CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47458 – ocfs2: mount fails with buffer overflow in strlen
https://notcve.org/view.php?id=CVE-2021-47458
In the Linux kernel, the following vulnerability has been resolved: ocfs2: mount fails with buffer overflow in strlen Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the trace below. Problem seems to be that strings for cluster stack and cluster name are not guaranteed to be null terminated in the disk representation, while strlcpy assumes that the source string is always null terminated. This causes a read outside of the source string triggering the buffer overflow detection. detected buffer overflow in strlen ------------[ cut here ]------------ kernel BUG at lib/string.c:1149! invalid opcode: 0000 [#1] SMP PTI CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 Debian 5.14.6-2 RIP: 0010:fortify_panic+0xf/0x11 ... Call Trace: ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] ocfs2_fill_super+0x359/0x19b0 [ocfs2] mount_bdev+0x185/0x1b0 legacy_get_tree+0x27/0x40 vfs_get_tree+0x25/0xb0 path_mount+0x454/0xa20 __x64_sys_mount+0x103/0x140 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ocfs2: el montaje falla con desbordamiento del búfer en strlen. A partir del kernel 5.11 compilado con CONFIG_FORTIFY_SOURCE, la conexión de un sistema de archivos ocfs2 con una pila de clúster o2cb o pcmk falla con el siguiente seguimiento. • https://git.kernel.org/stable/c/ac011cb3ff7a76b3e0e6e77158ee4ba2f929e1fb https://git.kernel.org/stable/c/4b74ddcc22ee6455946e80a9c4808801f8f8561e https://git.kernel.org/stable/c/232ed9752510de4436468b653d145565669c8498 https://git.kernel.org/stable/c/7623b1035ca2d17bde0f6a086ad6844a34648df1 https://git.kernel.org/stable/c/d3a83576378b4c904f711598dde2c5e881c4295c https://git.kernel.org/stable/c/93be0eeea14cf39235e585c8f56df3b3859deaad https://git.kernel.org/stable/c/0e677ea5b7396f715a76b6b0ef441430e4c4b57f https://git.kernel.org/stable/c/b15fa9224e6e1239414525d8d556d8247 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47457 – can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()
https://notcve.org/view.php?id=CVE-2021-47457
In the Linux kernel, the following vulnerability has been resolved: can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible() Using wait_event_interruptible() to wait for complete transmission, but do not check the result of wait_event_interruptible() which can be interrupted. It will result in TX buffer has multiple accessors and the later process interferes with the previous process. Following is one of the problems reported by syzbot. ============================================================= WARNING: CPU: 0 PID: 0 at net/can/isotp.c:840 isotp_tx_timer_handler+0x2e0/0x4c0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc7+ #68 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 RIP: 0010:isotp_tx_timer_handler+0x2e0/0x4c0 Call Trace: <IRQ> ? isotp_setsockopt+0x390/0x390 __hrtimer_run_queues+0xb8/0x610 hrtimer_run_softirq+0x91/0xd0 ? rcu_read_lock_sched_held+0x4d/0x80 __do_softirq+0xe8/0x553 irq_exit_rcu+0xf8/0x100 sysvec_apic_timer_interrupt+0x9e/0xc0 </IRQ> asm_sysvec_apic_timer_interrupt+0x12/0x20 Add result check for wait_event_interruptible() in isotp_sendmsg() to avoid multiple accessers for tx buffer. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: isotp: isotp_sendmsg(): agregar verificación de resultado para wait_event_interruptible() Usar wait_event_interruptible() para esperar la transmisión completa, pero no verificar el resultado de wait_event_interruptible() que puede ser interrumpido. • https://git.kernel.org/stable/c/e057dd3fc20ffb3d7f150af46542a51b59b90127 https://git.kernel.org/stable/c/053bc12df0d6097c1126d0e14fa778a0a8faeb64 https://git.kernel.org/stable/c/a76abedd2be3926d6deba236a935c7f98abf9110 https://git.kernel.org/stable/c/9acf636215a6ce9362fe618e7da4913b8bfe84c8 •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47456 – can: peak_pci: peak_pci_remove(): fix UAF
