CVSS: 6.7EPSS: 0%CPEs: 7EXPL: 0CVE-2021-47609 – firmware: arm_scpi: Fix string overflow in SCPI genpd driver
https://notcve.org/view.php?id=CVE-2021-47609
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Fix string overflow in SCPI genpd driver Without the bound checks for scpi_pd->name, it could result in the buffer overflow when copying the SCPI device name from the corresponding device tree node as the name string is set at maximum size of 30. Let us fix it by using devm_kasprintf so that the string buffer is allocated dynamically. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firmware: arm_scp... • https://git.kernel.org/stable/c/8bec4337ad4023b26de35d3b0c3a3b2735ffc5c7 • CWE-787: Out-of-bounds Write •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47608 – bpf: Fix kernel address leakage in atomic fetch
https://notcve.org/view.php?id=CVE-2021-47608
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic fetch The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since this would allow for unprivileged users to leak kernel pointers. For example, an atomic fetch/and with -1 on a stack destination which holds a spilled pointer will migrate the spilled register type into a scalar, which can then be exported o... • https://git.kernel.org/stable/c/37086bfdc737ea6f66bf68dcf16757004d68e1e1 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47607 – bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg
https://notcve.org/view.php?id=CVE-2021-47607
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg The implementation of BPF_CMPXCHG on a high level has the following parameters: .-[old-val] .-[new-val] BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG) `-[mem-loc] `-[old-val] Given a BPF insn can only have two registers (dst, src), the R0 is fixed and used as an auxilliary register... • https://git.kernel.org/stable/c/5ffa25502b5ab3d639829a2d1e316cff7f59a41e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47606 – net: netlink: af_netlink: Prevent empty skb by adding a check on len.
https://notcve.org/view.php?id=CVE-2021-47606
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net: netlink: af_netlink: Prevent empty skb by adding a check on len. Adding a check on len parameter to avoid empty skb. This prevents a division error in netem_enqueue function which is caused when skb->len=0 and skb->data_len=0 in the randomized corruption step as shown below. skb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8); Crash Report: [ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0... • https://git.kernel.org/stable/c/c54a60c8fbaa774f828e26df79f66229a8a0e010 • CWE-369: Divide By Zero •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47605 – vduse: fix memory corruption in vduse_dev_ioctl()
https://notcve.org/view.php?id=CVE-2021-47605
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: vduse: fix memory corruption in vduse_dev_ioctl() The "config.offset" comes from the user. There needs to a check to prevent it being out of bounds. The "config.offset" and "dev->config_size" variables are both type u32. So if the offset if out of bounds then the "dev->config_size - config.offset" subtraction results in a very high u32 value. The out of bounds offset can result in memory corruption. • https://git.kernel.org/stable/c/c8a6153b6c59d95c0e091f053f6f180952ade91e •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47604 – vduse: check that offset is within bounds in get_config()
https://notcve.org/view.php?id=CVE-2021-47604
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: vduse: check that offset is within bounds in get_config() This condition checks "len" but it does not check "offset" and that could result in an out of bounds read if "offset > dev->config_size". The problem is that since both variables are unsigned the "dev->config_size - offset" subtraction would result in a very high unsigned value. I think these checks might not be necessary because "len" and "offset" are supposed to already have bee... • https://git.kernel.org/stable/c/c8a6153b6c59d95c0e091f053f6f180952ade91e •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2021-47603 – audit: improve robustness of the audit queue handling
https://notcve.org/view.php?id=CVE-2021-47603
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: audit: improve robustness of the audit queue handling If the audit daemon were ever to get stuck in a stopped state the kernel's kauditd_thread() could get blocked attempting to send audit records to the userspace audit daemon. With the kernel thread blocked it is possible that the audit queue could grow unbounded as certain audit record generating events must be exempt from the queue limits else the system enter a deadlock state. This ... • https://git.kernel.org/stable/c/5b52330bbfe63b3305765354d6046c9f7f89c011 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47602 – mac80211: track only QoS data frames for admission control
https://notcve.org/view.php?id=CVE-2021-47602
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: mac80211: track only QoS data frames for admission control For admission control, obviously all of that only works for QoS data frames, otherwise we cannot even access the QoS field in the header. Syzbot reported (see below) an uninitialized value here due to a status of a non-QoS nullfunc packet, which isn't even long enough to contain the QoS header. Fix this to only do anything for QoS data packets. En el kernel de Linux, se resolvió... • https://git.kernel.org/stable/c/02219b3abca59fca81711bfe7ee78df7abad97ce •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47601 – tee: amdtee: fix an IS_ERR() vs NULL bug
https://notcve.org/view.php?id=CVE-2021-47601
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: tee: amdtee: fix an IS_ERR() vs NULL bug The __get_free_pages() function does not return error pointers it returns NULL so fix this condition to avoid a NULL dereference. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tee: amdtee: corrige un error IS_ERR() vs NULL La función __get_free_pages() no devuelve punteros de error, devuelve NULL, así que corrija esta condición para evitar una desreferencia a NULL. • https://git.kernel.org/stable/c/757cc3e9ff1d72d014096399d6e2bf03974d9da1 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47600 – dm btree remove: fix use after free in rebalance_children()
https://notcve.org/view.php?id=CVE-2021-47600
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: dm btree remove: fix use after free in rebalance_children() Move dm_tm_unlock() after dm_tm_dec(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm btree remove: corrige el use after free en rebalance_children() Mueve dm_tm_unlock() después de dm_tm_dec(). • https://git.kernel.org/stable/c/a48f6a2bf33734ec5669ee03067dfb6c5b4818d6 •