CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47296 – KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak
https://notcve.org/view.php?id=CVE-2021-47296
In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak vcpu_put is not called if the user copy fails. This can result in preempt notifier corruption and crashes, among other issues. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: PPC: corrección de fuga de kvm_arch_vcpu_ioctl vcpu_load. No se llama a vcpu_put si falla la copia del usuario. Esto puede provocar daños y bloqueos del notificador preventivo, entre otros problemas. • https://git.kernel.org/stable/c/b3cebfe8c1cadf1817939dcc3688a2504a69c662 https://git.kernel.org/stable/c/9bafc34dc4ad0cef18727c557f21ed3c3304df50 https://git.kernel.org/stable/c/f38527f1890543cdfca8dfd06f75f9887cce6151 https://git.kernel.org/stable/c/e14ef1095387f764d95614d3ec9e4d07c82a3533 https://git.kernel.org/stable/c/a4a488915feaad38345cc01b80d52e8200ff5209 https://git.kernel.org/stable/c/bc4188a2f56e821ea057aca6bf444e138d06c252 •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47295 – net: sched: fix memory leak in tcindex_partial_destroy_work
https://notcve.org/view.php?id=CVE-2021-47295
In the Linux kernel, the following vulnerability has been resolved: net: sched: fix memory leak in tcindex_partial_destroy_work Syzbot reported memory leak in tcindex_set_parms(). The problem was in non-freed perfect hash in tcindex_partial_destroy_work(). In tcindex_set_parms() new tcindex_data is allocated and some fields from old one are copied to new one, but not the perfect hash. Since tcindex_partial_destroy_work() is the destroy function for old tcindex_data, we need to free perfect hash to avoid memory leak. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: sched: corrige la pérdida de memoria en tcindex_partial_destroy_work Syzbot informó una pérdida de memoria en tcindex_set_parms(). El problema estaba en el hash perfecto no liberado en tcindex_partial_destroy_work(). • https://git.kernel.org/stable/c/331b72922c5f58d48fd5500acadc91777cc31970 https://git.kernel.org/stable/c/8d7924ce85bae64e7a67c366c7c50840f49f3a62 https://git.kernel.org/stable/c/8e9662fde6d63c78eb1350f6167f64c9d71a865b https://git.kernel.org/stable/c/cac71d27745f92ee13f0ecc668ffe151a4a9c9b1 https://git.kernel.org/stable/c/f5051bcece50140abd1a11a2d36dc3ec5484fc32 • CWE-400: Uncontrolled Resource Consumption •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2021-47294 – netrom: Decrease sock refcount when sock timers expire
https://notcve.org/view.php?id=CVE-2021-47294
In the Linux kernel, the following vulnerability has been resolved: netrom: Decrease sock refcount when sock timers expire Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use sock timer API. It replaces mod_timer() by sk_reset_timer(), and del_timer() by sk_stop_timer(). Function sk_reset_timer() will increase the refcount of sock if it is called on an inactive timer, hence, in case the timer expires, we need to decrease the refcount ourselves in the handler, otherwise, the sock refcount will be unbalanced and the sock will never be freed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netrom: Disminuir el recuento de sock cuando caducan los temporizadores de sock. La confirmación 63346650c1a9 ("netrom: cambiar a API de temporizador de sock") cambió para usar la API de temporizador de sock. Reemplaza mod_timer() por sk_reset_timer() y del_timer() por sk_stop_timer(). • https://git.kernel.org/stable/c/ce29e8a259de767f7210d346ad2b031cb8ab2732 https://git.kernel.org/stable/c/baa9e32336bf6d0d74a7c3486d2a27feaf57cd5f https://git.kernel.org/stable/c/0adf571fa34b27bd0b97b408cc0f0dc54b72f0eb https://git.kernel.org/stable/c/2c6b572458a9127e8070df13fa7f115c29ab1d92 https://git.kernel.org/stable/c/63346650c1a94a92be61a57416ac88c0a47c4327 https://git.kernel.org/stable/c/f1d9a1f2ef6ff17293d21d5e6b80e04bea0cf508 https://git.kernel.org/stable/c/519e8a22a454b1f1baa3a151b184fe51bc18e178 https://git.kernel.org/stable/c/853262355518cd1247515b74e83fabf03 •
CVSS: 4.2EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47293 – net/sched: act_skbmod: Skip non-Ethernet packets
https://notcve.org/view.php?id=CVE-2021-47293
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbmod: Skip non-Ethernet packets Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2 protocol, which is not always the case. As an example, for CAN devices: $ ip link add dev vcan0 type vcan $ ip link set up vcan0 $ tc qdisc add dev vcan0 root handle 1: htb $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \ matchall action skbmod swap mac Doing the above silently corrupts all the packets. Do not perform skbmod actions for non-Ethernet packets. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: act_skbmod: omitir paquetes que no sean Ethernet. Actualmente, tcf_skbmod_act() asume que los paquetes usan Ethernet como protocolo L2, lo cual no siempre es el caso. • https://git.kernel.org/stable/c/86da71b57383d40993cb90baafb3735cffe5d800 https://git.kernel.org/stable/c/e4fdca366806f6bab374d1a95e626a10a3854b0c https://git.kernel.org/stable/c/a88414fb1117f2fe65fb88e45ba694e1d09d5024 https://git.kernel.org/stable/c/071729150be9e1d1b851b70efb6d91ee9269d57b https://git.kernel.org/stable/c/34f1e1f657fae2891b485a3b2b95fe4d2aef9f0d https://git.kernel.org/stable/c/727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 https://access.redhat.com/security/cve/CVE-2021-47293 https://bugzilla.redhat.com/show_bug.cgi?id=2282504 • CWE-20: Improper Input Validation •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47292 – io_uring: fix memleak in io_init_wq_offload()
https://notcve.org/view.php?id=CVE-2021-47292
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memleak in io_init_wq_offload() I got memory leak report when doing fuzz test: BUG: memory leak unreferenced object 0xffff888107310a80 (size 96): comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [<000000001974933b>] kmalloc include/linux/slab.h:591 [inline] [<000000001974933b>] kzalloc include/linux/slab.h:721 [inline] [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline] [<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955 [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline] [<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline] [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline] [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 [<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 [<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae CPU0 CPU1 io_uring_enter io_uring_enter io_uring_add_tctx_node io_uring_add_tctx_node __io_uring_add_tctx_node __io_uring_add_tctx_node io_uring_alloc_task_context io_uring_alloc_task_context io_init_wq_offload io_init_wq_offload hash = kzalloc hash = kzalloc ctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked When calling io_uring_enter() in parallel, the 'hash_map' will be leaked, add uring_lock to protect 'hash_map'. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: io_uring: corrige memleak en io_init_wq_offload(). Recibí un informe de pérdida de memoria al realizar la prueba fuzz: BUG: pérdida de memoria objeto sin referencia 0xffff888107310a80 (tamaño 96): comm "syz-executor.6" , pid 4610, sjiffies 4295140240 (edad 20,135 s) volcado hexadecimal (primeros 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................. 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [<000000001974933b>] kmalloc include/linux/slab.h:591 [en línea] [<000000001974933b>] kzalloc include/linux/slab.h:721 [en línea] [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [en línea] [<000000001974933b>] _context+0x466/0x640 fs/io_uring .c:7955 [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [en línea] 0000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [en línea] [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [en línea] [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 [<00000000b 875f18f>] do_syscall_x64 arch/x86/entry/common. c:50 [en línea] [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 [<000000006b0a8484>] Entry_SYSCALL_64_after_hwframe+0x44/0xae CPU0 CPU1 io_uring_enter io_uring_enter io_uring_add_tctx_node io_uring_add_tctx_node __io_uring_add_tctx_node __io_uring_add_tctx_node io_uring_alloc_task_context io_uring_alloc_task_context io_init_wq_offload io_init_wq_offload hash = kzalloc hash = kzalloc ctx->hash_map = hash ctx->hash_map = hash <- uno de los hash se filtra Al llamar a io_uring_enter() en paralelo, se filtrará el 'hash_map', agregue uring_lock para proteger 'hash_map'. • https://git.kernel.org/stable/c/e941894eae31b52f0fd9bdb3ce20620afa152f45 https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24 •