https://notcve.org/view.php?id=CVE-2021-47456
In the Linux kernel, the following vulnerability has been resolved: can: peak_pci: peak_pci_remove(): fix UAF When remove the module peek_pci, referencing 'chan' again after releasing 'dev' will cause UAF. Fix this by releasing 'dev' later. The following log reveals it: [ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537 [ 35.965513 ] Call Trace: [ 35.965718 ] dump_stack_lvl+0xa8/0xd1 [ 35.966028 ] print_address_description+0x87/0x3b0 [ 35.966420 ] kasan_report+0x172/0x1c0 [ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170 [ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967945 ] __asan_report_load8_noabort+0x14/0x20 [ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.968752 ] pci_device_remove+0xa9/0x250 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: pico_pci: pico_pci_remove(): arreglar UAF Cuando se elimina el módulo peek_pci, hacer referencia a 'chan' nuevamente después de liberar 'dev' causará UAF. Solucione este problema lanzando 'dev' más tarde. • https://git.kernel.org/stable/c/e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd https://git.kernel.org/stable/c/1c616528ba4aeb1125a06b407572ab7b56acae38 https://git.kernel.org/stable/c/447d44cd2f67a20b596ede3ca3cd67086dfd9ca9 https://git.kernel.org/stable/c/34914971bb3244db4ce2be44e9438a9b30c56250 https://git.kernel.org/stable/c/adbda14730aacce41c0d3596415aa39ad63eafd9 https://git.kernel.org/stable/c/1248582e47a9f7ce0ecd156c39fc61f8b6aa3699 https://git.kernel.org/stable/c/28f28e4bc3a5e0051faa963f10b778ab38c1db69 https://git.kernel.org/stable/c/0e5afdc2315b0737edcf55bede4ee1640 • CWE-416: Use After Free CWE-467: Use of sizeof() on a Pointer Type •
CVSS: 5.1EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47455 – ptp: Fix possible memory leak in ptp_clock_register()
https://notcve.org/view.php?id=CVE-2021-47455
In the Linux kernel, the following vulnerability has been resolved: ptp: Fix possible memory leak in ptp_clock_register() I got memory leak as follows when doing fault injection test: unreferenced object 0xffff88800906c618 (size 8): comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (age 13.188s) hex dump (first 8 bytes): 70 74 70 30 00 00 00 00 ptp0.... backtrace: [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 [<0000000079f6e2ff>] kvasprintf+0xb5/0x150 [<0000000026aae54f>] kvasprintf_const+0x60/0x190 [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150 [<000000004e35abdd>] dev_set_name+0xc0/0x100 [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp] [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33] When posix_clock_register() returns an error, the name allocated in dev_set_name() will be leaked, the put_device() should be used to give up the device reference, then the name will be freed in kobject_cleanup() and other memory will be freed in ptp_clock_release(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ptp: solucione una posible pérdida de memoria en ptp_clock_register() Obtuve una pérdida de memoria de la siguiente manera al realizar la prueba de inyección de fallas: objeto sin referencia 0xffff88800906c618 (tamaño 8): comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (edad 13,188 s) volcado hexadecimal (primeros 8 bytes): 70 74 70 30 00 00 00 00 ptp0.... backtrace: [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 [<0000 000079f6e2ff>] kvasprintf+0xb5 /0x150 [<0000000026aae54f>] kvasprintf_const+0x60/0x190 [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150 [<000000004e35abdd>] dev_set_name+0xc0/0x100 0000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp] [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33] Cuando posix_clock_register() devuelve un error, el nombre asignado en dev_set_name() se filtrará, se debe usar put_device() para