Page 250 of 3607 results (0.010 seconds)

CVSS: -EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: ARM: 9170/1: fix panic when kasan and kprobe are enabled arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic. the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files. for example, use kprobe insert on cap_capable+20 after kasan enabled, the cap_capable assembly code is as follows: <cap_capable>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c add r0, r0, #108 ; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [pc, #144] ; ebfc7bf8 bl c03aa4b4 <__asan_load4> e595706c ldr r7, [r5, #108] ; 0x6c e2859014 add r9, r5, #20 ...... The emulate_ldr assembly code after enabling kasan is as follows: c06f1384 <emulate_ldr>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c add r8, r2, #60 ; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 <__asan_load4> e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f and sl, r5, #15 0a000001 beq c06f13bc <emulate_ldr+0x38> e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 <__asan_load4> e084010a add r0, r4, sl, lsl #2 ebf3545a bl c03c6530 <__asan_load4> e2890010 add r0, r9, #16 ebf35458 bl c03c6530 <__asan_load4> e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 1a000014 bne c06f1430 <emulate_ldr+0xac> e1a06000 mov r6, r0 e2840040 add r0, r4, #64 ; 0x40 ...... when running in emulate_ldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM PC is at cap_capable+0x14/0xb0 LR is at emulate_ldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (cap_capable) from (kprobe_handler+0x218/0x340) (kprobe_handler) from (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) (do_undefinstr) from (__und_svc_finish+0x0/0x30) (__und_svc_finish) from (cap_capable+0x18/0xb0) (cap_capable) from (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8) (copy_process.constprop.5) from (_do_fork+0xe8/0x55c) (_do_fork) from (SyS_clone+0x1c/0x24) (SyS_clone) from (__sys_trace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ARM: 9170/1: soluciona el pánico cuando kasan y kprobe están habilitados arm32 usa software para simular la instrucción reemplazada por kprobe. Algunas instrucciones pueden simularse mediante la construcción de funciones de ensamblaje. por lo tanto, antes de ejecutar la simulación de instrucciones, es necesario construir un entorno de ejecución de funciones de ensamblaje en lenguaje C mediante registros vinculantes. después de habilitar kasan, la relación de enlace de registros se destruirá, lo que provocará errores de simulación de instrucciones y provocará pánico en el kernel. La función de emulación de instrucciones de kprobe se distribuye en tres archivos: acciones-common.c acciones-arm.c acciones-thumb.c, por lo tanto, desactive KASAN al compilar estos archivos. por ejemplo, use kprobe insert en cap_capable+20 después de habilitar kasan, el código ensamblador de cap_capable es el siguiente: : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c agregue r0, r0, #108; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [ordenador personal, #144]; ebfc7bf8 bl c03aa4b4 &lt;__asan_load4&gt; e595706c ldr r7, [r5, #108]; 0x6c e2859014 add r9, r5, #20 ...... El código ensamblador emulate_ldr después de habilitar kasan es el siguiente: c06f1384 : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c agregue r8, r2, #60; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 &lt;__asan_load 4&gt; e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f y sl, r5, #15 0a000001 beq c06f13bc e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 &lt;__asan_load4&gt; e084010a add r0, 4, sl, lsl #2 ebf3545a bl c03c6530 &lt;__asan_load4&gt; e2890010 agregar r0, r9, #16 ebf35458 bl c03c6530 &lt;__asan_load4&gt; e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 14 bne c06f1430 e1a06000 mov r6, r0 e2840040 agregar r0, r4, #64; 0x40 ...... cuando se ejecuta emulate_ldr para simular la instrucción ldr, se produce pánico y el registro es el siguiente: No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, * pmd=00000000 Error interno: Ups: 206 [#1] La PC SMP ARM está en cap_capable+0x14/0xb0 LR está en emulate_ldr+0x50/0xc0 psr: 600d0293 sp: ecd63af8 ip: 00000004 fp: c0a7c30c r10: r9: c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Banderas: nZCv IRQ desactivadas FIQ activadas Modo SVC_3 2 Usuario de segmento ISA ARM Control: 32c5387d Tabla: 2d546400 DAC: 55555555 Proceso bash (pid: 1643, límite de pila = 0xecd60190) (cap_capable) de (kprobe_handler+0x218/0x340) (kprobe_handler) de (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) de (do_undefinstr+0x13c/0x364) (do_undefinstr) de (__ und_svc_finish+ 0x0/0x30) (__und_svc_finish) de (cap_capable+0x18/0xb0) (cap_capable) de (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) de (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) de (copy_process .constprop.5+0x16b4/ 0x25c8) (copy_process.constprop.5) de (_do_fork+0xe8/0x55c) (_do_fork) de (SyS_clone+0x1c/0x24) (SyS_clone) de (__sys_trace_return+0x0/0x10) Código: 0050a0e1 6c0080e2 0260a0e1 (f801f0e7) • https://git.kernel.org/stable/c/35aa1df4328340f38edc46f00837f08d33d49f63 https://git.kernel.org/stable/c/1515e72aae803fc6b466adf918e71c4e4c9d5b3d https://git.kernel.org/stable/c/ba1863be105b06e10d0e2f6b1b8a0570801cfc71 https://git.kernel.org/stable/c/8b59b0a53c840921b625378f137e88adfa87647e •

