CVE-2021-47168 – NFS: fix an incorrect limit in filelayout_decode_layout()
https://notcve.org/view.php?id=CVE-2021-47168
In the Linux kernel, the following vulnerability has been resolved: NFS: fix an incorrect limit in filelayout_decode_layout() The "sizeof(struct nfs_fh)" is two bytes too large and could lead to memory corruption. It should be NFS_MAXFHSIZE because that's the size of the ->data[] buffer. I reversed the size of the arguments to put the variable on the left. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFS: corrige un límite incorrecto en filelayout_decode_layout() El "sizeof(struct nfs_fh)" es dos bytes demasiado grande y podría provocar daños en la memoria. Debería ser NFS_MAXFHSIZE porque ese es el tamaño del búfer ->datos[]. Invertí el tamaño de los argumentos para poner la variable a la izquierda. • https://git.kernel.org/stable/c/16b374ca439fb406e46e071f75428f5b033056f8 https://git.kernel.org/stable/c/9d280ab53df1d4a1043bd7a9e7c6a2f9cfbfe040 https://git.kernel.org/stable/c/b287521e9e94bb342ebe5fd8c3fd7db9aef4e6f1 https://git.kernel.org/stable/c/f299522eda1566cbfbae4b15c82970fc41b03714 https://git.kernel.org/stable/c/945ebef997227ca8c20bad7f8a8358c8ee57a84a https://git.kernel.org/stable/c/e411df81cd862ef3d5b878120b2a2fef0ca9cdb1 https://git.kernel.org/stable/c/9b367fe770b1b80d7bf64ed0d177544a44405f6e https://git.kernel.org/stable/c/d34fb628f6ef522f996205a9e578216bb •
CVE-2021-47167 – NFS: Fix an Oopsable condition in __nfs_pageio_add_request()
https://notcve.org/view.php?id=CVE-2021-47167
In the Linux kernel, the following vulnerability has been resolved: NFS: Fix an Oopsable condition in __nfs_pageio_add_request() Ensure that nfs_pageio_error_cleanup() resets the mirror array contents, so that the structure reflects the fact that it is now empty. Also change the test in nfs_pageio_do_add_request() to be more robust by checking whether or not the list is empty rather than relying on the value of pg_count. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFS: corrija una condición de Oopsable en __nfs_pageio_add_request() Asegúrese de que nfs_pageio_error_cleanup() restablezca el contenido de la matriz reflejada, de modo que la estructura refleje el hecho de que ahora está vacía. También cambie la prueba en nfs_pageio_do_add_request() para que sea más sólida verificando si la lista está vacía o no en lugar de confiar en el valor de pg_count. • https://git.kernel.org/stable/c/a7d42ddb3099727f58366fa006f850a219cce6c8 https://git.kernel.org/stable/c/1fc5f4eb9d31268ac3ce152d74ad5501ad24ca3e https://git.kernel.org/stable/c/ee21cd3aa8548e0cbc8c67a80b62113aedd2d101 https://git.kernel.org/stable/c/15ac6f14787649e8ebd75c142e2c5d2a243c8490 https://git.kernel.org/stable/c/56517ab958b7c11030e626250c00b9b1a24b41eb •
CVE-2021-47166 – NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
https://notcve.org/view.php?id=CVE-2021-47166
In the Linux kernel, the following vulnerability has been resolved: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce() The value of mirror->pg_bytes_written should only be updated after a successful attempt to flush out the requests on the list. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFS: no corrompa el valor de pg_bytes_writing en nfs_do_recoalesce() El valor de mirror->pg_bytes_write solo debe actualizarse después de un intento exitoso de eliminar las solicitudes de la lista. • https://git.kernel.org/stable/c/a7d42ddb3099727f58366fa006f850a219cce6c8 https://git.kernel.org/stable/c/e8b8418ce14ae66ee55179901edd12191ab06a9e https://git.kernel.org/stable/c/b291baae24f876acd5a5dd57d0bb2bbac8a68b0c https://git.kernel.org/stable/c/c757c1f1e65d89429db1409429436cf40d47c008 https://git.kernel.org/stable/c/40f139a6d50c232c0d1fd1c5e65a845c62db0ede https://git.kernel.org/stable/c/785917316b25685c9b3a2a88f933139f2de75e33 https://git.kernel.org/stable/c/7087db95c0a06ab201b8ebfac6a7ec1e34257997 https://git.kernel.org/stable/c/2fe1cac336b55a1f79e603e9ce3552c36 •
CVE-2021-47163 – tipc: wait and exit until all work queues are done
https://notcve.org/view.php?id=CVE-2021-47163
In the Linux kernel, the following vulnerability has been resolved: tipc: wait and exit until all work queues are done On some host, a crash could be triggered simply by repeating these commands several times: # modprobe tipc # tipc bearer enable media udp name UDP1 localip 127.0.0.1 # rmmod tipc [] BUG: unable to handle kernel paging request at ffffffffc096bb00 [] Workqueue: events 0xffffffffc096bb00 [] Call Trace: [] ? process_one_work+0x1a7/0x360 [] ? worker_thread+0x30/0x390 [] ? create_worker+0x1a0/0x1a0 [] ? kthread+0x116/0x130 [] ? • https://git.kernel.org/stable/c/d0f91938bede204a343473792529e0db7d599836 https://git.kernel.org/stable/c/d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa https://git.kernel.org/stable/c/5195ec5e365a2a9331bfeb585b613a6e94f98dba https://git.kernel.org/stable/c/b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d https://git.kernel.org/stable/c/04c26faa51d1e2fe71cf13c45791f5174c37f986 •
CVE-2021-47162 – tipc: skb_linearize the head skb when reassembling msgs
https://notcve.org/view.php?id=CVE-2021-47162
In the Linux kernel, the following vulnerability has been resolved: tipc: skb_linearize the head skb when reassembling msgs It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as this skb was created by pskb_copy() where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs. However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use after free crashes as this appended frag skb are seen by multiple skbs but it only got skb_get called once. The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb. Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices: [] kernel BUG at net/core/skbuff.c:1970! [] Call Trace: [] skb_clone+0x4d/0xb0 [] macvlan_broadcast+0xd8/0x160 [macvlan] [] macvlan_process_broadcast+0x148/0x150 [macvlan] [] process_one_work+0x1a7/0x360 [] worker_thread+0x30/0x390 [] kernel BUG at mm/usercopy.c:102! [] Call Trace: [] __check_heap_object+0xd3/0x100 [] __check_object_size+0xff/0x16b [] simple_copy_to_iter+0x1c/0x30 [] __skb_datagram_iter+0x7d/0x310 [] __skb_datagram_iter+0x2a5/0x310 [] skb_copy_datagram_iter+0x3b/0x90 [] tipc_recvmsg+0x14a/0x3a0 [tipc] [] ____sys_recvmsg+0x91/0x150 [] ___sys_recvmsg+0x7b/0xc0 [] kernel BUG at mm/slub.c:305! • https://git.kernel.org/stable/c/45c8b7b175ceb2d542e0fe15247377bf3bce29ec https://git.kernel.org/stable/c/d45ed6c1ff20d3640a31f03816ca2d48fb7d6f22 https://git.kernel.org/stable/c/c19282fd54a19e4651a4e67836cd842082546677 https://git.kernel.org/stable/c/b2c8d28c34b3070407cb1741f9ba3f15d0284b8b https://git.kernel.org/stable/c/5489f30bb78ff0dafb4229a69632afc2ba20765c https://git.kernel.org/stable/c/436d650d374329a591c30339a91fa5078052ed1e https://git.kernel.org/stable/c/4b1761898861117c97066aea6c58f68a7787f0bf https://git.kernel.org/stable/c/64d17ec9f1ded042c4b188d15734f3348 •