CVE-2021-47383 – tty: Fix out-of-bound vmalloc access in imageblit
https://notcve.org/view.php?id=CVE-2021-47383
In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads to the updatescrollmode() calculates a wrong value to fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tty: corrige el acceso vmalloc fuera de los límites en imageblit. Este problema ocurre cuando un programa de espacio de usuario realiza un ioctl FBIOPUT_VSCREENINFO pasando la estructura fb_var_screeninfo que contiene solo los campos xres, yres y bits_per_pixel con valores. Si esta estructura es la misma que la ioctl anterior, vc_resize() la detecta y no llama a resize_screen(), dejando fb_var_screeninfo incompleto. • https://git.kernel.org/stable/c/7e71fcedfda6f7de18f850a6b36e78d78b04476f https://git.kernel.org/stable/c/70aed03b1d5a5df974f456cdc8eedb213c94bb8b https://git.kernel.org/stable/c/067c694d06040db6f0c65281bb358452ca6d85b9 https://git.kernel.org/stable/c/8a6a240f52e14356386030d8958ae8b1761d2325 https://git.kernel.org/stable/c/883f7897a25e3ce14a7f274ca4c73f49ac84002a https://git.kernel.org/stable/c/d570c48dd37dbe8fc6875d4461d01a9554ae2560 https://git.kernel.org/stable/c/699d926585daa6ec44be556cdc1ab89e5d54557b https://git.kernel.org/stable/c/3b0c406124719b625b1aba431659f5cdc • CWE-125: Out-of-bounds Read •
CVE-2021-47380 – HID: amd_sfh: Fix potential NULL pointer dereference
https://notcve.org/view.php?id=CVE-2021-47380
In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Fix potential NULL pointer dereference devm_add_action_or_reset() can suddenly invoke amd_mp2_pci_remove() at registration that will cause NULL pointer dereference since corresponding data is not initialized yet. The patch moves initialization of data before devm_add_action_or_reset(). Found by Linux Driver Verification project (linuxtesting.org). [jkosina@suse.cz: rebase] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: HID: amd_sfh: corrige una posible desreferencia del puntero NULL devm_add_action_or_reset() puede invocar repentinamente amd_mp2_pci_remove() en el registro, lo que provocará una desreferencia del puntero NULL ya que los datos correspondientes aún no se han inicializado. El parche mueve la inicialización de los datos antes de devm_add_action_or_reset(). Encontrado por el proyecto de verificación de controladores de Linux (linuxtesting.org). [jkosina@suse.cz: rebase] • https://git.kernel.org/stable/c/283e4bee701dfcd409dd293f19a268bb2bc8ff38 https://git.kernel.org/stable/c/d46ef750ed58cbeeba2d9a55c99231c30a172764 •
CVE-2021-47379 – blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd
https://notcve.org/view.php?id=CVE-2021-47379
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd KASAN reports a use-after-free report when doing fuzz test: [693354.104835] ================================================================== [693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160 [693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338 [693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 [693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 [693354.105612] Call Trace: [693354.105621] dump_stack+0xf1/0x19b [693354.105626] ? show_regs_print_info+0x5/0x5 [693354.105634] ? printk+0x9c/0xc3 [693354.105638] ? cpumask_weight+0x1f/0x1f [693354.105648] print_address_description+0x70/0x360 [693354.105654] kasan_report+0x1b2/0x330 [693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105665] ? • https://git.kernel.org/stable/c/d12ddd843f1877de1f7dd2aeea4907cf9ff3ac08 https://git.kernel.org/stable/c/f58d305887ad7b24986d58e881f6806bb81b2bdf https://git.kernel.org/stable/c/7c2c69e010431b0157c9454adcdd2305809bf9fb https://git.kernel.org/stable/c/858560b27645e7e97aca37ee8f232cccd658fbd2 •
CVE-2021-47378 – nvme-rdma: destroy cm id before destroy qp to avoid use after free
