CVSS: 6.2EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52844 – media: vidtv: psi: Add check for kstrdup
https://notcve.org/view.php?id=CVE-2023-52844
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: psi: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: vidtv: psi: Agregar verificación para kstrdup. Agregue verificación para el valor de retorno de kstrdup() y devuelva el error si falla para evitar la desreferencia al puntero NULL. • https://git.kernel.org/stable/c/7a7899f6f58e3270ccfd200ee63ebced5ddba3c9 https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9 https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9 https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0 https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52843 – llc: verify mac len before reading mac header
https://notcve.org/view.php?id=CVE-2023-52843
In the Linux kernel, the following vulnerability has been resolved: llc: verify mac len before reading mac header LLC reads the mac header with eth_hdr without verifying that the skb has an Ethernet header. Syzbot was able to enter llc_rcv on a tun device. Tun can insert packets without mac len and with user configurable skb->protocol (passing a tun_pi header when not configuring IFF_NO_PI). BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218 __netif_receive_skb_one_core net/core/dev.c:5523 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 netif_receive_skb_internal net/core/dev.c:5723 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5782 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002 Add a mac_len test before all three eth_hdr(skb) calls under net/llc. There are further uses in include/net/llc_pdu.h. All these are protected by a test skb->protocol == ETH_P_802_2. Which does not protect against this tun scenario. But the mac_len test added in this patch in llc_fixup_skb will indirectly protect those too. That is called from llc_rcv before any other LLC code. It is tempting to just add a blanket mac_len check in llc_rcv, but not sure whether that could break valid LLC paths that do not assume an Ethernet header. 802.2 LLC may be used on top of non-802.3 protocols in principle. • https://git.kernel.org/stable/c/f83f1768f833cb45bc93429fdc552252a4f55ac3 https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535 https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779 https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29 https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc7 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2023-52842 – virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()
https://notcve.org/view.php?id=CVE-2023-52842
In the Linux kernel, the following vulnerability has been resolved: virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt() KMSAN reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was stored to memory at: virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline] virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was created at: slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline] virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline] virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: vsock-loopback vsock_loopback_work ===================================================== The following simple reproducer can cause the issue described above: int main(void) { int sock; struct sockaddr_vm addr = { .svm_family = AF_VSOCK, .svm_cid = VMADDR_CID_ANY, .svm_port = 1234, }; sock = socket(AF_VSOCK, SOCK_STREAM, 0); connect(sock, (struct sockaddr *)&addr, sizeof(addr)); return 0; } This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the `struct virtio_vsock_hdr` are not initialized when a new skb is allocated in `virtio_transport_init_hdr()`. This patch resolves the issue by initializing these fields during allocation. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio/vsock: corrige el valor uninit en virtio_transport_recv_pkt(). KMSAN informó el siguiente problema de acceso al valor uninit: ================ ===================================== ERROR: KMSAN: valor uninit en virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 Process_one_work workqueue.c:2630 [en línea] process_scheduled_works+ 0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit se almacenó en la memoria en: virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [en línea] virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virt io_transport_common.c:1415 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 Process_one_work kernel/workqueue.c:2630 [en línea] Process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 trabajador_thread+0xeca/0x14d0 kernel/workqueue.c:2784 hilo +0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit se creó en: slab_post_alloc_hook+ 0x105/0xad0 mm/slab.h: 767 slab_alloc_node mm/slub.c: 3478 [inline] kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c: 3523 kmalloc_reserve+0x13c/0x4a0 net/skbuff. fd /0x770 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [en línea] virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [en línea] virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c: 58 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [en línea] virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/v sock_loopback.c:120 proceso_one_work kernel/workqueue.c:2630 [en línea] Process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 trabajador_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/ Process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 CPU: 1 PID: 10664 Comm: kworker/1:5 No contaminado 6.6.0-rc3-00146-g9f3ebbef746f #3 Nombre de hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 01/04/2014 Cola de trabajo: vsock-loopback vsock_loopback_work ===================== ================================= El siguiente reproductor simple puede causar el problema descrito anteriormente: int main(void) { calcetín interno; struct sockaddr_vm addr = { .svm_family = AF_VSOCK, .svm_cid = VMADDR_CID_ANY, .svm_port = 1234, }; sock = socket(AF_VSOCK, SOCK_STREAM, 0); connect(socket, (struct sockaddr *)&addr, sizeof(addr)); return 0; } Este problema ocurre porque los campos `buf_alloc` y `fwd_cnt` de `struct virtio_vsock_hdr` no se inicializan cuando se asigna un nuevo skb en `virtio_transport_init_hdr()`. Este parche resuelve el problema inicializando estos campos durante la asignación. • https://git.kernel.org/stable/c/71dc9ec9ac7d3eee785cdc986c3daeb821381e20 https://git.kernel.org/stable/c/0b8906fb48b99e993d6e8a12539f618f4854dd26 https://git.kernel.org/stable/c/34c4effacfc329aeca5635a69fd9e0f6c90b4101 https://git.kernel.org/stable/c/cd12535b97dd7d18cf655ec78ce1cf1f29a576be •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52841 – media: vidtv: mux: Add check and kfree for kstrdup
https://notcve.org/view.php?id=CVE-2023-52841
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: mux: Add check and kfree for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Moreover, use kfree() in the later error handling in order to avoid memory leak. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: vidtv: mux: Add check and kfree for kstrdup. Agregue check para el valor de retorno de kstrdup() y devuelva el error si falla para evitar la desreferencia al puntero NULL. Además, utilice kfree() en el manejo de errores posterior para evitar pérdidas de memoria. • https://git.kernel.org/stable/c/c2f78f0cb294aa6f009d3a170f4ee8ad199ba5da https://git.kernel.org/stable/c/64863ba8e6b7651d994c6e6d506cc8aa2ac45edb https://git.kernel.org/stable/c/980be4c3b0d51c0f873fd750117774561c66cf68 https://git.kernel.org/stable/c/a254ee1ddc592ae1efcce96b8c014e1bd2d5a2b4 https://git.kernel.org/stable/c/cb13001411999adb158b39e76d94705eb2da100d https://git.kernel.org/stable/c/aae7598aff291d4d140be1355aa20930af948785 https://git.kernel.org/stable/c/1fd6eb12642e0c32692924ff359c07de4b781d78 •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52840 – Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
https://notcve.org/view.php?id=CVE-2023-52840
In the Linux kernel, the following vulnerability has been resolved: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Entrada: synaptics-rmi4 - corrige el use after free en rmi_unregister_function(). El put_device() llama a rmi_release_function() que libera "fn", por lo que se elimina la referencia en la siguiente línea "fn-> num_of_irqs" es un uso después de ser gratuito. Mueva put_device() hasta el final para solucionar este problema. • https://git.kernel.org/stable/c/24d28e4f1271cb2f91613dada8f2acccd00eff56 https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5 https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2 https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683 https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d • CWE-416: Use After Free •