CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47537 – octeontx2-af: Fix a memleak bug in rvu_mbox_init()
https://notcve.org/view.php?id=CVE-2021-47537
In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Fix a memleak bug in rvu_mbox_init() In rvu_mbox_init(), mbox_regions is not freed or passed out under the switch-default region, which could lead to a memory leak. Fix this bug by changing 'return err' to 'goto free_regions'. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_OCTEONTX2_AF=y show no new warnings, and our static analyzer no longer warns about this code. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: octeontx2-af: corrige un error de memleak en rvu_mbox_init() En rvu_mbox_init(), mbox_regions no se libera ni se pasa en la región predeterminada del conmutador, lo que podría provocar una pérdida de memoria. Corrija este error cambiando 'return err' por 'goto free_regions'. • https://git.kernel.org/stable/c/98c5611163603d3d8012b1bf64ab48fd932cf734 https://git.kernel.org/stable/c/1c0ddef45b7e3dbe3ed073695d20faa572b7056a https://git.kernel.org/stable/c/e07a097b4986afb8f925d0bb32612e1d3e88ce15 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47536 – net/smc: fix wrong list_del in smc_lgr_cleanup_early
https://notcve.org/view.php?id=CVE-2021-47536
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix wrong list_del in smc_lgr_cleanup_early smc_lgr_cleanup_early() meant to delete the link group from the link group list, but it deleted the list head by mistake. This may cause memory corruption since we didn't remove the real link group from the list and later memseted the link group structure. We got a list corruption panic when testing: [ 231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000 [ 231.278222] ------------[ cut here ]------------ [ 231.278726] kernel BUG at lib/list_debug.c:53! [ 231.279326] invalid opcode: 0000 [#1] SMP NOPTI [ 231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435 [ 231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014 [ 231.281248] Workqueue: events smc_link_down_work [ 231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90 [ 231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c 60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f> 0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc [ 231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292 [ 231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000 [ 231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040 [ 231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001 [ 231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001 [ 231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003 [ 231.288337] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 [ 231.289160] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0 [ 231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 231.291940] Call Trace: [ 231.292211] smc_lgr_terminate_sched+0x53/0xa0 [ 231.292677] smc_switch_conns+0x75/0x6b0 [ 231.293085] ? update_load_avg+0x1a6/0x590 [ 231.293517] ? ttwu_do_wakeup+0x17/0x150 [ 231.293907] ? update_load_avg+0x1a6/0x590 [ 231.294317] ? • https://git.kernel.org/stable/c/a0a62ee15a829ebf8aeec55a4f1688230439b3e0 https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529 https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47535 – drm/msm/a6xx: Allocate enough space for GMU registers
https://notcve.org/view.php?id=CVE-2021-47535
In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Allocate enough space for GMU registers In commit 142639a52a01 ("drm/msm/a6xx: fix crashstate capture for A650") we changed a6xx_get_gmu_registers() to read 3 sets of registers. Unfortunately, we didn't change the memory allocation for the array. That leads to a KASAN warning (this was on the chromeos-5.4 kernel, which has the problematic commit backported to it): BUG: KASAN: slab-out-of-bounds in _a6xx_get_gmu_registers+0x144/0x430 Write of size 8 at addr ffffff80c89432b0 by task A618-worker/209 CPU: 5 PID: 209 Comm: A618-worker Tainted: G W 5.4.156-lockdep #22 Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT) Call trace: dump_backtrace+0x0/0x248 show_stack+0x20/0x2c dump_stack+0x128/0x1ec print_address_description+0x88/0x4a0 __kasan_report+0xfc/0x120 kasan_report+0x10/0x18 __asan_report_store8_noabort+0x1c/0x24 _a6xx_get_gmu_registers+0x144/0x430 a6xx_gpu_state_get+0x330/0x25d4 msm_gpu_crashstate_capture+0xa0/0x84c recover_worker+0x328/0x838 kthread_worker_fn+0x32c/0x574 kthread+0x2dc/0x39c ret_from_fork+0x10/0x18 Allocated by task 209: __kasan_kmalloc+0xfc/0x1c4 kasan_kmalloc+0xc/0x14 kmem_cache_alloc_trace+0x1f0/0x2a0 a6xx_gpu_state_get+0x164/0x25d4 msm_gpu_crashstate_capture+0xa0/0x84c recover_worker+0x328/0x838 kthread_worker_fn+0x32c/0x574 kthread+0x2dc/0x39c ret_from_fork+0x10/0x18 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/msm/a6xx: asigne suficiente espacio para los registros GMU. En el commit 142639a52a01 ("drm/msm/a6xx: corrija la captura del estado de falla para A650") cambiamos a6xx_get_gmu_registers() para que diga 3 conjuntos de registros. Desafortunadamente, no cambiamos la asignación de memoria para la matriz. • https://git.kernel.org/stable/c/142639a52a01e90c512a9a8d2156997e02a65b53 https://git.kernel.org/stable/c/d646856a600e8635ba498f20b194219b158626e8 https://git.kernel.org/stable/c/83e54fcf0b14ca2d869dd37abe1bb6542805f538 https://git.kernel.org/stable/c/b4d25abf9720b69a03465b09d0d62d1998ed6708 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47534 – drm/vc4: kms: Add missing drm_crtc_commit_put
https://notcve.org/view.php?id=CVE-2021-47534
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Add missing drm_crtc_commit_put Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a global state for the HVS, with each FIFO storing the current CRTC commit so that we can properly synchronize commits. However, the refcounting was off and we thus ended up leaking the drm_crtc_commit structure every commit. Add a drm_crtc_commit_put to prevent the leakage. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/vc4: kms: agregar drm_crtc_commit_put faltante el commit 9ec03d7f1ed3 ("drm/vc4: kms: esperar a los usuarios FIFO anteriores antes de una confirmación") introdujo un estado global para HVS, con cada FIFO almacena El commit CRTC actual para que podamos sincronizar correctamente las confirmaciones. Sin embargo, el recuento no se realizó y, por lo tanto, terminamos filtrando la estructura drm_crtc_commit en cada confirmación. Agregue un drm_crtc_commit_put para evitar la fuga. • https://git.kernel.org/stable/c/9ec03d7f1ed394897891319a4dda75f52c5d292d https://git.kernel.org/stable/c/53f9601e908d42481addd67cdb01a9288c611124 https://git.kernel.org/stable/c/049cfff8d53a30cae3349ff71a4c01b7d9981bc2 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47533 – drm/vc4: kms: Clear the HVS FIFO commit pointer once done
https://notcve.org/view.php?id=CVE-2021-47533
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Clear the HVS FIFO commit pointer once done Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a wait on the previous commit done on a given HVS FIFO. However, we never cleared that pointer once done. Since drm_crtc_commit_put can free the drm_crtc_commit structure directly if we were the last user, this means that it can lead to a use-after free if we were to duplicate the state, and that stale pointer would even be copied to the new state. Set the pointer to NULL once we're done with the wait so that we don't carry over a pointer to a free'd structure. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vc4: kms: borre el puntero de commit FIFO de HVS una vez realizado. El commit 9ec03d7f1ed3 ("drm/vc4: kms: espere a los usuarios FIFO anteriores antes de una confirmación") introdujo una espera en el commit anterior realizada en un HVS FIFO determinado. Sin embargo, nunca borramos ese puntero una vez hecho. • https://git.kernel.org/stable/c/9ec03d7f1ed394897891319a4dda75f52c5d292d https://git.kernel.org/stable/c/2931db9a5ed219546cf2ae0546698faf78281b89 https://git.kernel.org/stable/c/d134c5ff71c7f2320fc7997f2fbbdedf0c76889a •