https://notcve.org/view.php?id=CVE-2021-47378
In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: destroy cm id before destroy qp to avoid use after free We should always destroy cm_id before destroy qp to avoid to get cma event after qp was destroyed, which may lead to use after free. In RDMA connection establishment error flow, don't destroy qp in cm event handler.Just report cm_error to upper level, qp will be destroy in nvme_rdma_alloc_queue() after destroy cm id. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvme-rdma: destruye cm id antes de destruir qp para evitar su use after free. Siempre debemos destruir cm_id antes de destruir qp para evitar que se produzca un evento cma después de que se destruya qp, lo que puede llevar a use after free. En el flujo de error de establecimiento de conexión RDMA, no destruya qp en el controlador de eventos cm. Simplemente informe cm_error al nivel superior, qp se destruirá en nvme_rdma_alloc_queue() después de destruir cm id. • https://git.kernel.org/stable/c/ecf0dc5a904830c926a64feffd8e01141f89822f https://git.kernel.org/stable/c/d268a182c56e8361e19fb781137411643312b994 https://git.kernel.org/stable/c/9817d763dbe15327b9b3ff4404fa6f27f927e744 https://access.redhat.com/security/cve/CVE-2021-47378 https://bugzilla.redhat.com/show_bug.cgi?id=2282362 • CWE-416: Use After Free •
CVE-2021-47376 – bpf: Add oversize check before call kvcalloc()
https://notcve.org/view.php?id=CVE-2021-47376
In the Linux kernel, the following vulnerability has been resolved: bpf: Add oversize check before call kvcalloc() Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the oversize check. When the allocation is larger than what kmalloc() supports, the following warning triggered: WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597 Modules linked in: CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597 Call Trace: kvmalloc include/linux/mm.h:806 [inline] kvmalloc_array include/linux/mm.h:824 [inline] kvcalloc include/linux/mm.h:829 [inline] check_btf_line kernel/bpf/verifier.c:9925 [inline] check_btf_info kernel/bpf/verifier.c:10049 [inline] bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759 bpf_prog_load kernel/bpf/syscall.c:2301 [inline] __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Agregar verificación de tamaño excesivo antes de llamar a kvcalloc() Confirmación 7661809d493b ("mm: no permitir llamadas a kvmalloc() de gran tamaño") agregar la verificación de tamaño excesivo. Cuando la asignación es mayor que lo que admite kmalloc(), se activa la siguiente advertencia: ADVERTENCIA: CPU: 0 PID: 8408 en mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597 Módulos vinculados en: CPU : 0 PID: 8408 Comm: syz-executor221 No contaminado 5.14.0-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kvmalloc_node+0x108/0x110 mm/util .c:597 Seguimiento de llamadas: kvmalloc include/linux/mm.h:806 [en línea] kvmalloc_array include/linux/mm.h:824 [en línea] kvcalloc include/linux/mm.h:829 [en línea] check_btf_line kernel/bpf /verifier.c:9925 [en línea] check_btf_info kernel/bpf/verifier.c:10049 [en línea] bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759 bpf_prog_load kernel/bpf/syscall.c:2301 [en línea] __sys_bpf +0x11181/0x126e0 kernel/bpf/syscall.c:4587 __do_sys_bpf kernel/bpf/syscall.c:4691 [en línea] __se_sys_bpf kernel/bpf/syscall.c:4689 [en línea] __x64_sys_bpf+0x78/0x90 pf/syscall.c:4689 do_syscall_x64 arch/x86/entry/common.c:50 [en línea] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae • https://git.kernel.org/stable/c/93937596e0652d50973f9dc944fea1694ac8cdfd https://git.kernel.org/stable/c/6345a0bee80139ea00a341c4202ebfd1534b5eb0 https://git.kernel.org/stable/c/b5fe7cdfee5901ce5513c30e554d51536e003bde https://git.kernel.org/stable/c/0e6491b559704da720f6da09dd0a52c4df44c514 •