CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52851 – IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF
https://notcve.org/view.php?id=CVE-2023-52851
In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF In the unlikely event that workqueue allocation fails and returns NULL in mlx5_mkey_cache_init(), delete the call to mlx5r_umr_resource_cleanup() (which frees the QP) in mlx5_ib_stage_post_ib_reg_umr_init(). This will avoid attempted double free of the same QP when __mlx5_ib_add() does its cleanup. Resolves a splat: Syzkaller reported a UAF in ib_destroy_qp_user workqueue: Failed to create a rescuer kthread for wq "mkey_cache": -EINTR infiniband mlx5_0: mlx5_mkey_cache_init:981:(pid 1642): failed to create work queue infiniband mlx5_0: mlx5_ib_stage_post_ib_reg_umr_init:4075:(pid 1642): mr cache init failed -12 ================================================================== BUG: KASAN: slab-use-after-free in ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642 Call Trace: <TASK> kasan_report (mm/kasan/report.c:590) ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4178) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... </TASK> Allocated by task 1642: __kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1026 mm/slab_common.c:1039) create_qp (./include/linux/slab.h:603 ./include/linux/slab.h:720 . • https://git.kernel.org/stable/c/04876c12c19e94bbbc94bb0446c7bc7cd75163de https://git.kernel.org/stable/c/437f033e30c897bb3723eac9e9003cd9f88d00a3 https://git.kernel.org/stable/c/4f4a7a7d1404297f2a92df0046f7e64dc5c52dd9 https://git.kernel.org/stable/c/6387f269d84e6e149499408c4d1fc805017729b2 https://git.kernel.org/stable/c/2ef422f063b74adcc4a4a9004b0a87bb55e0a836 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52850 – media: hantro: Check whether reset op is defined before use
https://notcve.org/view.php?id=CVE-2023-52850
In the Linux kernel, the following vulnerability has been resolved: media: hantro: Check whether reset op is defined before use The i.MX8MM/N/P does not define the .reset op since reset of the VPU is done by genpd. Check whether the .reset op is defined before calling it to avoid NULL pointer dereference. Note that the Fixes tag is set to the commit which removed the reset op from i.MX8M Hantro G2 implementation, this is because before this commit all the implementations did define the .reset op. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: hantro: compruebe si la operación de reinicio está definida antes de su uso. El i.MX8MM/N/P no define la operación .reset ya que genpd realiza el reinicio de la VPU. Compruebe si la operación .reset está definida antes de llamarla para evitar la desreferencia del puntero NULL. • https://git.kernel.org/stable/c/6971efb70ac3e43d19bf33ef5f83bea0271831ee https://git.kernel.org/stable/c/64f55cebb4339ae771e9e7f3f42bee2489e2fa00 https://git.kernel.org/stable/c/66b4c5f980d741f3a47e4b65eeaf2797f2d59294 https://git.kernel.org/stable/c/24c06295f28335ced3aad53dd4b0a0bae7b9b100 https://git.kernel.org/stable/c/88d4b23a629ebd34f682f770cb6c2116c851f7b8 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52849 – cxl/mem: Fix shutdown order
https://notcve.org/view.php?id=CVE-2023-52849
In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix shutdown order Ira reports that removing cxl_mock_mem causes a crash with the following trace: BUG: kernel NULL pointer dereference, address: 0000000000000044 [..] RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core] [..] Call Trace: <TASK> cxl_region_detach+0xe8/0x210 [cxl_core] cxl_decoder_kill_region+0x27/0x40 [cxl_core] cxld_unregister+0x29/0x40 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 device_unregister+0x13/0x60 devm_release_action+0x4d/0x90 ? __pfx_unregister_port+0x10/0x10 [cxl_core] delete_endpoint+0x121/0x130 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 ? lock_release+0x142/0x290 cdev_device_del+0x15/0x50 cxl_memdev_unregister+0x54/0x70 [cxl_core] This crash is due to the clearing out the cxl_memdev's driver context (@cxlds) before the subsystem is done with it. This is ultimately due to the region(s), that this memdev is a member, being torn down and expecting to be able to de-reference @cxlds, like here: static int cxl_region_decode_reset(struct cxl_region *cxlr, int count) ... if (cxlds->rcd) goto endpoint_reset; ... Fix it by keeping the driver context valid until memdev-device unregistration, and subsequently the entire stack of related dependencies, unwinds. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cxl/mem: arreglo del orden de apagado. • https://git.kernel.org/stable/c/9cc238c7a526dba9ee8c210fa2828886fc65db66 https://git.kernel.org/stable/c/964a9834492210f48b360baa9e20a9eedf4d08ff https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52848 – f2fs: fix to drop meta_inode's page cache in f2fs_put_super()
https://notcve.org/view.php?id=CVE-2023-52848
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to drop meta_inode's page cache in f2fs_put_super() syzbot reports a kernel bug as below: F2FS-fs (loop1): detect filesystem reference count leak during umount, type: 10, count: 1 kernel BUG at fs/f2fs/super.c:1639! CPU: 0 PID: 15451 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-09338-ge0152e7481c6 #0 RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639 Call Trace: generic_shutdown_super+0x161/0x3c0 fs/super.c:693 kill_block_super+0x3b/0x70 fs/super.c:1646 kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879 deactivate_locked_super+0x9a/0x170 fs/super.c:481 deactivate_super+0xde/0x100 fs/super.c:514 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254 task_work_run+0x14d/0x240 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd In f2fs_put_super(), it tries to do sanity check on dirty and IO reference count of f2fs, once there is any reference count leak, it will trigger panic. The root case is, during f2fs_put_super(), if there is any IO error in f2fs_wait_on_all_pages(), we missed to truncate meta_inode's page cache later, result in panic, fix this case. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: f2fs: corrección para eliminar el caché de la página de meta_inode en f2fs_put_super() syzbot informa un error en el kernel como se muestra a continuación: F2FS-fs (loop1): detecta pérdida del recuento de referencias del sistema de archivos durante el desmontaje, escriba: 10 , recuento: ¡1 BUG del kernel en fs/f2fs/super.c:1639! CPU: 0 PID: 15451 Comm: syz-executor.1 No contaminado 6.5.0-syzkaller-09338-ge0152e7481c6 #0 RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639 Seguimiento de llamadas: generic_shutdown_super+0x161 /0x3c0 fs/super.c:693 kill_block_super+0x3b/0x70 fs/super.c:1646 kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879 deactivate_locked_super+0x9a/0x170 fs/super.c:481 deactivate_super+0xde /0x100 fs/super.c:514 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254 task_work_run+0x14d/0x240 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [en línea] exit_to_user_mode_loop kernel/entry /common.c:171 [en línea] exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [en línea] syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 Entry_SYSCALL_64_after_hwframe+0x63/0xcd En f2fs_put_super(), intenta realizar una verificación de cordura en el recuento de referencias sucias y de IO de f2fs, una vez que hay alguna fuga en el recuento de referencias, provocará pánico. El caso raíz es que, durante f2fs_put_super(), si hay algún error de IO en f2fs_wait_on_all_pages(), no pudimos truncar el caché de la página de meta_inode más tarde, lo que generó pánico, solucionemos este caso. • https://git.kernel.org/stable/c/20872584b8c0b006c007da9588a272c9e28d2e18 https://git.kernel.org/stable/c/0e2577074b459bba7f4016f4d725ede37d48bb22 https://git.kernel.org/stable/c/eb42e1862aa7934c2c21890097ce4993c5e0d192 https://git.kernel.org/stable/c/10b2a6c0dade67b5a2b2d17fb75c457ea1985fad https://git.kernel.org/stable/c/a4639380bbe66172df329f8b54aa7d2e943f0f64 •
CVSS: 5.2EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52847 – media: bttv: fix use after free error due to btv->timeout timer
https://notcve.org/view.php?id=CVE-2023-52847
In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv->timeout timer There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medio: bttv: corrección de uso después de error gratuito debido a btv->timeout timer. Puede haber alguna condición de ejecución entre la función del temporizador bttv_irq_timeout y bttv_remove. El temporizador está configurado en la sonda y no hay ninguna operación timer_delete en la función de eliminación. • https://git.kernel.org/stable/c/162e6376ac58440beb6a2d2ee294f5d88ea58dd1 https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9 https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574 https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226 https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267 https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586da • CWE-416: Use After Free •