CVE-2021-47309 – net: validate lwtstate->data before returning from skb_tunnel_info()
https://notcve.org/view.php?id=CVE-2021-47309
In the Linux kernel, the following vulnerability has been resolved: net: validate lwtstate->data before returning from skb_tunnel_info() skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info type without validation. lwtstate->data can have various types such as mpls_iptunnel_encap, etc and these are not compatible. So skb_tunnel_info() should validate before returning that pointer. Splat looks like: BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan] Read of size 2 at addr ffff888106ec2698 by task ping/811 CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195 Call Trace: dump_stack_lvl+0x56/0x7b print_address_description.constprop.8.cold.13+0x13/0x2ee ? vxlan_get_route+0x418/0x4b0 [vxlan] ? vxlan_get_route+0x418/0x4b0 [vxlan] kasan_report.cold.14+0x83/0xdf ? vxlan_get_route+0x418/0x4b0 [vxlan] vxlan_get_route+0x418/0x4b0 [vxlan] [ ... ] vxlan_xmit_one+0x148b/0x32b0 [vxlan] [ ... ] vxlan_xmit+0x25c5/0x4780 [vxlan] [ ... ] dev_hard_start_xmit+0x1ae/0x6e0 __dev_queue_xmit+0x1f39/0x31a0 [ ... ] neigh_xmit+0x2f9/0x940 mpls_xmit+0x911/0x1600 [mpls_iptunnel] lwtunnel_xmit+0x18f/0x450 ip_finish_output2+0x867/0x2040 [ ... ] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: validar lwtstate->data antes de regresar de skb_tunnel_info() skb_tunnel_info() devuelve un puntero de lwtstate->data como tipo ip_tunnel_info sin validación. lwtstate->data puede tener varios tipos como mpls_iptunnel_encap, etc. y estos no son compatibles. Entonces skb_tunnel_info() debería validarse antes de devolver ese puntero. • https://git.kernel.org/stable/c/61adedf3e3f1d3f032c5a6a299978d91eff6d555 https://git.kernel.org/stable/c/e7f3c9df40515a6c6b46f36c4c94cf48a043f887 https://git.kernel.org/stable/c/b61d327cd3cc5ea591f3bf751dd11e034f388bb5 https://git.kernel.org/stable/c/83bdcfbd968bcc91a0632b7b625e4a9b0cba5e0d https://git.kernel.org/stable/c/8bb1589c89e61e3b182dd546f1021928ebb5c2a6 https://git.kernel.org/stable/c/8aa13a86964cdec4fd969ef677c6614ff068641a https://git.kernel.org/stable/c/2179d96ec702cc33ead02a9ce40ece599b8538c5 https://git.kernel.org/stable/c/a915379594f1e045421635c6316d8f3ff •
CVE-2021-47308 – scsi: libfc: Fix array index out of bound exception
https://notcve.org/view.php?id=CVE-2021-47308
In the Linux kernel, the following vulnerability has been resolved: scsi: libfc: Fix array index out of bound exception Fix array index out of bound exception in fc_rport_prli_resp(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: libfc: Corregir excepción de índice de matriz fuera de los límites. Corregir excepción de índice de matriz fuera de los límites en fc_rport_prli_resp(). • https://git.kernel.org/stable/c/44651522941c623e20882b3b443f23f77de1ea8b https://git.kernel.org/stable/c/4921b1618045ffab71b1050bf0014df3313a2289 https://git.kernel.org/stable/c/0fe70c15f9435bb3c50954778245d62ee38b0e03 https://git.kernel.org/stable/c/a4a54c54af2516caa9c145015844543cfc84316a https://git.kernel.org/stable/c/8511293e643a18b248510ae5734e4f360754348c https://git.kernel.org/stable/c/b27c4577557045f1ab3cdfeabfc7f3cd24aca1fe • CWE-125: Out-of-bounds Read •
CVE-2021-47307 – cifs: prevent NULL deref in cifs_compose_mount_options()
https://notcve.org/view.php?id=CVE-2021-47307
