Page 211 of 3306 results (0.021 seconds)

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix possible use-after-free issue in ftrace_location() KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ [...] Call Trace: <TASK> dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/0xe0 ftrace_location+0x90/0x120 register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from_file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause is that, in lookup_rec(), ftrace record of some address is being searched in ftrace pages of some module, but those ftrace pages at the same time is being freed in ftrace_release_mod() as the corresponding module is being deleted: CPU1 | CPU2 register_kprobes() { | delete_module() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_location() { | lookup_rec() // USE! | ftrace_release_mod() // Free! To fix this issue: 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); 2. Use ftrace_location_range() instead of lookup_rec() in ftrace_location(); 3. • https://git.kernel.org/stable/c/ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b https://git.kernel.org/stable/c/1880a324af1c95940a7c954b6b937e86844a33bd https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831 https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461 https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6 https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986f •

CVSS: -EPSS: 0%CPEs: 9EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: speakup: Fix sizeof() vs ARRAY_SIZE() bug The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Speakup: corrige el error sizeof() vs ARRAY_SIZE() El puntero "buf" es una matriz de valores u16. Este código debería usar ARRAY_SIZE() (que es 256) en lugar de sizeof() (que es 512), de lo contrario aún puede salirse de los límites. • https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222 https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8 https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595 https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76 https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4e •

CVSS: 4.1EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: r8169: Fix possible ring buffer corruption on fragmented Tx packets. An issue was found on the RTL8125b when transmitting small fragmented packets, whereby invalid entries were inserted into the transmit ring buffer, subsequently leading to calls to dma_unmap_single() with a null address. This was caused by rtl8169_start_xmit() not noticing changes to nr_frags which may occur when small packets are padded (to work around hardware quirks) in rtl8169_tso_csum_v2(). To fix this, postpone inspecting nr_frags until after any padding has been applied. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: r8169: corrige una posible corrupción del búfer en anillo en paquetes Tx fragmentados. Se encontró un problema en el RTL8125b al transmitir pequeños paquetes fragmentados, por el cual se insertaban entradas no válidas en el búfer del anillo de transmisión, lo que posteriormente generaba llamadas a dma_unmap_single() con una dirección nula. Esto se debió a que rtl8169_start_xmit() no notó los cambios en nr_frags que pueden ocurrir cuando se rellenan paquetes pequeños (para evitar peculiaridades del hardware) en rtl8169_tso_csum_v2(). Para solucionar este problema, posponga la inspección de nr_frags hasta que se haya aplicado el relleno. • https://git.kernel.org/stable/c/9020845fb5d6bb4876a38fdf1259600e7d9a63d4 https://git.kernel.org/stable/c/61c1c98e2607120ce9c3fa1bf75e6da909712b27 https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1 https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6 https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479 https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b726 • CWE-457: Use of Uninitialized Variable •

CVSS: -EPSS: 0%CPEs: 9EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: corrige el use-after-free del temporizador para el hilo del escritor de registros Serie de parches "nilfs2: corrige problemas relacionados con el escritor de registros". Esta serie de corrección de errores cubre tres problemas relacionados con el escritor de registros nilfs2, incluido un problema de use-after-free del temporizador y un posible problema de bloqueo al desmontar, y un posible problema de congelación en la sincronización de eventos encontrado durante su análisis. Los detalles se describen en cada registro de confirmación. • https://git.kernel.org/stable/c/fdce895ea5dd4e24edf1f4d693827349a4e5b3b4 https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164 https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148 https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438 https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0 https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d •

CVSS: -EPSS: 0%CPEs: 9EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential hang in nilfs_detach_log_writer() Syzbot has reported a potential hang in nilfs_detach_log_writer() called during nilfs2 unmount. Analysis revealed that this is because nilfs_segctor_sync(), which synchronizes with the log writer thread, can be called after nilfs_segctor_destroy() terminates that thread, as shown in the call trace below: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --> Shut down log writer thread flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (if inode needs sync) nilfs_segctor_sync --> Attempt to synchronize with log writer thread *** DEADLOCK *** Fix this issue by changing nilfs_segctor_sync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates. The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfs_segctor_destroy(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nilfs2: soluciona un posible bloqueo en nilfs_detach_log_writer() Syzbot ha informado de un posible bloqueo en nilfs_detach_log_writer() llamado durante el desmontaje de nilfs2. El análisis reveló que esto se debe a que nilfs_segctor_sync(), que se sincroniza con el hilo del escritor de registros, puede ser llamado después de que nilfs_segctor_destroy() finalice ese hilo, como se muestra en el seguimiento de llamadas a continuación: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --&gt; Apagar el hilo del escritor de registros Flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (si el inodo necesita sincronización) nilfs_segctor_sync --&gt; Intente sincronizar con el hilo del escritor de registros *** DEADLOCK *** Solucione este problema cambiando nilfs_segctor_sync() para que el hilo del escritor de registros regrese normalmente sin sincronizarse después de que termine y forzando las tareas que ya están esperando a completarse una vez que finaliza el hilo. La eliminación de metadatos del inodo omitido se procesará en conjunto en el trabajo de limpieza posterior en nilfs_segctor_destroy(). • https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830 https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0 https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728 •