renunciar a la referencia del dispositivo, luego el nombre se liberará kobject_cleanup() y otra memoria se liberarán en ptp_clock_release(). • https://git.kernel.org/stable/c/a33121e5487b424339636b25c35d3a180eaa5f5e https://git.kernel.org/stable/c/5230ef61882d2d14deb846eb6b48370694816e4c https://git.kernel.org/stable/c/6f5e3bb7879ee1eb71c6c3cbaaffbb0da6cd7d57 https://git.kernel.org/stable/c/89e8fc989feaac00bf1a7f9a766289422e2f5768 https://git.kernel.org/stable/c/2dece4d6d13fe179ee3a5991811712725a56e2f7 https://git.kernel.org/stable/c/0393b8720128d5b39db8523e5bfbfc689f18c37c https://git.kernel.org/stable/c/bfa2e0cd3dfda64fde43c3dca3aeba298d2fe7ad https://git.kernel.org/stable/c/95c0a0c5ec8839f8f21672be786e87a10 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47454 – powerpc/smp: do not decrement idle task preempt count in CPU offline
https://notcve.org/view.php?id=CVE-2021-47454
In the Linux kernel, the following vulnerability has been resolved: powerpc/smp: do not decrement idle task preempt count in CPU offline With PREEMPT_COUNT=y, when a CPU is offlined and then onlined again, we get: BUG: scheduling while atomic: swapper/1/0/0x00000000 no locks held by swapper/1/0. CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.0-rc2+ #100 Call Trace: dump_stack_lvl+0xac/0x108 __schedule_bug+0xac/0xe0 __schedule+0xcf8/0x10d0 schedule_idle+0x3c/0x70 do_idle+0x2d8/0x4a0 cpu_startup_entry+0x38/0x40 start_secondary+0x2ec/0x3a0 start_secondary_prolog+0x10/0x14 This is because powerpc's arch_cpu_idle_dead() decrements the idle task's preempt count, for reasons explained in commit a7c2bb8279d2 ("powerpc: Re-enable preemption before cpu_die()"), specifically "start_secondary() expects a preempt_count() of 0." However, since commit 2c669ef6979c ("powerpc/preempt: Don't touch the idle task's preempt_count during hotplug") and commit f1a0a376ca0c ("sched/core: Initialize the idle task with preemption disabled"), that justification no longer holds. The idle task isn't supposed to re-enable preemption, so remove the vestigial preempt_enable() from the CPU offline path. Tested with pseries and powernv in qemu, and pseries on PowerVM. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/smp: no disminuye el recuento de prioridad de tareas inactivas en la CPU fuera de línea Con PREEMPT_COUNT=y, cuando una CPU está fuera de línea y luego vuelve a estar en línea, obtenemos: ERROR: programación mientras es atómica: swapper/1/0/0x00000000 no hay bloqueos retenidos por swapper/1/0. CPU: 1 PID: 0 Comunicaciones: swapper/1 No contaminado 5.15.0-rc2+ #100 Seguimiento de llamadas: dump_stack_lvl+0xac/0x108 __schedule_bug+0xac/0xe0 __schedule+0xcf8/0x10d0 Schedule_idle+0x3c/0x70 do_idle+0x2d8/0x4a0 entrada_arriba+ 0x38/0x40 start_secondary+0x2ec/0x3a0 start_secondary_prolog+0x10/0x14 Esto se debe a que arch_cpu_idle_dead() de powerpc disminuye el recuento de apropiación de tareas inactivas, por razones explicadas en el commit a7c2bb8279d2 ("powerpc: volver a habilitar la apropiación antes de cpu_die()"), específicamente " start_secondary() espera un preempt_count() de 0." Sin embargo, desde el commit 2c669ef6979c ("powerpc/preempt: no toque el preempt_count de la tarea inactiva durante la conexión en caliente") y el commit f1a0a376ca0c ("sched/core: inicialice la tarea inactiva con la preferencia deshabilitada"), esa justificación ya no se cumple. • https://git.kernel.org/stable/c/bdf4d33e8342b90386156204e1da0cdfdb4bf146 https://git.kernel.org/stable/c/2c669ef6979c370f98d4b876e54f19613c81e075 https://git.kernel.org/stable/c/2b6148ef2bd6d8ddc76e7873114f7769b6aa25f0 https://git.kernel.org/stable/c/20a015e948b825afb47855de2efce7cae7c2608f https://git.kernel.org/stable/c/53770a411559cf7bc0906d1df319cc533d2f4f58 https://git.kernel.org/stable/c/3ea0b497a7a2fff6a4b7090310c9f52c91975934 https://git.kernel.org/stable/c/787252a10d9422f3058df9a4821f389e5326c440 •