CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47491 – mm: khugepaged: skip huge page collapse for special files
https://notcve.org/view.php?id=CVE-2021-47491
In the Linux kernel, the following vulnerability has been resolved: mm: khugepaged: skip huge page collapse for special files The read-only THP for filesystems will collapse THP for files opened readonly and mapped with VM_EXEC. The intended usecase is to avoid TLB misses for large text segments. But it doesn't restrict the file types so a THP could be collapsed for a non-regular file, for example, block device, if it is opened readonly and mapped with EXEC permission. This may cause bugs, like [1] and [2]. This is definitely not the intended usecase, so just collapse THP for regular files in order to close the attack surface. [shy828301@gmail.com: fix vm_file check [3]] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: khugepaged: omitir el colapso de página enorme para archivos especiales El THP de solo lectura para sistemas de archivos colapsará el THP para archivos abiertos de solo lectura y asignados con VM_EXEC. El caso de uso previsto es evitar errores de TLB en segmentos de texto grandes. • https://git.kernel.org/stable/c/99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 https://git.kernel.org/stable/c/6d67b2a73b8e3a079c355bab3c1aef7d85a044b8 https://git.kernel.org/stable/c/5fcb6fce74ffa614d964667110cf1a516c48c6d9 https://git.kernel.org/stable/c/a4aeaa06d45e90f9b279f0b09de84bd00006e733 https://access.redhat.com/security/cve/CVE-2021-47491 https://bugzilla.redhat.com/show_bug.cgi?id=2282925 • CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47490 – drm/ttm: fix memleak in ttm_transfered_destroy
https://notcve.org/view.php?id=CVE-2021-47490
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix memleak in ttm_transfered_destroy We need to cleanup the fences for ghost objects as well. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214029 Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214447 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/ttm: corrige memleak en ttm_transfered_destroy También necesitamos limpiar las barreras para detectar objetos fantasma. Error: https://bugzilla.kernel.org/show_bug.cgi?id=214029 Error: https://bugzilla.kernel.org/show_bug.cgi? • https://git.kernel.org/stable/c/bd99782f3ca491879e8524c89b1c0f40071903bd https://git.kernel.org/stable/c/960b1fdfc39aba8f41e9e27b2de0c925c74182d9 https://git.kernel.org/stable/c/c21b4002214c1c7e7b627b9b53375612f7aab6db https://git.kernel.org/stable/c/bbc920fb320f1c241cc34ac85edaa0058922246a https://git.kernel.org/stable/c/132a3d998d6753047f22152731fba2b0d6b463dd https://git.kernel.org/stable/c/0db55f9a1bafbe3dac750ea669de9134922389b5 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47489 – drm/amdgpu: Fix even more out of bound writes from debugfs
https://notcve.org/view.php?id=CVE-2021-47489
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix even more out of bound writes from debugfs CVE-2021-42327 was fixed by: commit f23750b5b3d98653b31d4469592935ef6364ad67 Author: Thelford Williams <tdwilliamsiv@gmail.com> Date: Wed Oct 13 16:04:13 2021 -0400 drm/amdgpu: fix out of bounds write but amdgpu_dm_debugfs.c contains more of the same issue so fix the remaining ones. v2: * Add missing fix in dp_max_bpc_write (Harry Wentland) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: corrige aún más escrituras fuera de los límites desde debugfs CVE-2021-42327 fue solucionado por: commit f23750b5b3d98653b31d4469592935ef6364ad67 Autor: Thelford Williams Fecha: miércoles 13 de octubre 16:04:13 2021 -0400 drm/amdgpu: corrige la escritura fuera de los límites, pero amdgpu_dm_debugfs.c contiene más del mismo problema, así que solucione los restantes. v2: * Agregar corrección faltante en dp_max_bpc_write (Harry Wentland) • https://git.kernel.org/stable/c/918698d5c2b50433714d2042f55b55b090faa167 https://git.kernel.org/stable/c/9eb4bdd554fc31a5ef6bf645a20ff21618ce45a9 https://git.kernel.org/stable/c/3f4e54bd312d3dafb59daf2b97ffa08abebe60f5 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47488 – cgroup: Fix memory leak caused by missing cgroup_bpf_offline
https://notcve.org/view.php?id=CVE-2021-47488
