CVSS: 4.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-52771 – cxl/port: Fix delete_endpoint() vs parent unregistration race
https://notcve.org/view.php?id=CVE-2023-52771
In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix delete_endpoint() vs parent unregistration race The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an endpoint and the root of a CXL topology. Each port including the endpoint port is attached to the cxl_port driver. Given that setup, it follows that when either any port in that lineage goes through a cxl_port ->remove() event, or the memdev goes through a cxl_mem ->remove() event. The hierarchy below the removed port, or the entire hierarchy if the memdev is removed needs to come down. The delete_endpoint() callback is careful to check whether it is being called to tear down the hierarchy, or if it is only being called to teardown the memdev because an ancestor port is going through ->remove(). That care needs to take the device_lock() of the endpoint's parent. Which requires 2 bugs to be fixed: 1/ A reference on the parent is needed to prevent use-after-free scenarios like this signature: BUG: spinlock bad magic on CPU#0, kworker/u56:0/11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023 Workqueue: cxl_port detach_memdev [cxl_core] RIP: 0010:spin_bug+0x65/0xa0 Call Trace: do_raw_spin_lock+0x69/0xa0 __mutex_lock+0x695/0xb80 delete_endpoint+0xad/0x150 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 detach_memdev+0x15/0x20 [cxl_core] process_one_work+0x1e3/0x4c0 worker_thread+0x1dd/0x3d0 2/ In the case of RCH topologies, the parent device that needs to be locked is not always @port->dev as returned by cxl_mem_find_port(), use endpoint->dev.parent instead. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cxl/port: corrige delete_endpoint() frente a la ejecución de cancelación del registro principal. El subsistema CXL, en el momento cxl_mem ->probe(), establece un linaje de puertos (objetos struct cxl_port) entre un punto final y la raíz de una topología CXL. • https://git.kernel.org/stable/c/8dd2bc0f8e02d39bd80851ca787bcbdb7d495e69 https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708 https://access.redhat.com/security/cve/CVE-2023-52771 https://bugzilla.redhat.com/show_bug.cgi?id=2282720 • CWE-413: Improper Resource Locking •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52770 – f2fs: split initial and dynamic conditions for extent_cache
https://notcve.org/view.php?id=CVE-2023-52770
In the Linux kernel, the following vulnerability has been resolved: f2fs: split initial and dynamic conditions for extent_cache Let's allocate the extent_cache tree without dynamic conditions to avoid a missing condition causing a panic as below. # create a file w/ a compressed flag # disable the compression # panic while updating extent_cache F2FS-fs (dm-64): Swapfile: last extent is not aligned to section F2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N) Adding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline] BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline] BUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline] BUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline] BUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 Write of size 4 at addr 0000000000000030 by task syz-executor154/3327 CPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1 Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023 Call Trace: __dump_stack out/common/lib/dump_stack.c:77 [inline] dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118 __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415 kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428 kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186 __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37 instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline] atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline] queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline] __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline] _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155 f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172 f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline] f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764 vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310 ksys_fallocate out/common/fs/open.c:333 [inline] __do_sys_fallocate out/common/fs/open.c:341 [inline] __se_sys_fallocate out/common/fs/open.c:339 [inline] __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339 do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: f2fs: condiciones iniciales y dinámicas divididas para extend_cache. Asignemos el árbol extend_cache sin condiciones dinámicas para evitar que una condición faltante cause pánico como se muestra a continuación. # crear un archivo con una bandera comprimida # desactivar la compresión # entrar en pánico al actualizar extend_cache F2FS-fs (dm-64): Swapfile: la última extensión no está alineada con la sección F2FS-fs (dm-64): Swapfile (3) es no alinearse con la sección: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N) Agregando 124996k swap en ./swap-file. • https://git.kernel.org/stable/c/72840cccc0a1a0a0dc1bb27b669a9111be6d0f6a https://git.kernel.org/stable/c/4377b1d3b19e1369d094a94596211a9815ddbb04 https://git.kernel.org/stable/c/9de787139b0258a5dd1f498780c26d76b61d2958 https://git.kernel.org/stable/c/d83309e7e006cee8afca83523559017c824fbf7a https://git.kernel.org/stable/c/f803982190f0265fd36cf84670aa6daefc2b0768 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52768 – wifi: wilc1000: use vmm_table as array in wilc struct
