CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47453 – ice: Avoid crash from unnecessary IDA free
https://notcve.org/view.php?id=CVE-2021-47453
In the Linux kernel, the following vulnerability has been resolved: ice: Avoid crash from unnecessary IDA free In the remove path, there is an attempt to free the aux_idx IDA whether it was allocated or not. This can potentially cause a crash when unloading the driver on systems that do not initialize support for RDMA. But, this free cannot be gated by the status bit for RDMA, since it is allocated if the driver detects support for RDMA at probe time, but the driver can enter into a state where RDMA is not supported after the IDA has been allocated at probe time and this would lead to a memory leak. Initialize aux_idx to an invalid value and check for a valid value when unloading to determine if an IDA free is necessary. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ice: Evite fallas por IDA innecesario libre en la ruta de eliminación, hay un intento de liberar el IDA aux_idx, ya sea que esté asignado o no. Potencialmente, esto puede provocar un bloqueo al descargar el controlador en sistemas que no inicializan la compatibilidad con RDMA. Sin embargo, esta liberación no puede ser controlada por el bit de estado para RDMA, ya que se asigna si el controlador detecta soporte para RDMA en el momento de la prueba, pero el controlador puede entrar en un estado en el que RDMA no es compatible después de que se haya asignado el IDA en el momento de la prueba. tiempo y esto provocaría una pérdida de memoria. • https://git.kernel.org/stable/c/d25a0fc41c1f927bb914e72a03c1898052557406 https://git.kernel.org/stable/c/777682e59840e24e6c5672197e6ffbcf4bff823b https://git.kernel.org/stable/c/73e30a62b19b9fbb4e6a3465c59da186630d5f2e •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47452 – netfilter: nf_tables: skip netdev events generated on netns removal
https://notcve.org/view.php?id=CVE-2021-47452
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: skip netdev events generated on netns removal syzbot reported following (harmless) WARN: WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468 nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline] nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline] __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524 nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline] nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382 reproducer: unshare -n bash -c 'ip link add br0 type bridge; nft add table netdev t ; \ nft add chain netdev t ingress \{ type filter hook ingress device "br0" \ priority 0\; policy drop\; \}' Problem is that when netns device exit hooks create the UNREGISTER event, the .pre_exit hook for nf_tables core has already removed the base hook. Notifier attempts to do this again. The need to do base hook unregister unconditionally was needed in the past, because notifier was last stage where reg->dev dereference was safe. Now that nf_tables does the hook removal in .pre_exit, this isn't needed anymore. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: omitir eventos de netdev generados al eliminar netns syzbot informó lo siguiente (inofensivo) ADVERTENCIA: ADVERTENCIA: CPU: 1 PID: 2648 en net/netfilter/core.c:468 nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [en línea] nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [en línea] __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524 nft_netdev_event net/netfilter/nft_ filtro_cadena.c: 351 [en línea] nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382 reproductor: dejar de compartir -n bash -c 'ip link agregar puente tipo br0; nft agregar tabla netdev t; \ nft add chain netdev t ingress \{ tipo filtro gancho ingreso dispositivo "br0" \ prioridad 0\; caída de la política\; \}' El problema es que cuando los ganchos de salida del dispositivo netns crean el evento UNREGISTER, el gancho .pre_exit para nf_tables core ya ha eliminado el gancho base. Notifier intenta hacer esto nuevamente. La necesidad de cancelar el registro del enlace base incondicionalmente era necesaria en el pasado, porque el notificador era la última etapa donde la desreferencia reg->dev era segura. • https://git.kernel.org/stable/c/767d1216bff82507c945e92fe719dff2083bb2f4 https://git.kernel.org/stable/c/b110391d1e806167254d3c7ae5d637191d913175 https://git.kernel.org/stable/c/0a0e5d47670b753d3dbf88f3c77a97a30864d9bd https://git.kernel.org/stable/c/90c7c58aa2bd02c65a4c63b7dfe0b16eab12cf9f https://git.kernel.org/stable/c/68a3765c659f809dcaac20030853a054646eb739 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47451 – netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value