In the Linux kernel, the following vulnerability has been resolved: cgroup: Fix memory leak caused by missing cgroup_bpf_offline When enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running the command as below: $mount -t cgroup -o none,name=foo cgroup cgroup/ $umount cgroup/ unreferenced object 0xc3585c40 (size 64): comm "mount", pid 425, jiffies 4294959825 (age 31.990s) hex dump (first 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(......... 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... backtrace: [<e95a2f9e>] cgroup_bpf_inherit+0x44/0x24c [<1f03679c>] cgroup_setup_root+0x174/0x37c [<ed4b0ac5>] cgroup1_get_tree+0x2c0/0x4a0 [<f85b12fd>] vfs_get_tree+0x24/0x108 [<f55aec5c>] path_mount+0x384/0x988 [<e2d5e9cd>] do_mount+0x64/0x9c [<208c9cfe>] sys_mount+0xfc/0x1f4 [<06dd06e0>] ret_fast_syscall+0x0/0x48 [<a8308cb3>] 0xbeb4daa8 This is because that since the commit 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path") root_cgrp->bpf.refcnt.data is allocated by the function percpu_ref_init in cgroup_bpf_inherit which is called by cgroup_setup_root when mounting, but not freed along with root_cgrp when umounting. Adding cgroup_bpf_offline which calls percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in umount path. This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a cleanup that frees the resources which are allocated by cgroup_bpf_inherit in cgroup_setup_root. And inside cgroup_bpf_offline, cgroup_get() is at the beginning and cgroup_put is at the end of cgroup_bpf_release which is called by cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of cgroup's refcount. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cgroup: corrige la pérdida de memoria causada por la falta de cgroup_bpf_offline Al habilitar CONFIG_CGROUP_BPF, se puede observar kmemleak ejecutando el siguiente comando: $mount -t cgroup -o none,name=foo cgroup cgroup / $umount cgroup/ objeto sin referencia 0xc3585c40 (tamaño 64): comm "mount", pid 425, sjiffies 4294959825 (edad 31.990s) volcado hexadecimal (primeros 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(....... 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... retroceso : [] cgroup_bpf_inherit+0x44/0x24c [<1f03679c>] cgroup_setup_root+0x174/0x37c [] cgroup1_get_tree+0x2c0/0x4a0 [] 8 [] ruta_montaje+0x384/ 0x988 [] do_mount+0x64/0x9c [<208c9cfe>] sys_mount+0xfc/0x1f4 [<06dd06e0>] ret_fast_syscall+0x0/0x48 [] 0xbeb4daa8 Esto se debe a que desde El commit 2b0d3d3e4f cf ("percpu_ref: reducir huella de memoria de percpu_ref en la ruta rápida") root_cgrp->bpf.refcnt.data es asignada por la función percpu_ref_init en cgroup_bpf_inherit, que es llamada por cgroup_setup_root al montar, pero no se libera junto con root_cgrp al desmontar. • https://git.kernel.org/stable/c/4bfc0bb2c60e2f4cc8eb60f03cf8dfa72336272a https://git.kernel.org/stable/c/01599bf7cc2b49c3d2be886cb438647dc25446ed https://git.kernel.org/stable/c/b529f88d93884cf8ccafda793ee3d27b82fa578d https://git.kernel.org/stable/c/04f8ef5643bcd8bcde25dfdebef998aea480b2ba •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47486 – riscv, bpf: Fix potential NULL dereference
https://notcve.org/view.php?id=CVE-2021-47486
In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Fix potential NULL dereference The bpf_jit_binary_free() function requires a non-NULL argument. When the RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps, jit_data->header will be NULL, which triggers a NULL dereference. Avoid this by checking the argument, prior calling the function. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: riscv, bpf: corrige una posible desreferencia NULL La función bpf_jit_binary_free() requiere un argumento que no sea NULL. Cuando el JIT BPF de RISC-V no logra converger en los pasos NR_JIT_ITERATION, jit_data->header será NULL, lo que desencadena una desreferencia NULL. • https://git.kernel.org/stable/c/ca6cb5447ceca6a87d6b62c9e5d41042c34f7ffa https://git.kernel.org/stable/c/cac6b043cea3e120f4fccec16f7381747cbfdc0d https://git.kernel.org/stable/c/e1b80a5ebe5431caeb20f88c32d4a024777a2d41 https://git.kernel.org/stable/c/27de809a3d83a6199664479ebb19712533d6fd9b • CWE-476: NULL Pointer Dereference •