
CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential deadlock when releasing mids

All release_mid() callers seem to hold a reference of @mid so there is no need to call kref_put(&mid->refcount, __release_mid) under @server->mid_lock spinlock. If they don't, then a use-after-free bug would have occurred anyways.

Getting rid of such spinlock also fixes a potential deadlock as shown below:

        CPU 0                           CPU 1
 ------------------------------------------------------------------
 cifs_demultiplex_thread()      cifs_debug_data_proc_show()
  release_mid()
   spin_lock(&server->mid_lock);
                                 spin_lock(&cifs_tcp_ses_lock)
                                  spin_lock(&server->mid_lock)
   __release_mid()
    smb2_find_smb_tcon()
     spin_lock(&cifs_tcp_ses_lock) *deadlock*

• https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29
• https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf
• https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26
• https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7
• https://access.redhat.com/security/cve/CVE-2023-52757
• https://bugzilla.redhat.com/show_bug.cgi?id=2282641
• CWE-833: Deadlock

CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

media: imon: fix access to invalid resource for the second interface

imon driver probes two USB interfaces, and at the probe of the second interface, the driver assumes blindly that the first interface got bound with the same imon driver. It's usually true, but it's still possible that the first interface is bound with another driver via a malformed descriptor. Then it may lead to a memory corruption, as spotted by syzkaller; imon driver accesses the data from drvdata as struct imon_context object although it's a completely different one that was assigned by another driver.

This patch adds a sanity check -- whether the first interface is really bound with the imon driver or not -- for avoiding the problem above at the probe time.

• https://git.kernel.org/stable/c/0f5068519f89d928d6c51100e4b274479123829f
• https://git.kernel.org/stable/c/5e0b788fb96be36d1baf1a5c88d09c7c82a0452a
• https://git.kernel.org/stable/c/b083aaf5db2eeca9e362723258e5d8698f7dd84e
• https://git.kernel.org/stable/c/10ec5a97f8f5a772a1a42b4eb27196b447cd3aa9
• https://git.kernel.org/stable/c/2a493a34bd6e496c55fabedd82b957193ace178f
• https://git.kernel.org/stable/c/a1766a4fd83befa0b34d932d532e7ebb7fab1fa7

CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid NULL dereference of timing generator

[Why & How]
Check whether assigned timing generator is NULL or not before accessing its funcs to prevent NULL dereference.

• https://git.kernel.org/stable/c/09909f515032fa80b921fd3118efe66b185d10fd
• https://git.kernel.org/stable/c/eac3e4760aa12159f7f5475d55a67b7933abc195
• https://git.kernel.org/stable/c/79b6a90f4f2433312154cd68452b0ba501fa74db
• https://git.kernel.org/stable/c/4e497f1acd99075b13605b2e7fa0cba721a2cfd9
• https://git.kernel.org/stable/c/8a06894666e0b462c9316b26ab615cefdd0d676c
• https://git.kernel.org/stable/c/6d8653b1a7a8dc938b566ae8c4f373b36e792c68
• https://git.kernel.org/stable/c/df8bc953eed72371e43ca407bd063507f760cf89
• https://git.kernel.org/stable/c/b1904ed480cee3f9f4036ea0e36d139cb
• CWE-476: NULL Pointer Dereference

CVSS: 8.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

Skip SMB sessions that are being torn down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses.

This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting:

  [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [ 816.260138] Call Trace:
  [ 816.260329] <TASK>
  [ 816.260499] ? die_addr+0x36/0x90
  [ 816.260762] ? exc_general_protection+0x1b3/0x410
  [ 816.261126] ? asm_exc_general_protection+0x26/0x30
  [ 816.261502] ?

• https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7
• https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09
• https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a
• https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62
• CWE-416: Use After Free

CVSS: 7.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free in smb2_query_info_compound()

The following UAF was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm':

  BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]
  Read of size 8 at addr ffff888014941048 by task xfs_io/27534

  CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
  Call Trace:
   dump_stack_lvl+0x4a/0x80
   print_report+0xcf/0x650
   ? srso_alias_return_thunk+0x5/0x7f
   ? srso_alias_return_thunk+0x5/0x7f
   ? __phys_addr+0x46/0x90
   kasan_report+0xda/0x110
   ? smb2_query_info_compound+0x423/0x6d0 [cifs]
   ?

• https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9
• https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f
• https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b
• https://access.redhat.com/security/cve/CVE-2023-52751
• https://bugzilla.redhat.com/show_bug.cgi?id=2282748
• CWE-416: Use After Free