CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-52775 – net/smc: avoid data corruption caused by decline
https://notcve.org/view.php?id=CVE-2023-52775
In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid data corruption caused by decline We found a data corruption issue during testing of SMC-R on Redis applications. The benchmark has a low probability of reporting a strange error as shown below. "Error: Protocol error, got "\xe2" as reply type byte" Finally, we found that the retrieved error data was as follows: 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C 0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 It is quite obvious that this is a SMC DECLINE message, which means that the applications received SMC protocol message. We found that this was caused by the following situations: client server ¦ clc proposal -------------> ¦ clc accept <------------- ¦ clc confirm -------------> wait llc confirm send llc confirm ¦failed llc confirm ¦ x------ (after 2s)timeout wait llc confirm rsp wait decline (after 1s) timeout (after 2s) timeout ¦ decline --------------> ¦ decline <-------------- As a result, a decline message was sent in the implementation, and this message was read from TCP by the already-fallback connection. This patch double the client timeout as 2x of the server value, With this simple change, the Decline messages should never cross or collide (during Confirm link timeout). This issue requires an immediate solution, since the protocol updates involve a more long-term solution. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/smc: evita la corrupción de datos causada por el rechazo. Encontramos un problema de corrupción de datos durante las pruebas de SMC-R en aplicaciones Redis. El punto de referencia tiene una baja probabilidad de informar un error extraño, como se muestra a continuación. "Error: Error de protocolo, obtuve "\xe2" como byte de tipo de respuesta" Finalmente, encontramos que los datos de error recuperados eran los siguientes: 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C 0xCB 0x04 0x02 1 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 Es bastante obvio que este es un mensaje SMC DECLINE, lo que significa que las aplicaciones recibieron un mensaje de protocolo SMC. • https://git.kernel.org/stable/c/0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1 https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563 https://access.redhat.com/security/cve/CVE-2023-52775 https://bugzilla.redhat.com/show_bug.cgi?id=2282690 • CWE-20: Improper Input Validation •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52774 – s390/dasd: protect device queue against concurrent access
https://notcve.org/view.php?id=CVE-2023-52774
In the Linux kernel, the following vulnerability has been resolved: s390/dasd: protect device queue against concurrent access In dasd_profile_start() the amount of requests on the device queue are counted. The access to the device queue is unprotected against concurrent access. With a lot of parallel I/O, especially with alias devices enabled, the device queue can change while dasd_profile_start() is accessing the queue. In the worst case this leads to a kernel panic due to incorrect pointer accesses. Fix this by taking the device lock before accessing the queue and counting the requests. Additionally the check for a valid profile data pointer can be done earlier to avoid unnecessary locking in a hot path. • https://git.kernel.org/stable/c/4fa52aa7a82f9226b3874a69816bda3af821f002 https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458 https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250 https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2023-52766 – i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
https://notcve.org/view.php?id=CVE-2023-52766
In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i3c: mipi-i3c-hci: corrige el acceso fuera de los límites en hci_dma_irq_handler. No realice bucles sobre encabezados de anillo en hci_dma_irq_handler() que no estén asignados y habilitados en hci_dma_init(). De lo contrario, el acceso fuera de los límites se producirá desde el acceso de anillos->encabezados[i] cuando i >= número de encabezados de anillo asignados. • https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6 https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65 https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574 •
CVSS: 4.4EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52764 – media: gspca: cpia1: shift-out-of-bounds in set_flicker
https://notcve.org/view.php?id=CVE-2023-52764
In the Linux kernel, the following vulnerability has been resolved: media: gspca: cpia1: shift-out-of-bounds in set_flicker Syzkaller reported the following issue: UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' When the value of the variable "sd->params.exposure.gain" exceeds the number of bits in an integer, a shift-out-of-bounds error is reported. It is triggered because the variable "currentexp" cannot be left-shifted by more than the number of bits in an integer. In order to avoid invalid range during left-shift, the conditional expression is added. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: media: gspca: cpia1: desplazamiento fuera de los límites en set_flicker. Syzkaller informó el siguiente problema: UBSAN: desplazamiento fuera de los límites en drivers/media/usb/gspca /cpia1.c:1031:27 el exponente de desplazamiento 245 es demasiado grande para el tipo 'int' de 32 bits. • https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060 https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26 https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177 https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809 https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c21 • CWE-125: Out-of-bounds Read •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2023-52763 – i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.
https://notcve.org/view.php?id=CVE-2023-52763
In the Linux kernel, the following vulnerability has been resolved: i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. The `i3c_master_bus_init` function may attach the I2C devices before the I3C bus initialization. In this flow, the DAT `alloc_entry`` will be used before the DAT `init`. Additionally, if the `i3c_master_bus_init` fails, the DAT `cleanup` will execute before the device is detached, which will execue DAT `free_entry` function. The above scenario can cause the driver to use DAT_data when it is NULL. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i3c: master: mipi-i3c-hci: se corrigió un pánico del kernel al acceder a DAT_data. • https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442 https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9 https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781 https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02 https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b •