CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47542 – net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
https://notcve.org/view.php?id=CVE-2021-47542
In the Linux kernel, the following vulnerability has been resolved: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() In qlcnic_83xx_add_rings(), the indirect function of ahw->hw_ops->alloc_mbx_args will be called to allocate memory for cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(), which could lead to a NULL pointer dereference on failure of the indirect function like qlcnic_83xx_alloc_mbx_args(). Fix this bug by adding a check of alloc_mbx_args(), this patch imitates the logic of mbx_cmd()'s failure handling. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_QLCNIC=m show no new warnings, and our static analyzer no longer warns about this code. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: qlogic: qlcnic: corrigió una desreferencia de puntero NULL en qlcnic_83xx_add_rings() En qlcnic_83xx_add_rings(), se llamará a la función indirecta de ahw->hw_ops->alloc_mbx_args para asignar memoria para cmd.req.arg, y hay una desreferencia del mismo en qlcnic_83xx_add_rings(), lo que podría llevar a una desreferencia del puntero NULL en caso de falla de la función indirecta como qlcnic_83xx_alloc_mbx_args(). Corrija este error agregando una verificación de alloc_mbx_args(); este parche imita la lógica del manejo de fallas de mbx_cmd(). • https://git.kernel.org/stable/c/7f9664525f9cb507de9198a395a111371413f230 https://git.kernel.org/stable/c/3a061d54e260b701b538873b43e399d9b8b83e03 https://git.kernel.org/stable/c/b4f217d6fcc00c3fdc0921a7691f30be7490b073 https://git.kernel.org/stable/c/550658a2d61e4eaf522c8ebc7fad76dc376bfb45 https://git.kernel.org/stable/c/57af54a56024435d83e44c78449513b414eb6edf https://git.kernel.org/stable/c/bbeb0325a7460ebf1e03f5e0bfc5c652fba9519f https://git.kernel.org/stable/c/15fa12c119f869173f9b710cbe6a4a14071d2105 https://git.kernel.org/stable/c/c5ef33c1489b2cd74368057fa00b5d218 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47541 – net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
https://notcve.org/view.php?id=CVE-2021-47541
In the Linux kernel, the following vulnerability has been resolved: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv(). After that mlx4_en_alloc_resources() is called and there is a dereference of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to a use after free problem on failure of mlx4_en_copy_priv(). Fix this bug by adding a check of mlx4_en_copy_priv() This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_MLX4_EN=m show no new warnings, and our static analyzer no longer warns about this code. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx4_en: corrige un error de use-after-free en mlx4_en_try_alloc_resources() En mlx4_en_try_alloc_resources(), se llama a mlx4_en_copy_priv() y se liberará tmp->tx_cq en la ruta del error de mlx4_en_copy_priv(). Después de eso, se llama a mlx4_en_alloc_resources() y hay una desreferencia de &tmp->tx_cq[t][i] en mlx4_en_alloc_resources(), lo que podría llevar a un problema de use-after-free si falla mlx4_en_copy_priv(). • https://git.kernel.org/stable/c/ec25bc04ed8e12947738468cbe2191f1529f9e39 https://git.kernel.org/stable/c/be12572c5ddc8ad7453bada4eec8fa46967dc757 https://git.kernel.org/stable/c/676dc7d9b15bf8733233a2db1ec3f9091ab34275 https://git.kernel.org/stable/c/e461a9816a1ac5b4aeb61621b817225b61e46a68 https://git.kernel.org/stable/c/f1d43efa59f1edd3e7eca0e94559b4c6b1cd4e2b https://git.kernel.org/stable/c/75917372eef0dbfb290ae45474314d35f97aea18 https://git.kernel.org/stable/c/addad7643142f500080417dd7272f49b7a185570 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47540 – mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode
https://notcve.org/view.php?id=CVE-2021-47540
