 https://git.kernel.org/stable/c/2ac5b58e645c66932438bb021cb5b52097ce70b0 • CWE-401: Missing Release of Memory after Effective Lifetime •

CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: sctp: fix kernel-infoleak for SCTP sockets syzbot reported a kernel infoleak [1] of 4 bytes. After analysis, it turned out r->idiag_expires is not initialized if inet_sctp_diag_fill() calls inet_diag_msg_common_fill() Make sure to clear idiag_timer/idiag_retrans/idiag_expires and let inet_diag_msg_sctpasoc_fill() fill them again if needed. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 instrument_copy_to_user include/linux/instrumented.h:121 [inline] copyout lib/iov_iter.c:154 [inline] _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 copy_to_iter include/linux/uio.h:162 [inline] simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533 skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline] netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] __sys_recvfrom+0x795/0xa10 net/socket.c:2097 __do_sys_recvfrom net/socket.c:2115 [inline] __se_sys_recvfrom net/socket.c:2111 [inline] __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:737 [inline] slab_alloc_node mm/slub.c:3247 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1158 [inline] netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248 __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373 netlink_dump_start include/linux/netlink.h:254 [inline] inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341 sock_diag_rcv_msg+0x24a/0x620 netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg net/socket.c:725 [inline] sock_write_iter+0x594/0x690 net/socket.c:1061 do_iter_readv_writev+0xa7f/0xc70 do_iter_write+0x52c/0x1500 fs/read_write.c:851 vfs_writev fs/read_write.c:924 [inline] do_writev+0x645/0xe00 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [inline] __se_sys_writev fs/read_write.c:1037 [inline] __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Bytes 68-71 of 2508 are uninitialized Memory access of size 2508 starts at ffff888114f9b000 Data copied to user address 00007f7fe09ff2e0 CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sctp: corrige la fuga de información del kernel para sockets SCTP syzbot informó una fuga de información del kernel [1] de 4 bytes. Después del análisis, resultó que r-&gt;idiag_expires no se inicializa si inet_sctp_diag_fill() llama a inet_diag_msg_common_fill(). Asegúrese de borrar idiag_timer/idiag_retrans/idiag_expires y deje que inet_diag_msg_sctpasoc_fill() los complete nuevamente si es necesario. [1] ERROR: KMSAN: kernel-infoleak en instrument_copy_to_user include/linux/instrumented.h:121 [en línea] ERROR: KMSAN: kernel-infoleak en copia lib/iov_iter.c:154 [en línea] ERROR: KMSAN: kernel-infoleak en _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 instrument_copy_to_user include/linux/instrumented.h:121 [en línea] copia lib/iov_iter.c:154 [en línea] _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 copy_to_iter include/linux/uio.h:162 [en línea] simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram .c:533 skb_copy_datagram_msg include/linux/skbuff.h:3696 [en línea] netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977 sock_recvmsg_nosec net/socket.c:948 [en línea] sock_recvmsg net/socket.c:966 [en línea] __sys_recvfrom+0x795/0xa10 net/socket.c:2097 __do_sys_recvfrom net/socket.c:2115 [en línea] __se_sys_recvfrom net/socket.c:2111 [en línea] __x64_sys_recvfrom+0x19d/0x210 net/socket.c: 2111 hacer_syscall_x64 arch/x86/entry/common.c:51 [en línea] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 Entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit se creó en: slab_post_alloc_hook mm/slab.h:737 [en línea ] slab_alloc_node mm/slub.c:3247 [en línea] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975 kmalloc_reserve net/core/skbuff.c:354 [en línea] __alloc_skb+0x545/0xf90 net/core/skbuff.c: 426 alloc_skb include/linux/skbuff.h:1158 [en línea] netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248 __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373 netlink_dump_start include/linux/netlink.h :254 [en línea] inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341 sock_diag_rcv_msg+0x24a/0x620 netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494 sock_diag_rcv+0x63/ 0x80 net/core/sock_diag.c : 277 netlink_unicast_kernel net/netlink/af_netlink.c: 1317 [en línea] netlink_unicast+0x1093/0x1360 netlink/af_netlink.c: 1343 netlink_sendmsg+0x14d9/0x1720 net/netlink/socks OCKE.C: 705 [en línea] sock_sendmsg net/socket.c:725 [en línea] sock_write_iter+0x594/0x690 net/socket.c:1061 do_iter_readv_writev+0xa7f/0xc70 do_iter_write+0x52c/0x1500 fs/read_write.c:851 vfs_writev fs/read_ escribir.c :924 [en línea] do_writev+0x645/0xe00 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [en línea] __se_sys_writev fs/read_write.c:1037 [en línea] __x64_sys_writev+0xe5/0x120 fs/read_write.c: 1037 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 Entry_SYSCALL_64_after_hwframe+0x44/0xae Los bytes 68-71 de 2508 no están inicializados Acceso a memoria de tamaño 2508 comienza en ffff888114f9b000 Datos copiados a la dirección de usuario 00007f7fe09ff2e0 CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0 Nombre de hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 • https://git.kernel.org/stable/c/8f840e47f190cbe61a96945c13e9551048d42cef https://git.kernel.org/stable/c/3fc0fd724d199e061432b66a8d85b7d48fe485f7 https://git.kernel.org/stable/c/41a2864cf719c17294f417726edd411643462ab8 https://git.kernel.org/stable/c/2d8fa3fdf4542a2174a72d92018f488d65d848c5 https://git.kernel.org/stable/c/bbf59d7ae558940cfa2b36a287fd1e88d83f89f8 https://git.kernel.org/stable/c/b7e4d9ba2ddb78801488b4c623875b81fb46b545 https://git.kernel.org/stable/c/1502f15b9f29c41883a6139f2923523873282a83 https://git.kernel.org/stable/c/d828b0fe6631f3ae8709ac9a10c77c583 • CWE-401: Missing Release of Memory after Effective Lifetime •

CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: arc_emac: Fix use after free in arc_mdio_probe() If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free the "bus". But bus->name is still used in the next line, which will lead to a use after free. We can fix it by putting the name in a local variable and make the bus->name point to the rodata section "name",then use the name in the error message without referring to bus to avoid the uaf. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: arc_emac: corrige el use after free en arc_mdio_probe() Si bus-&gt;state es igual a MDIOBUS_ALLOCATED, mdiobus_free(bus) liberará el "bus". Pero bus-&gt;name todavía se usa en la siguiente línea, lo que conducirá a un uso posterior a free. Podemos solucionarlo poniendo el nombre en una variable local y haciendo que bus-&gt;nombre apunte a la sección "nombre" de rodata, luego use el nombre en el mensaje de error sin hacer referencia al bus para evitar el uaf. • https://git.kernel.org/stable/c/95b5fc03c189e4ea5c63785274cc0b77fcc3a818 https://git.kernel.org/stable/c/84c831803785c2c3bec5c28c0e8a0b72f6b41d4d https://git.kernel.org/stable/c/bc0e610a6eb0d46e4123fafdbe5e6141d9fff3be • CWE-416: Use After Free •

CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). • https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753 https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534 https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192 https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026 https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63 https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8 •