CVE-2021-47535 – drm/msm/a6xx: Allocate enough space for GMU registers
https://notcve.org/view.php?id=CVE-2021-47535
In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Allocate enough space for GMU registers In commit 142639a52a01 ("drm/msm/a6xx: fix crashstate capture for A650") we changed a6xx_get_gmu_registers() to read 3 sets of registers. Unfortunately, we didn't change the memory allocation for the array. That leads to a KASAN warning (this was on the chromeos-5.4 kernel, which has the problematic commit backported to it): BUG: KASAN: slab-out-of-bounds in _a6xx_get_gmu_registers+0x144/0x430 Write of size 8 at addr ffffff80c89432b0 by task A618-worker/209 CPU: 5 PID: 209 Comm: A618-worker Tainted: G W 5.4.156-lockdep #22 Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT) Call trace: dump_backtrace+0x0/0x248 show_stack+0x20/0x2c dump_stack+0x128/0x1ec print_address_description+0x88/0x4a0 __kasan_report+0xfc/0x120 kasan_report+0x10/0x18 __asan_report_store8_noabort+0x1c/0x24 _a6xx_get_gmu_registers+0x144/0x430 a6xx_gpu_state_get+0x330/0x25d4 msm_gpu_crashstate_capture+0xa0/0x84c recover_worker+0x328/0x838 kthread_worker_fn+0x32c/0x574 kthread+0x2dc/0x39c ret_from_fork+0x10/0x18 Allocated by task 209: __kasan_kmalloc+0xfc/0x1c4 kasan_kmalloc+0xc/0x14 kmem_cache_alloc_trace+0x1f0/0x2a0 a6xx_gpu_state_get+0x164/0x25d4 msm_gpu_crashstate_capture+0xa0/0x84c recover_worker+0x328/0x838 kthread_worker_fn+0x32c/0x574 kthread+0x2dc/0x39c ret_from_fork+0x10/0x18 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/msm/a6xx: asigne suficiente espacio para los registros GMU. En el commit 142639a52a01 ("drm/msm/a6xx: corrija la captura del estado de falla para A650") cambiamos a6xx_get_gmu_registers() para que diga 3 conjuntos de registros. Desafortunadamente, no cambiamos la asignación de memoria para la matriz. • https://git.kernel.org/stable/c/142639a52a01e90c512a9a8d2156997e02a65b53 https://git.kernel.org/stable/c/d646856a600e8635ba498f20b194219b158626e8 https://git.kernel.org/stable/c/83e54fcf0b14ca2d869dd37abe1bb6542805f538 https://git.kernel.org/stable/c/b4d25abf9720b69a03465b09d0d62d1998ed6708 • CWE-787: Out-of-bounds Write •
CVE-2021-47527 – serial: core: fix transmit-buffer reset and memleak
https://notcve.org/view.php?id=CVE-2021-47527
In the Linux kernel, the following vulnerability has been resolved: serial: core: fix transmit-buffer reset and memleak Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") converted serial core to use tty_port_close() but failed to notice that the transmit buffer still needs to be freed on final close. Not freeing the transmit buffer means that the buffer is no longer cleared on next open so that any ioctl() waiting for the buffer to drain might wait indefinitely (e.g. on termios changes) or that stale data can end up being transmitted in case tx is restarted. Furthermore, the buffer of any port that has been opened would leak on driver unbind. Note that the port lock is held when clearing the buffer pointer due to the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race between uart_put_char() and uart_shutdown()"). Also note that the tty-port shutdown() callback is not called for console ports so it is not strictly necessary to free the buffer page after releasing the lock (cf. d72402145ace ("tty/serial: do not free trasnmit buffer page under port lock")). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: serial: core: fix transmit-buffer reset y memleak commit 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") núcleo serial convertido para usar tty_port_close() pero no se dio cuenta que el búfer de transmisión todavía necesita ser liberado en el cierre final. No liberar el búfer de transmisión significa que el búfer ya no se borra en la próxima apertura, por lo que cualquier ioctl() que espere a que se drene el búfer podría esperar indefinidamente (por ejemplo, en cambios de termios) o que los datos obsoletos pueden terminar transmitiéndose en caso de que tx sea reiniciado. Además, el búfer de cualquier puerto que se haya abierto se filtraría al desvincular el controlador. Tenga en cuenta que el bloqueo del puerto se mantiene al borrar el puntero del búfer debido a la ejecución de ldisc solucionada mediante el commit a5ba1d95e46e ("uart: corrige la ejecución entre uart_put_char() y uart_shutdown()"). • https://git.kernel.org/stable/c/761ed4a94582ab291aa24dcbea4e01e8936488c8 https://git.kernel.org/stable/c/011f6c92b5bf6e1fbfdedc8b5232f64c1c493206 https://git.kernel.org/stable/c/e74d9663fd57640fc3394abb5c76fa95b9cc2f2e https://git.kernel.org/stable/c/1179b168fa3f3a6aae3bd140000455a0e58457db https://git.kernel.org/stable/c/c5da8aa441053958594f94254592bb41264bdfbf https://git.kernel.org/stable/c/e1722acf4f0d4d67b60f57e08ce16f8b66cd4b8f https://git.kernel.org/stable/c/64e491c1634b73d3bddc081d08620bdc92ab2c12 https://git.kernel.org/stable/c/00de977f9e0aa9760d9a79d1e41ff780f • CWE-400: Uncontrolled Resource Consumption •
CVE-2021-47526 – serial: liteuart: Fix NULL pointer dereference in ->remove()
https://notcve.org/view.php?id=CVE-2021-47526
In the Linux kernel, the following vulnerability has been resolved: serial: liteuart: Fix NULL pointer dereference in ->remove() drvdata has to be set in _probe() - otherwise platform_get_drvdata() causes null pointer dereference BUG in _remove(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: liteuart: se corrige la desreferencia del puntero NULL en ->remove() drvdata debe configurarse en _probe(); de lo contrario, platform_get_drvdata() provoca un ERROR de desreferencia del puntero nulo en _remove(). • https://git.kernel.org/stable/c/1da81e5562fac8286567422cc56a7fbd0dc646d4 https://git.kernel.org/stable/c/189c99c629bbf85916c02c153f904649cc0a9d7f https://git.kernel.org/stable/c/0f55f89d98c8b3e12b4f55f71c127a173e29557c • CWE-476: NULL Pointer Dereference •
CVE-2021-47525 – serial: liteuart: fix use-after-free and memleak on unbind
https://notcve.org/view.php?id=CVE-2021-47525
In the Linux kernel, the following vulnerability has been resolved: serial: liteuart: fix use-after-free and memleak on unbind Deregister the port when unbinding the driver to prevent it from being used after releasing the driver data and leaking memory allocated by serial core. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: liteuart: corrige use-after-free y memleak al desvincular. Cancelar el registro del puerto al desvincular el controlador para evitar que se use después de liberar los datos del controlador y pérdida de memoria asignada por el núcleo serie. • https://git.kernel.org/stable/c/1da81e5562fac8286567422cc56a7fbd0dc646d4 https://git.kernel.org/stable/c/602824cf9aa9db8830ffe5cfb2cd54365cada4fe https://git.kernel.org/stable/c/05f929b395dec8957b636ff14e66b277ed022ed9 • CWE-416: Use After Free •
CVE-2021-47524 – serial: liteuart: fix minor-number leak on probe errors
https://notcve.org/view.php?id=CVE-2021-47524
In the Linux kernel, the following vulnerability has been resolved: serial: liteuart: fix minor-number leak on probe errors Make sure to release the allocated minor number before returning on probe errors. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: serial: liteuart: corrige la fuga de números menores en errores de sonda. Asegúrese de liberar el número menor asignado antes de regresar por errores de sonda. • https://git.kernel.org/stable/c/1da81e5562fac8286567422cc56a7fbd0dc646d4 https://git.kernel.org/stable/c/888fc81107cacd2a4f681bac7bb785cef868214f https://git.kernel.org/stable/c/dd5e90b16cca8a697cbe17b72e2a5f49291cabb2 •