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode Fix the following NULL pointer dereference in mt7915_get_phy_mode routine adding an ibss interface to the mt7915 driver. [ 101.137097] wlan0: Trigger new scan to find an IBSS to join [ 102.827039] wlan0: Creating new IBSS network, BSSID 26:a4:50:1a:6e:69 [ 103.064756] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 103.073670] Mem abort info: [ 103.076520] ESR = 0x96000005 [ 103.079614] EC = 0x25: DABT (current EL), IL = 32 bits [ 103.084934] SET = 0, FnV = 0 [ 103.088042] EA = 0, S1PTW = 0 [ 103.091215] Data abort info: [ 103.094104] ISV = 0, ISS = 0x00000005 [ 103.098041] CM = 0, WnR = 0 [ 103.101044] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000460b1000 [ 103.107565] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 103.116590] Internal error: Oops: 96000005 [#1] SMP [ 103.189066] CPU: 1 PID: 333 Comm: kworker/u4:3 Not tainted 5.10.75 #0 [ 103.195498] Hardware name: MediaTek MT7622 RFB1 board (DT) [ 103.201124] Workqueue: phy0 ieee80211_iface_work [mac80211] [ 103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--) [ 103.212705] pc : mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 103.218103] lr : mt7915_mcu_add_bss_info+0x11c/0x760 [mt7915e] [ 103.223927] sp : ffffffc011cdb9e0 [ 103.227235] x29: ffffffc011cdb9e0 x28: ffffff8006563098 [ 103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40 [ 103.237855] x25: 0000000000000001 x24: 000000000000011f [ 103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918 [ 103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58 [ 103.253785] x19: ffffff8006744400 x18: 0000000000000000 [ 103.259094] x17: 0000000000000000 x16: 0000000000000001 [ 103.264403] x15: 000899c3a2d9d2e4 x14: 000899bdc3c3a1c8 [ 103.269713] x13: 0000000000000000 x12: 0000000000000000 [ 103.275024] x11: ffffffc010e30c20 x10: 0000000000000000 [ 103.280333] x9 : 0000000000000050 x8 : ffffff8006567d88 [ 103.285642] x7 : ffffff8006563b5c x6 : ffffff8006563b44 [ 103.290952] x5 : 0000000000000002 x4 : 0000000000000001 [ 103.296262] x3 : 0000000000000001 x2 : 0000000000000001 [ 103.301572] x1 : 0000000000000000 x0 : 0000000000000011 [ 103.306882] Call trace: [ 103.309328] mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 103.314378] mt7915_bss_info_changed+0x198/0x200 [mt7915e] [ 103.319941] ieee80211_bss_info_change_notify+0x128/0x290 [mac80211] [ 103.326360] __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211] [ 103.332171] ieee80211_sta_create_ibss+0x8c/0x10c [mac80211] [ 103.337895] ieee80211_ibss_work+0x3dc/0x614 [mac80211] [ 103.343185] ieee80211_iface_work+0x388/0x3f0 [mac80211] [ 103.348495] process_one_work+0x288/0x690 [ 103.352499] worker_thread+0x70/0x464 [ 103.356157] kthread+0x144/0x150 [ 103.359380] ret_from_fork+0x10/0x18 [ 103.362952] Code: 394008c3 52800220 394000e4 7100007f (39400023) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mt76: mt7915: corrige la desreferencia del puntero NULL en mt7915_get_phy_mode. Corrija la siguiente desreferencia del puntero NULL en la rutina mt7915_get_phy_mode agregando una interfaz ibss al controlador mt7915. [ 101.137097] wlan0: activa una nueva exploración para encontrar un IBSS al que unirse [ 102.827039] wlan0: crea una nueva red IBSS, BSSID 26:a4:50:1a:6e:69 [ 103.064756] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000000 [ 103.073670] Información de cancelación de memoria: [ 103.076520] ESR = 0x96000005 [ 103.079614] EC = 0x25: DABT (EL actual), IL = 32 bits [ 103.084934] SET = 0, FnV = 0 [ 103.088042] EA = 0, 1PTW = 0 [ 103.091215] Información de cancelación de datos: [ 103.094104] ISV = 0, ISS = 0x00000005 [ 103.098041] CM = 0, WnR = 0 [ 103.101044] tabla de páginas de usuario: páginas de 4k, VA de 39 bits, pgdp=00000000460 b1000 [ 103.107565 ] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [103.116590] Error interno: Ups: 96000005 [#1] SMP [103.189066] CPU: 1 PID: 333 Comunicaciones: kworker/u4:3 No contaminado 5.10.75 #0 [ 103.195498 ] Nombre del hardware: Placa MediaTek MT7622 RFB1 (DT) [103.201124] Cola de trabajo: phy0 ieee80211_iface_work [mac80211] [103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--) [103.212705] pc: t7915_get_phy_mode+0x68/ 0x120 [MT7915E] [103.218103] LR: MT7915_MCU_ADD_BSS_INFO+0X11C/0X760 [MT7915E] [103.223927] SP: FFFFFFFC011CDB9E0 [103.222235] x29: F8006563098 [103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40 [103.237855] x25: 000000000000000001 x24: 000000000000011f [ 103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918 [ 103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58 [ 103.253785] x19: 44400 x18: 0000000000000000 [ 103.259094] x17: 0000000000000000 x16: 0000000000000001 [ 103.264403] x15: 000899c3a2d9d2e4 x14: 99bdc3c3a1c8 [103.269713] x13: 0000000000000000 x12: 0000000000000000 [ 103.275024] x11: ffffffc010e30c20 x10: 0000000000000000 [ 103.280333] x9 : 0000000000000050 x8: ffffff8006567d88 [103.285642] x7: ffffff8006563b5c x6: ffffff8006563b44 [103.290952] x5: 00000000000000002 x4: 0000000000000001 [ 103.2 96262] x3: 0000000000000001 x2: 0000000000000001 [ 103.301572] x1: 