https://notcve.org/view.php?id=CVE-2021-47451
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Currently, when the rule related to IDLETIMER is added, idletimer_tg timer structure is initialized by kmalloc on executing idletimer_tg_create function. However, in this process timer->timer_type is not defined to a specific value. Thus, timer->timer_type has garbage value and it occurs kernel panic. So, this commit fixes the panic by initializing timer->timer_type using kzalloc instead of kmalloc. Test commands: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed Splat looks like: BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70 Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dump_stack_lvl+0x6e/0x9c kasan_report.cold+0x112/0x117 ? alarm_expires_remaining+0x49/0x70 __asan_load8+0x86/0xb0 alarm_expires_remaining+0x49/0x70 idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] dev_attr_show+0x3c/0x60 sysfs_kf_seq_show+0x11d/0x1f0 ? • https://git.kernel.org/stable/c/68983a354a655c35d3fb204489d383a2a051fda7 https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650 https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47450 – KVM: arm64: Fix host stage-2 PGD refcount
https://notcve.org/view.php?id=CVE-2021-47450
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix host stage-2 PGD refcount The KVM page-table library refcounts the pages of concatenated stage-2 PGDs individually. However, when running KVM in protected mode, the host's stage-2 PGD is currently managed by EL2 as a single high-order compound page, which can cause the refcount of the tail pages to reach 0 when they shouldn't, hence corrupting the page-table. Fix this by introducing a new hyp_split_page() helper in the EL2 page allocator (matching the kernel's split_page() function), and make use of it from host_s2_zalloc_pages_exact(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: KVM: arm64: corrige el recuento de PGD de etapa 2 del host La librería de tablas de páginas de KVM vuelve a contar las páginas de los PGD de etapa 2 concatenados individualmente. Sin embargo, cuando se ejecuta KVM en modo protegido, EL2 administra actualmente el PGD de etapa 2 del host como una única página compuesta de alto orden, lo que puede causar que el recuento de las páginas finales llegue a 0 cuando no debería, corrompiendo así el tabla de páginas. Solucione este problema introduciendo un nuevo asistente hyp_split_page() en el asignador de páginas EL2 (que coincida con la función split_page() del kernel) y utilícelo desde host_s2_zalloc_pages_exact(). • https://git.kernel.org/stable/c/1025c8c0c6accfcbdc8f52ca1940160f65cd87d6 https://git.kernel.org/stable/c/b372264c66ef78f2cab44e877fbd765ad6d24c39 https://git.kernel.org/stable/c/1d58a17ef54599506d44c45ac95be27273a4d2b1 •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-47449 – ice: fix locking for Tx timestamp tracking flush
https://notcve.org/view.php?id=CVE-2021-47449
In the Linux kernel, the following vulnerability has been resolved: ice: fix locking for Tx timestamp tracking flush Commit 4dd0d5c33c3e ("ice: add lock around Tx timestamp tracker flush") added a lock around the Tx timestamp tracker flow which is used to cleanup any left over SKBs and prepare for device removal. This lock is problematic because it is being held around a call to ice_clear_phy_tstamp. The clear function takes a mutex to send a PHY write command to firmware. This could lead to a deadlock if the mutex actually sleeps, and causes the following warning on a kernel with preemption debugging enabled: [ 715.419426] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:573 [ 715.427900] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3100, name: rmmod [ 715.435652] INFO: lockdep is turned off. [ 715.439591] Preemption disabled at: [ 715.439594] [<0000000000000000>] 0x0 [ 715.446678] CPU: 52 PID: 3100 Comm: rmmod Tainted: G W OE 5.15.0-rc4+ #42 bdd7ec3018e725f159ca0d372ce8c2c0e784891c [ 715.458058] Hardware name: Intel Corporation S2600STQ/S2600STQ, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020 [ 715.468483] Call Trace: [ 715.470940] dump_stack_lvl+0x6a/0x9a [ 715.474613] ___might_sleep.cold+0x224/0x26a [ 715.478895] __mutex_lock+0xb3/0x1440 [ 715.482569] ? stack_depot_save+0x378/0x500 [ 715.486763] ? ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] [ 715.494979] ? • https://git.kernel.org/stable/c/46720ac66c21bf85e08823664b7b314b85e43f26 https://git.kernel.org/stable/c/61616be899975404df44c20ab902464b60882cd7 https://git.kernel.org/stable/c/4d4a223a86afe658cd878800f09458e8bb54415d • CWE-129: Improper Validation of Array Index •