CVE-2021-47542 – net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
https://notcve.org/view.php?id=CVE-2021-47542
In the Linux kernel, the following vulnerability has been resolved: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() In qlcnic_83xx_add_rings(), the indirect function of ahw->hw_ops->alloc_mbx_args will be called to allocate memory for cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(), which could lead to a NULL pointer dereference on failure of the indirect function like qlcnic_83xx_alloc_mbx_args(). Fix this bug by adding a check of alloc_mbx_args(), this patch imitates the logic of mbx_cmd()'s failure handling. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_QLCNIC=m show no new warnings, and our static analyzer no longer warns about this code. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: qlogic: qlcnic: corrigió una desreferencia de puntero NULL en qlcnic_83xx_add_rings() En qlcnic_83xx_add_rings(), se llamará a la función indirecta de ahw->hw_ops->alloc_mbx_args para asignar memoria para cmd.req.arg, y hay una desreferencia del mismo en qlcnic_83xx_add_rings(), lo que podría llevar a una desreferencia del puntero NULL en caso de falla de la función indirecta como qlcnic_83xx_alloc_mbx_args(). Corrija este error agregando una verificación de alloc_mbx_args(); este parche imita la lógica del manejo de fallas de mbx_cmd(). • https://git.kernel.org/stable/c/7f9664525f9cb507de9198a395a111371413f230 https://git.kernel.org/stable/c/3a061d54e260b701b538873b43e399d9b8b83e03 https://git.kernel.org/stable/c/b4f217d6fcc00c3fdc0921a7691f30be7490b073 https://git.kernel.org/stable/c/550658a2d61e4eaf522c8ebc7fad76dc376bfb45 https://git.kernel.org/stable/c/57af54a56024435d83e44c78449513b414eb6edf https://git.kernel.org/stable/c/bbeb0325a7460ebf1e03f5e0bfc5c652fba9519f https://git.kernel.org/stable/c/15fa12c119f869173f9b710cbe6a4a14071d2105 https://git.kernel.org/stable/c/c5ef33c1489b2cd74368057fa00b5d218 • CWE-476: NULL Pointer Dereference •
CVE-2021-47541 – net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
https://notcve.org/view.php?id=CVE-2021-47541
In the Linux kernel, the following vulnerability has been resolved: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv(). After that mlx4_en_alloc_resources() is called and there is a dereference of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to a use after free problem on failure of mlx4_en_copy_priv(). Fix this bug by adding a check of mlx4_en_copy_priv() This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_MLX4_EN=m show no new warnings, and our static analyzer no longer warns about this code. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx4_en: corrige un error de use-after-free en mlx4_en_try_alloc_resources() En mlx4_en_try_alloc_resources(), se llama a mlx4_en_copy_priv() y se liberará tmp->tx_cq en la ruta del error de mlx4_en_copy_priv(). Después de eso, se llama a mlx4_en_alloc_resources() y hay una desreferencia de &tmp->tx_cq[t][i] en mlx4_en_alloc_resources(), lo que podría llevar a un problema de use-after-free si falla mlx4_en_copy_priv(). • https://git.kernel.org/stable/c/ec25bc04ed8e12947738468cbe2191f1529f9e39 https://git.kernel.org/stable/c/be12572c5ddc8ad7453bada4eec8fa46967dc757 https://git.kernel.org/stable/c/676dc7d9b15bf8733233a2db1ec3f9091ab34275 https://git.kernel.org/stable/c/e461a9816a1ac5b4aeb61621b817225b61e46a68 https://git.kernel.org/stable/c/f1d43efa59f1edd3e7eca0e94559b4c6b1cd4e2b https://git.kernel.org/stable/c/75917372eef0dbfb290ae45474314d35f97aea18 https://git.kernel.org/stable/c/addad7643142f500080417dd7272f49b7a185570 • CWE-416: Use After Free •
CVE-2021-47540 – mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode
https://notcve.org/view.php?id=CVE-2021-47540
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode Fix the following NULL pointer dereference in mt7915_get_phy_mode routine adding an ibss interface to the mt7915 driver. [ 101.137097] wlan0: Trigger new scan to find an IBSS to join [ 102.827039] wlan0: Creating new IBSS network, BSSID 26:a4:50:1a:6e:69 [ 103.064756] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 103.073670] Mem abort info: [ 103.076520] ESR = 0x96000005 [ 103.079614] EC = 0x25: DABT (current EL), IL = 32 bits [ 103.084934] SET = 0, FnV = 0 [ 103.088042] EA = 0, S1PTW = 0 [ 103.091215] Data abort info: [ 103.094104] ISV = 0, ISS = 0x00000005 [ 103.098041] CM = 0, WnR = 0 [ 103.101044] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000460b1000 [ 103.107565] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 103.116590] Internal error: Oops: 96000005 [#1] SMP [ 103.189066] CPU: 1 PID: 333 Comm: kworker/u4:3 Not tainted 5.10.75 #0 [ 103.195498] Hardware name: MediaTek MT7622 RFB1 board (DT) [ 103.201124] Workqueue: phy0 ieee80211_iface_work [mac80211] [ 103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--) [ 103.212705] pc : mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 103.218103] lr : mt7915_mcu_add_bss_info+0x11c/0x760 [mt7915e] [ 103.223927] sp : ffffffc011cdb9e0 [ 103.227235] x29: ffffffc011cdb9e0 x28: ffffff8006563098 [ 103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40 [ 103.237855] x25: 0000000000000001 x24: 000000000000011f [ 103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918 [ 103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58 [ 103.253785] x19: ffffff8006744400 x18: 0000000000000000 [ 103.259094] x17: 0000000000000000 x16: 0000000000000001 [ 103.264403] x15: 000899c3a2d9d2e4 x14: 000899bdc3c3a1c8 [ 103.269713] x13: 0000000000000000 x12: 0000000000000000 [ 103.275024] x11: ffffffc010e30c20 x10: 0000000000000000 [ 103.280333] x9 : 0000000000000050 x8 : ffffff8006567d88 [ 103.285642] x7 : ffffff8006563b5c x6 : ffffff8006563b44 [ 103.290952] x5 : 0000000000000002 x4 : 0000000000000001 [ 103.296262] x3 : 0000000000000001 x2 : 0000000000000001 [ 103.301572] x1 : 0000000000000000 x0 : 0000000000000011 [ 103.306882] Call trace: [ 103.309328] mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 103.314378] mt7915_bss_info_changed+0x198/0x200 [mt7915e] [ 103.319941] ieee80211_bss_info_change_notify+0x128/0x290 [mac80211] [ 103.326360] __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211] [ 103.332171] ieee80211_sta_create_ibss+0x8c/0x10c [mac80211] [ 103.337895] ieee80211_ibss_work+0x3dc/0x614 [mac80211] [ 103.343185] ieee80211_iface_work+0x388/0x3f0 [mac80211] [ 103.348495] process_one_work+0x288/0x690 [ 103.352499] worker_thread+0x70/0x464 [ 103.356157] kthread+0x144/0x150 [ 103.359380] ret_from_fork+0x10/0x18 [ 103.362952] Code: 394008c3 52800220 394000e4 7100007f (39400023) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mt76: mt7915: corrige la desreferencia del puntero NULL en mt7915_get_phy_mode. Corrija la siguiente desreferencia del puntero NULL en la rutina mt7915_get_phy_mode agregando una interfaz ibss al controlador mt7915. [ 101.137097] wlan0: activa una nueva exploración para encontrar un IBSS al que unirse [ 102.827039] wlan0: crea una nueva red IBSS, BSSID 26:a4:50:1a:6e:69 [ 103.064756] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000000 [ 103.073670] Información de cancelación de memoria: [ 103.076520] ESR = 0x96000005 [ 103.079614] EC = 0x25: DABT (EL actual), IL = 32 bits [ 103.084934] SET = 0, FnV = 0 [ 103.088042] EA = 0, 1PTW = 0 [ 103.091215] Información de cancelación de datos: [ 103.094104] ISV = 0, ISS = 0x00000005 [ 103.098041] CM = 0, WnR = 0 [ 103.101044] tabla de páginas de usuario: páginas de 4k, VA de 39 bits, pgdp=00000000460 b1000 [ 103.107565 ] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [103.116590] Error interno: Ups: 96000005 [#1] SMP [103.189066] CPU: 1 PID: 333 Comunicaciones: kworker/u4:3 No contaminado 5.10.75 #0 [ 103.195498 ] Nombre del hardware: Placa MediaTek MT7622 RFB1 (DT) [103.201124] Cola de trabajo: phy0 ieee80211_iface_work [mac80211] [103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--) [103.212705] pc: t7915_get_phy_mode+0x68/ 0x120 [MT7915E] [103.218103] LR: MT7915_MCU_ADD_BSS_INFO+0X11C/0X760 [MT7915E] [103.223927] SP: FFFFFFFC011CDB9E0 [103.222235] x29: F8006563098 [103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40 [103.237855] x25: 000000000000000001 x24: 000000000000011f [ 103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918 [ 103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58 [ 103.253785] x19: 44400 x18: 0000000000000000 [ 103.259094] x17: 0000000000000000 x16: 0000000000000001 [ 103.264403] x15: 000899c3a2d9d2e4 x14: 99bdc3c3a1c8 [103.269713] x13: 0000000000000000 x12: 0000000000000000 [ 103.275024] x11: ffffffc010e30c20 x10: 0000000000000000 [ 103.280333] x9 : 0000000000000050 x8: ffffff8006567d88 [103.285642] x7: ffffff8006563b5c x6: ffffff8006563b44 [103.290952] x5: 00000000000000002 x4: 0000000000000001 [ 103.2 96262] x3: 0000000000000001 x2: 0000000000000001 [ 103.301572] x1: 0000000000000000 x0: 0000000000000011 [103.306882] Rastreo de llamadas: [103.309328] mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 378] mt7915_bss_info_changed+0x198/0x200 [mt7915e] [ 103.319941] ieee80211_bss_info_change_notify+0x128/0x290 [mac80211] [ 103.326360] __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211] [ 103.332171] ieee80211_sta_create_ibss+0x8c/0x10c [mac80211] [ 103.337895] 614 [mac80211] [ 103.343185] ieee80211_iface_work+0x388/0x3f0 [mac80211] [ 103.348495] Process_one_work+0x288/0x690 [ 103.352499] work_thread+0x70/0x464 [ 103.356157] kthread+0x144/0x150 [ 103.359380] ret_from_fork+0x10/0x18 [ 103.362952] Código: 394008c3 52800220 00e4 7100007f (39400023) • https://git.kernel.org/stable/c/37f4ca907c462d7c8a1ac9e7e3473681b5f893dd https://git.kernel.org/stable/c/932b338f4e5c4cb0c2ed640da3bced1e63620198 https://git.kernel.org/stable/c/14b03b8cebdf18ff13c39d58501b625411314de2 https://git.kernel.org/stable/c/6e53d6d26920d5221d3f4d4f5ffdd629ea69aa5c • CWE-476: NULL Pointer Dereference •
CVE-2021-47539 – rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle()
https://notcve.org/view.php?id=CVE-2021-47539
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle() Need to call rxrpc_put_peer() for bundle candidate before kfree() as it holds a ref to rxrpc_peer. [DH: v2: Changed to abstract out the bundle freeing code into a function] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: rxrpc: corrige la fuga de rxrpc_peer en rxrpc_look_up_bundle() Es necesario llamar a rxrpc_put_peer() para el paquete candidato antes de kfree(), ya que contiene una referencia a rxrpc_peer. [DH: v2: modificado para abstraer el código de liberación del paquete en una función] • https://git.kernel.org/stable/c/245500d853e9f20036cec7df4f6984ece4c6bf26 https://git.kernel.org/stable/c/35b40f724c4ef0f683d94dab3af9ab38261d782b https://git.kernel.org/stable/c/bc97458620e38961af9505cc060ad4cf5c9e4af7 https://git.kernel.org/stable/c/ca77fba821351190777b236ce749d7c4d353102e •
CVE-2021-47538 – rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
https://notcve.org/view.php?id=CVE-2021-47538
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() Need to call rxrpc_put_local() for peer candidate before kfree() as it holds a ref to rxrpc_local. [DH: v2: Changed to abstract the peer freeing code out into a function] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: rxrpc: corrigió la fuga de rxrpc_local en rxrpc_lookup_peer() Es necesario llamar a rxrpc_put_local() para el candidato par antes de kfree(), ya que contiene una referencia a rxrpc_local. [DH: v2: modificado para abstraer el código de liberación del par en una función] • https://git.kernel.org/stable/c/e8e51ce79c157188e209e5ea0afaf6b42dd76104 https://git.kernel.org/stable/c/9ebeddef58c41bd700419cdcece24cf64ce32276 https://git.kernel.org/stable/c/9b7fc03b4cdbfb668b6891967105258691c6d3b5 https://git.kernel.org/stable/c/913c24af2d13a3fd304462916ee98e298d56bdce https://git.kernel.org/stable/c/3e70e3a72d80b16094faccbe438cd53761c3503a https://git.kernel.org/stable/c/60f0b9c42cb80833a03ca57c1c8b078d716e71d1 https://git.kernel.org/stable/c/9469273e616ca8f1b6e3773c5019f21b4c8d828c https://git.kernel.org/stable/c/beacff50edbd6c9659a6f15fc7f612690 •