0000000000000000 x0: 0000000000000011 [103.306882] Rastreo de llamadas: [103.309328] mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 378] mt7915_bss_info_changed+0x198/0x200 [mt7915e] [ 103.319941] ieee80211_bss_info_change_notify+0x128/0x290 [mac80211] [ 103.326360] __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211] [ 103.332171] ieee80211_sta_create_ibss+0x8c/0x10c [mac80211] [ 103.337895] 614 [mac80211] [ 103.343185] ieee80211_iface_work+0x388/0x3f0 [mac80211] [ 103.348495] Process_one_work+0x288/0x690 [ 103.352499] work_thread+0x70/0x464 [ 103.356157] kthread+0x144/0x150 [ 103.359380] ret_from_fork+0x10/0x18 [ 103.362952] Código: 394008c3 52800220 00e4 7100007f (39400023) • https://git.kernel.org/stable/c/37f4ca907c462d7c8a1ac9e7e3473681b5f893dd https://git.kernel.org/stable/c/932b338f4e5c4cb0c2ed640da3bced1e63620198 https://git.kernel.org/stable/c/14b03b8cebdf18ff13c39d58501b625411314de2 https://git.kernel.org/stable/c/6e53d6d26920d5221d3f4d4f5ffdd629ea69aa5c • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47538 – rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
https://notcve.org/view.php?id=CVE-2021-47538
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() Need to call rxrpc_put_local() for peer candidate before kfree() as it holds a ref to rxrpc_local. [DH: v2: Changed to abstract the peer freeing code out into a function] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: rxrpc: corrigió la fuga de rxrpc_local en rxrpc_lookup_peer() Es necesario llamar a rxrpc_put_local() para el candidato par antes de kfree(), ya que contiene una referencia a rxrpc_local. [DH: v2: modificado para abstraer el código de liberación del par en una función] • https://git.kernel.org/stable/c/e8e51ce79c157188e209e5ea0afaf6b42dd76104 https://git.kernel.org/stable/c/9ebeddef58c41bd700419cdcece24cf64ce32276 https://git.kernel.org/stable/c/9b7fc03b4cdbfb668b6891967105258691c6d3b5 https://git.kernel.org/stable/c/913c24af2d13a3fd304462916ee98e298d56bdce https://git.kernel.org/stable/c/3e70e3a72d80b16094faccbe438cd53761c3503a https://git.kernel.org/stable/c/60f0b9c42cb80833a03ca57c1c8b078d716e71d1 https://git.kernel.org/stable/c/9469273e616ca8f1b6e3773c5019f21b4c8d828c https://git.kernel.org/stable/c/beacff50edbd6c9659a6f15fc7f612690 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47536 – net/smc: fix wrong list_del in smc_lgr_cleanup_early
https://notcve.org/view.php?id=CVE-2021-47536
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix wrong list_del in smc_lgr_cleanup_early smc_lgr_cleanup_early() meant to delete the link group from the link group list, but it deleted the list head by mistake. This may cause memory corruption since we didn't remove the real link group from the list and later memseted the link group structure. We got a list corruption panic when testing: [ 231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000 [ 231.278222] ------------[ cut here ]------------ [ 231.278726] kernel BUG at lib/list_debug.c:53! [ 231.279326] invalid opcode: 0000 [#1] SMP NOPTI [ 231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435 [ 231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014 [ 231.281248] Workqueue: events smc_link_down_work [ 231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90 [ 231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c 60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f> 0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc [ 231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292 [ 231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000 [ 231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040 [ 231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001 [ 231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001 [ 231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003 [ 231.288337] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 [ 231.289160] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0 [ 231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 231.291940] Call Trace: [ 231.292211] smc_lgr_terminate_sched+0x53/0xa0 [ 231.292677] smc_switch_conns+0x75/0x6b0 [ 231.293085] ? update_load_avg+0x1a6/0x590 [ 231.293517] ? ttwu_do_wakeup+0x17/0x150 [ 231.293907] ? update_load_avg+0x1a6/0x590 [ 231.294317] ? • https://git.kernel.org/stable/c/a0a62ee15a829ebf8aeec55a4f1688230439b3e0 https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529 https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba •