CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47306 – net: fddi: fix UAF in fza_probe
https://notcve.org/view.php?id=CVE-2021-47306
In the Linux kernel, the following vulnerability has been resolved: net: fddi: fix UAF in fza_probe fp is netdev private data and it cannot be used after free_netdev() call. Using fp after free_netdev() can cause UAF bug. Fix it by moving free_netdev() after error message. TURBOchannel adapter") En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: fddi: corrige UAF en fza_probe fp son datos privados de netdev y no se pueden usar después de la llamada a free_netdev(). Usar fp después de free_netdev() puede causar un error UAF. Solucionadlo moviendo free_netdev() después del mensaje de error. • https://git.kernel.org/stable/c/61414f5ec9834df8aa4f55c90de16b71a3d6ca8d https://git.kernel.org/stable/c/04b06716838bfc26742dbed3ae1d3697fe5317ee https://git.kernel.org/stable/c/f33605908a9b6063525e9f68e62d739948c5fccf https://git.kernel.org/stable/c/bdfbb51f7a437ae8ea91317a5c133ec13adf3c47 https://git.kernel.org/stable/c/deb7178eb940e2c5caca1b1db084a69b2e59b4c9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47305 – dma-buf/sync_file: Don't leak fences on merge failure
https://notcve.org/view.php?id=CVE-2021-47305
In the Linux kernel, the following vulnerability has been resolved: dma-buf/sync_file: Don't leak fences on merge failure Each add_fence() call does a dma_fence_get() on the relevant fence. In the error path, we weren't calling dma_fence_put() so all those fences got leaked. Also, in the krealloc_array failure case, we weren't freeing the fences array. Instead, ensure that i and fences are always zero-initialized and dma_fence_put() all the fences and kfree(fences) on every error path. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dma-buf/sync_file: no filtrar barreras en caso de falla de fusión. • https://git.kernel.org/stable/c/a02b9dc90d844cc7df7b63264e7920cc425052d9 https://git.kernel.org/stable/c/19f51c2529339280d2c8c6427cd3e21ddf1ac3f8 https://git.kernel.org/stable/c/e0355a0ad31a1d677b2a4514206de4902bd550e8 https://git.kernel.org/stable/c/41f45e91c92c8480242ea448d54e28c753b13902 https://git.kernel.org/stable/c/0d514185ae792d3a1903c8e1a83899aa996705ce https://git.kernel.org/stable/c/19edcd97727aae9362444a859a24d99a8730cb27 https://git.kernel.org/stable/c/ffe000217c5068c5da07ccb1c0f8cce7ad767435 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47304 – tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
https://notcve.org/view.php?id=CVE-2021-47304
In the Linux kernel, the following vulnerability has been resolved: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions. The buggy scenario constructed by syzkaller was something like: (1) create a TCP socket (2) initiate a TFO connect via sendto() (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), which calls: tcp_set_congestion_control() -> tcp_reinit_congestion_control() -> tcp_init_congestion_control() (4) receive ACK, connection is established, call tcp_init_transfer(), set icsk_ca_initialized=0 (without first calling cc->release()), call tcp_init_congestion_control() again. Note that in this sequence tcp_init_congestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g, CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG. The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), which would call tcp_init_congestion_control(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: corrige tcp_init_transfer() para no restablecer icsk_ca_initialized Esta confirmación corrige un error (encontrado por syzkaller) que podría causar dobles inicializaciones falsas para los módulos de control de congestión, lo que podría causar pérdidas de memoria o Otros problemas para los módulos de control de congestión (como CDG) que asignan memoria en sus funciones de inicio. • https://git.kernel.org/stable/c/8919a9b31eb4fb4c0a93e5fb350a626924302aa6 https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7 https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc https://access.redhat.com/security/cve/CVE-2021-47304 https://bugzilla.redhat.com/show_bug.cgi?id=2282479 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47303 – bpf: Track subprog poke descriptors correctly and fix use-after-free
https://notcve.org/view.php?id=CVE-2021-47303
In the Linux kernel, the following vulnerability has been resolved: bpf: Track subprog poke descriptors correctly and fix use-after-free Subprograms are calling map_poke_track(), but on program release there is no hook to call map_poke_untrack(). However, on program release, the aux memory (and poke descriptor table) is freed even though we still have a reference to it in the element list of the map aux data. When we run map_poke_run(), we then end up accessing free'd memory, triggering KASAN in prog_array_map_poke_run(): [...] [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337 [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399 [ 402.824715] Call Trace: [ 402.824719] dump_stack+0x93/0xc2 [ 402.824727] print_address_description.constprop.0+0x1a/0x140 [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824744] kasan_report.cold+0x7c/0xd8 [ 402.824752] ? • https://git.kernel.org/stable/c/a748c6975dea325da540610c2ba9b5f332c603e6 https://git.kernel.org/stable/c/a9f36bf3613c65cb587c70fac655c775d911409b https://git.kernel.org/stable/c/599148d40366bd5d1d504a3a8fcd65e21107e500 https://git.kernel.org/stable/c/f263a81451c12da5a342d90572e317e611846f2c •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47302 – igc: Fix use-after-free error during reset
https://notcve.org/view.php?id=CVE-2021-47302
In the Linux kernel, the following vulnerability has been resolved: igc: Fix use-after-free error during reset Cleans the next descriptor to watch (next_to_watch) when cleaning the TX ring. Failure to do so can cause invalid memory accesses. If igc_poll() runs while the controller is being reset this can lead to the driver try to free a skb that was already freed. Log message: [ 101.525242] refcount_t: underflow; use-after-free. [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0 [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E) rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E) soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E) iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E) soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E) [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E) e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E) usbcore(E) drm(E) button(E) video(E) [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017 [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0 [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3 [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286 [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001 [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50 [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00 [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40 [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000 [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0 [ 101.525343] Call Trace: [ 101.525346] sock_wfree+0x9c/0xa0 [ 101.525353] unix_destruct_scm+0x7b/0xa0 [ 101.525358] skb_release_head_state+0x40/0x90 [ 101.525362] skb_release_all+0xe/0x30 [ 101.525364] napi_consume_skb+0x57/0x160 [ 101.525367] igc_poll+0xb7/0xc80 [igc] [ 101.525376] ? sched_clock+0x5/0x10 [ 101.525381] ? sched_clock_cpu+0xe/0x100 [ 101.525385] net_rx_action+0x14c/0x410 [ 101.525388] __do_softirq+0xe9/0x2f4 [ 101.525391] __local_bh_enable_ip+0xe3/0x110 [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0 [ 101.525398] irq_forced_thread_fn+0x6a/0x80 [ 101.525401] irq_thread+0xe8/0x180 [ 101.525403] ? • https://git.kernel.org/stable/c/13b5b7fd6a4a96dffe604f25e7b64cfbd9520924 https://git.kernel.org/stable/c/a9508e0edfe369ac95d0825bcdca976436ce780f https://git.kernel.org/stable/c/e15f629036bac005fc758b4ad17896cf2312add4 https://git.kernel.org/stable/c/ea5e36b7367ea0a36ef73a163768f16d2977bd83 https://git.kernel.org/stable/c/56ea7ed103b46970e171eb1c95916f393d64eeff •