In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL deref in cifs_compose_mount_options() The optional @ref parameter might contain an NULL node_name, so prevent dereferencing it in cifs_compose_mount_options(). Addresses-Coverity: 1476408 ("Explicit null dereferenced") En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: evita la eliminación de desreferencias NULL en cifs_compose_mount_options() El parámetro @ref opcional puede contener un nombre de nodo NULL, por lo que se debe evitar eliminar la referencia a él en cifs_compose_mount_options(). Direcciones-Cobertura: 1476408 ("Nulo explícito desreferenciado") • https://git.kernel.org/stable/c/f7d1fa65e74263d11f90ddd33b4d4cd905a93759 https://git.kernel.org/stable/c/e58c162789becede894d3e94c0ce6695a2ef5796 https://git.kernel.org/stable/c/ae3d181f4e912f51af7776ea165f199b16fc165d https://git.kernel.org/stable/c/03313d1c3a2f086bb60920607ab79ac8f8578306 •
CVE-2021-47305 – dma-buf/sync_file: Don't leak fences on merge failure
https://notcve.org/view.php?id=CVE-2021-47305
In the Linux kernel, the following vulnerability has been resolved: dma-buf/sync_file: Don't leak fences on merge failure Each add_fence() call does a dma_fence_get() on the relevant fence. In the error path, we weren't calling dma_fence_put() so all those fences got leaked. Also, in the krealloc_array failure case, we weren't freeing the fences array. Instead, ensure that i and fences are always zero-initialized and dma_fence_put() all the fences and kfree(fences) on every error path. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dma-buf/sync_file: no filtrar barreras en caso de falla de fusión. • https://git.kernel.org/stable/c/a02b9dc90d844cc7df7b63264e7920cc425052d9 https://git.kernel.org/stable/c/19f51c2529339280d2c8c6427cd3e21ddf1ac3f8 https://git.kernel.org/stable/c/e0355a0ad31a1d677b2a4514206de4902bd550e8 https://git.kernel.org/stable/c/41f45e91c92c8480242ea448d54e28c753b13902 https://git.kernel.org/stable/c/0d514185ae792d3a1903c8e1a83899aa996705ce https://git.kernel.org/stable/c/19edcd97727aae9362444a859a24d99a8730cb27 https://git.kernel.org/stable/c/ffe000217c5068c5da07ccb1c0f8cce7ad767435 •
CVE-2021-47297 – net: fix uninit-value in caif_seqpkt_sendmsg
https://notcve.org/view.php?id=CVE-2021-47297
In the Linux kernel, the following vulnerability has been resolved: net: fix uninit-value in caif_seqpkt_sendmsg When nr_segs equal to zero in iovec_from_user, the object msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg which is defined in ___sys_sendmsg. So we cann't just judge msg->msg_iter.iov->base directlly. We can use nr_segs to judge msg in caif_seqpkt_sendmsg whether has data buffers. ===================================================== BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x220 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg net/socket.c:672 [inline] ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343 ___sys_sendmsg net/socket.c:2397 [inline] __sys_sendmmsg+0x808/0xc90 net/socket.c:2480 __compat_sys_sendmmsg net/compat.c:656 [inline] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: corrige el valor uninit en caif_seqpkt_sendmsg. Cuando nr_segs es igual a cero en iovec_from_user, el objeto msg->msg_iter.iov es la memoria de pila uninit en caif_seqpkt_sendmsg que está definida en ___sys_sendmsg. Entonces no podemos simplemente juzgar msg->msg_iter.iov->base directamente. • https://git.kernel.org/stable/c/bece7b2398d073d11b2e352405a3ecd3a1e39c60 https://git.kernel.org/stable/c/d9d646acad2c3590e189bb5d5c86ab8bd8a2dfc3 https://git.kernel.org/stable/c/5c6d8e2f7187b8e45a18c27acb7a3885f03ee3db https://git.kernel.org/stable/c/ffe31dd70b70a40cd6b21b78c1713a23e021843a https://git.kernel.org/stable/c/452c3ed7bf63721b07bc2238ed1261bb26027e85 https://git.kernel.org/stable/c/9413c0abb57f70a953b1116318d6aa478013c35d https://git.kernel.org/stable/c/1582a02fecffcee306663035a295e28e1c4aaaff https://git.kernel.org/stable/c/d4c7797ab1517515f0d08b3bc1c6b4888 •