Page 23 of 3189 results (0.024 seconds)

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix error path in multi-packet WQE transmit Remove the erroneous unmap in case no DMA mapping was established The multi-packet WQE transmit code attempts to obtain a DMA mapping for the skb. This could fail, e.g. under memory pressure, when the IOMMU driver just can't allocate more memory for page tables. While the code tries to handle this in the path below the err_unmap label it erroneously unmaps one entry from the sq's FIFO list of active mappings. Since the current map attempt failed this unmap is removing some random DMA mapping that might still be required. If the PCI function now presents that IOVA, the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI function in error state. The erroneous behavior was seen in a stress-test environment that created memory pressure. • https://git.kernel.org/stable/c/5af75c747e2a868abbf8611494b50ed5e076fca7 https://git.kernel.org/stable/c/ca36d6c1a49b6965c86dd528a73f38bc62d9c625 https://git.kernel.org/stable/c/ce828b347cf1b3c1b12b091d02463c35ce5097f5 https://git.kernel.org/stable/c/fc357e78176945ca7bcacf92ab794b9ccd41b4f4 https://git.kernel.org/stable/c/26fad69b34fcba80d5c7d9e651f628e6ac927754 https://git.kernel.org/stable/c/ecf310aaf256acbc8182189fe0aa1021c3ddef72 https://git.kernel.org/stable/c/8bb8c12fb5e2b1f03d603d493c92941676f109b5 https://git.kernel.org/stable/c/2bcae12c795f32ddfbf8c80d1b5f1d328 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix memory disclosure When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses skb_put_padto() to pad Ethernet frames properly. The mentioned function zeroes the expanded buffer. In case the packet cannot be padded it is silently dropped. Statistics are also not incremented. • https://git.kernel.org/stable/c/504d4721ee8e432af4b5f196a08af38bc4dac5fe https://git.kernel.org/stable/c/185df159843d30fb71f821e7ea4368c2a3bfcd36 https://git.kernel.org/stable/c/469856f76f4802c5d7e3d20e343185188de1e2db https://git.kernel.org/stable/c/2bf4c101d7c99483b8b15a0c8f881e3f399f7e18 https://git.kernel.org/stable/c/e66e38d07b31e177ca430758ed97fbc79f27d966 https://git.kernel.org/stable/c/1097bf16501ed5e35358d848b0a94ad2830b0f65 https://git.kernel.org/stable/c/431b122933b197820d319eb3987a67d04346ce9e https://git.kernel.org/stable/c/45c0de18ff2dc9af01236380404bbd6a4 •

CVSS: -EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix buffer overflow when parsing NFS reparse points ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len. Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access. Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev(). • https://git.kernel.org/stable/c/d5ecebc4900df7f6e8dff0717574668885110553 https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07 https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919 https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9 https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: tipc: guard against string buffer overrun Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") Compile tested only. • https://git.kernel.org/stable/c/e2b2558971e02ca33eb637a8350d68a48b3e8e46 https://git.kernel.org/stable/c/54dae0e9063ed23c9acf8d5ab9b18d3426a8ac18 https://git.kernel.org/stable/c/80c0be7bcf940ce9308311575c3aff8983c9b97a https://git.kernel.org/stable/c/12d26aa7fd3cbdbc5149b6e516563478d575026e https://git.kernel.org/stable/c/2ed7f42dfd3edb387034128ca5b0f639836d4ddd https://git.kernel.org/stable/c/a18c7b239d02aafb791ae2c45226f6bb40641792 https://git.kernel.org/stable/c/6555a2a9212be6983d2319d65276484f7c5f431a •

CVSS: -EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed • https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa https://git.kernel.org/stable/c/6c9915fa9410cbb9bd75ee283c03120046c56d3d https://git.kernel.org/stable/c/697ba0b6ec4ae04afb67d3911799b5e2043b4455 •