CVSS: -EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: PCI: pciehp: Fix infinite loop in IRQ handler upon power fault The Power Fault Detected bit in the Slot Status register differs from all other hotplug events in that it is sticky: It can only be cleared after turning off slot power. Per PCIe r5.0, sec. 6.7.1.8: If a power controller detects a main power fault on the hot-plug slot, it must automatically set its internal main power fault latch [...]. The main power fault latch is cleared when software turns off power to the hot-plug slot. The stickiness used to cause interrupt storms and infinite loops which were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable software notification on empty slots"). Unfortunately in 2020 the infinite loop issue was inadvertently reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race"): The hardirq handler pciehp_isr() clears the PFD bit until pciehp's power_fault_detected flag is set. That happens in the IRQ thread pciehp_ist(), which never learns of the event because the hardirq handler is stuck in an infinite loop. Fix by setting the power_fault_detected flag already in the hardirq handler. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI: pciehp: soluciona el bucle infinito en el controlador IRQ ante un fallo de alimentación. • https://git.kernel.org/stable/c/a8cc52270f3d8e8f4faf01ffd6c4a95bbfb55ba4 https://git.kernel.org/stable/c/4667358dab9cc07da044d5bc087065545b1000df https://git.kernel.org/stable/c/8edf5332c39340b9583cf9cba659eb7ec71f75b5 https://git.kernel.org/stable/c/ff27f7d0333cff89ec85c419f431aca1b38fb16a https://git.kernel.org/stable/c/464da38ba827f670deac6500a1de9a4f0f44c41d https://git.kernel.org/stable/c/3b4c966fb156ff3e70b2526d964952ff7c1574d9 https://git.kernel.org/stable/c/1db58c6584a72102e98af2e600ea184ddaf2b8af https://git.kernel.org/stable/c/6d6f1f0dac3e3441ecdb1103d4efb11b9 •

CVSS: -EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HCI: Remove HCI_AMP support Since BT_HS has been remove HCI_AMP controllers no longer has any use so remove it along with the capability of creating AMP controllers. Since we no longer need to differentiate between AMP and Primary controllers, as only HCI_PRIMARY is left, this also remove hdev->dev_type altogether. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: HCI: eliminar la compatibilidad con HCI_AMP Dado que se eliminó BT_HS, los controladores HCI_AMP ya no tienen ningún uso, así que elimínelos junto con la capacidad de crear controladores AMP. Como ya no necesitamos diferenciar entre los controladores AMP y primarios, ya que solo queda HCI_PRIMARY, esto también elimina hdev-&gt;dev_type por completo. • https://git.kernel.org/stable/c/244bc377591c3882f454882357bc730c90cbedb5 https://git.kernel.org/stable/c/5af2e235b0d5b797e9531a00c50058319130e156 https://git.kernel.org/stable/c/d3c7b012d912b31ad23b9349c0e499d6dddd48ec https://git.kernel.org/stable/c/af1d425b6dc67cd67809f835dd7afb6be4d43e03 https://git.kernel.org/stable/c/84a4bb6548a29326564f0e659fb8064503ecc1c7 •

CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Check whether the media is initialized The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba(). - Add a member "media_initialized" to struct alauda_info. - Change a condition in alauda_check_media() to ensure the first initialization. - Add an error check for the return value of alauda_init_media(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: usb-storage: alauda: compruebe si el medio está inicializado. El miembro "uzonesize" de la estructura alauda_info permanecerá 0 si alauda_init_media() falla, lo que podría provocar errores de división en alauda_read_data() y alauda_write_lba(). - Agregue un miembro "media_initialized" a la estructura alauda_info. - Cambiar una condición en alauda_check_media() para asegurar la primera inicialización. - Agregue una verificación de errores para el valor de retorno de alauda_init_media(). • https://git.kernel.org/stable/c/e80b0fade09ef1ee67b0898d480d4c588f124d5f https://git.kernel.org/stable/c/e0aab7b07a9375337847c9d74a5ec044071e01c8 https://git.kernel.org/stable/c/51fe16c058acb22f847e69bc598066ed0bcd5c15 https://git.kernel.org/stable/c/f68820f1256b21466ff094dd97f243b7e708f9c1 https://git.kernel.org/stable/c/3eee13ab67f65606faa66e0c3c729e4f514838fd https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361 https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1 https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf • CWE-457: Use of Uninitialized Variable •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: RDMA: Fix use-after-free in rxe_queue_cleanup On error handling path in rxe_qp_from_init() qp->sq.queue is freed and then rxe_create_qp() will drop last reference to this object. qp clean up function will try to free this queue one time and it causes UAF bug. Fix it by zeroing queue pointer after freeing queue in rxe_qp_from_init(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA: corrige el use-after-free en rxe_queue_cleanup En la ruta de manejo de errores en rxe_qp_from_init() qp-&gt;sq.queue se libera y luego rxe_create_qp() eliminará la última referencia a este objeto. La función de limpieza qp intentará liberar esta cola una vez y provocará un error UAF. Solucionarlo poniendo a cero el puntero de la cola después de liberar la cola en rxe_qp_from_init(). • https://git.kernel.org/stable/c/514aee660df493cd673154a6ba6bab745ec47b8c https://git.kernel.org/stable/c/acb53e47db1fbc7cd37ab10b46388f045a76e383 https://git.kernel.org/stable/c/84b01721e8042cdd1e8ffeb648844a09cd4213e0 •