CVE-2023-52597 – KVM: s390: fix setting of fpc register
https://notcve.org/view.php?id=CVE-2023-52597
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix setting of fpc register kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control (fpc) register of a guest cpu. The new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the host process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space / host process fpc register value, however it will be discarded, when returning to user space. In result the host process will incorrectly continue to run with the value that was supposed to be used for a guest cpu. Fix this by simply removing the test. There is another test right before the SIE context is entered which will handles invalid values. This results in a change of behaviour: invalid values will now be accepted instead of that the ioctl fails with -EINVAL. This seems to be acceptable, given that this interface is most likely not used anymore, and this is in addition the same behaviour implemented with the memory mapped interface (replace invalid values with zero) - see sync_regs() in kvm-s390.c. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: KVM: s390: configuración fija del registro fpc kvm_arch_vcpu_ioctl_set_fpu() permite configurar el registro de control de punto flotante (fpc) de una CPU invitada. • https://git.kernel.org/stable/c/3a04410b0bc7e056e0843ac598825dd359246d18 https://git.kernel.org/stable/c/5e63c9ae8055109d805aacdaf2a4fe2c3b371ba1 https://git.kernel.org/stable/c/150a3a3871490e8c454ffbac2e60abeafcecff99 https://git.kernel.org/stable/c/732a3bea7aba5b15026ea42d14953c3425cc7dc2 https://git.kernel.org/stable/c/0671f42a9c1084db10d68ac347d08dbf6689ecb3 https://git.kernel.org/stable/c/c87d7d910775a025e230fd6359b60627e392460f https://git.kernel.org/stable/c/2823db0010c400e4b2b12d02aa5d0d3ecb15d7c7 https://git.kernel.org/stable/c/b988b1bb0053c0dcd26187d29ef07566a • CWE-20: Improper Input Validation •
CVE-2023-52596 – sysctl: Fix out of bounds access for empty sysctl registers
https://notcve.org/view.php?id=CVE-2023-52596
In the Linux kernel, the following vulnerability has been resolved: sysctl: Fix out of bounds access for empty sysctl registers When registering tables to the sysctl subsystem there is a check to see if header is a permanently empty directory (used for mounts). This check evaluates the first element of the ctl_table. This results in an out of bounds evaluation when registering empty directories. The function register_sysctl_mount_point now passes a ctl_table of size 1 instead of size 0. It now relies solely on the type to identify a permanently empty register. Make sure that the ctl_table has at least one element before testing for permanent emptiness. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: sysctl: corrige el acceso fuera de los límites para registros sysctl vacíos. • https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489 https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843 •
CVE-2023-52595 – wifi: rt2x00: restart beacon queue when hardware reset
https://notcve.org/view.php?id=CVE-2023-52595
In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00: restart beacon queue when hardware reset When a hardware reset is triggered, all registers are reset, so all queues are forced to stop in hardware interface. However, mac80211 will not automatically stop the queue. If we don't manually stop the beacon queue, the queue will be deadlocked and unable to start again. This patch fixes the issue where Apple devices cannot connect to the AP after calling ieee80211_restart_hw(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rt2x00: reinicia la cola de baliza cuando se reinicia el hardware Cuando se activa un reinicio de hardware, todos los registros se reinician, por lo que todas las colas se ven obligadas a detenerse en la interfaz de hardware. Sin embargo, mac80211 no detendrá automáticamente la cola. • https://git.kernel.org/stable/c/e1f113b57ddd18274d7c83618deca25cc880bc48 https://git.kernel.org/stable/c/69e905beca193125820c201ab3db4fb0e245124e https://git.kernel.org/stable/c/4cc198580a7b93a36f5beb923f40f7ae27a3716c https://git.kernel.org/stable/c/739b3ccd9486dff04af95f9a890846d088a84957 https://git.kernel.org/stable/c/04cfe4a5da57ab9358cdfadea22bcb37324aaf83 https://git.kernel.org/stable/c/fdb580ed05df8973aa5149cafa598c64bebcd0cb https://git.kernel.org/stable/c/a11d965a218f0cd95b13fe44d0bcd8a20ce134a8 https://lists.debian.org/debian-lts-announce/2024/06/ • CWE-20: Improper Input Validation •
CVE-2023-52594 – wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
https://notcve.org/view.php?id=CVE-2023-52594
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug occurs when txs->cnt, data from a URB provided by a USB device, is bigger than the size of the array txs->txstatus, which is HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug handling code after the check. Make the function return if that is the case. Found by a modified version of syzkaller. UBSAN: array-index-out-of-bounds in htc_drv_txrx.c index 13 is out of range for type '__wmi_event_txstatus [12]' Call Trace: ath9k_htc_txstatus ath9k_wmi_event_tasklet tasklet_action_common __do_softirq irq_exit_rxu sysvec_apic_timer_interrupt En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath9k: corrige una posible lectura de índice de matriz fuera de los límites en ath9k_htc_txstatus(). Corrige una lectura de índice de matriz fuera de los límites en ath9k_htc_txstatus(). • https://git.kernel.org/stable/c/f44f073c78112ff921a220d01b86d09f2ace59bc https://git.kernel.org/stable/c/f11f0fd1ad6c11ae7856d4325fe9d05059767225 https://git.kernel.org/stable/c/84770a996ad8d7f121ff2fb5a8d149aad52d64c1 https://git.kernel.org/stable/c/9003fa9a0198ce004b30738766c67eb7373479c9 https://git.kernel.org/stable/c/25c6f49ef59b7a9b80a3f7ab9e95268a1b01a234 https://git.kernel.org/stable/c/e4f4bac7d3b64eb75f70cd3345712de6f68a215d https://git.kernel.org/stable/c/be609c7002dd4504b15b069cb7582f4c778548d1 https://git.kernel.org/stable/c/2adc886244dff60f948497b59affb6c6e • CWE-125: Out-of-bounds Read •
CVE-2023-52593 – wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()
https://notcve.org/view.php?id=CVE-2023-52593
In the Linux kernel, the following vulnerability has been resolved: wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap() Since 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()' should check the return value before examining skb data. So convert the latter to return an appropriate error code and propagate it to return from 'wfx_start_ap()' as well. Compile tested only. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: wfx: corrige la posible desreferencia del puntero NULL en wfx_set_mfp_ap() Dado que 'ieee80211_beacon_get()' puede devolver NULL, 'wfx_set_mfp_ap()' debe verificar el valor de retorno antes de examinar los datos de skb. Así que convierta este último para que devuelva un código de error apropiado y propáguelo para que regrese también desde 'wfx_start_ap()'. • https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03 https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132 https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878 https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d •