https://notcve.org/view.php?id=CVE-2023-52768
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: use vmm_table as array in wilc struct Enabling KASAN and running some iperf tests raises some memory issues with vmm_table: BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4 Write of size 4 at addr c3a61540 by task wlan0-tx/95 KASAN detects that we are writing data beyond range allocated to vmm_table. There is indeed a mismatch between the size passed to allocator in wilc_wlan_init, and the range of possible indexes used later: allocation size is missing a multiplication by sizeof(u32) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: wilc1000: use vmm_table como matriz en wilc struct. Al habilitar KASAN y ejecutar algunas pruebas de iperf se generan algunos problemas de memoria con vmm_table: BUG: KASAN: slab-out-of-bounds en wilc_wlan_handle_txq +0x6ac/0xdb4 Escritura de tamaño 4 en la dirección c3a61540 mediante la tarea wlan0-tx/95 KASAN detecta que estamos escribiendo datos más allá del rango asignado a vmm_table. De hecho, existe una discrepancia entre el tamaño pasado al asignador en wilc_wlan_init y el rango de posibles índices utilizados más adelante: al tamaño de la asignación le falta una multiplicación por sizeof(u32) • https://git.kernel.org/stable/c/32dd0b22a5ba1dd296ccf2caf46ad44c3a8d5d98 https://git.kernel.org/stable/c/40b717bfcefab28a0656b8caa5e43d5449e5a671 https://git.kernel.org/stable/c/5212d958f6518003cd98c9886f8e8aedcfc25741 https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8 https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27 https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c10 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2023-52766 – i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
https://notcve.org/view.php?id=CVE-2023-52766
In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i3c: mipi-i3c-hci: corrige el acceso fuera de los límites en hci_dma_irq_handler. No realice bucles sobre encabezados de anillo en hci_dma_irq_handler() que no estén asignados y habilitados en hci_dma_init(). De lo contrario, el acceso fuera de los límites se producirá desde el acceso de anillos->encabezados[i] cuando i >= número de encabezados de anillo asignados. • https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6 https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65 https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574 •
CVSS: 6.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52765 – mfd: qcom-spmi-pmic: Fix revid implementation
https://notcve.org/view.php?id=CVE-2023-52765
In the Linux kernel, the following vulnerability has been resolved: mfd: qcom-spmi-pmic: Fix revid implementation The Qualcomm SPMI PMIC revid implementation is broken in multiple ways. First, it assumes that just because the sibling base device has been registered that means that it is also bound to a driver, which may not be the case (e.g. due to probe deferral or asynchronous probe). This could trigger a NULL-pointer dereference when attempting to access the driver data of the unbound device. Second, it accesses driver data of a sibling device directly and without any locking, which means that the driver data may be freed while it is being accessed (e.g. on driver unbind). Third, it leaks a struct device reference to the sibling device which is looked up using the spmi_device_from_of() every time a function (child) device is calling the revid function (e.g. on probe). Fix this mess by reimplementing the revid lookup so that it is done only at probe of the PMIC device; the base device fetches the revid info from the hardware, while any secondary SPMI device fetches the information from the base device and caches it so that it can be accessed safely from its children. If the base device has not been probed yet then probe of a secondary device is deferred. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mfd: qcom-spmi-pmic: reparación de la implementación revid. La implementación revid de Qualcomm SPMI PMIC está rota de varias maneras. • https://git.kernel.org/stable/c/e9c11c6e3a0e93903f5a13f8d2f97ae1bba512e1 https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40 https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2 https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2 https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95 • CWE-476: NULL Pointer Dereference •