CVE-2021-47476 – comedi: ni_usb6501: fix NULL-deref in command paths
https://notcve.org/view.php?id=CVE-2021-47476
In the Linux kernel, the following vulnerability has been resolved: comedi: ni_usb6501: fix NULL-deref in command paths The driver uses endpoint-sized USB transfer buffers but had no sanity checks on the sizes. This can lead to zero-size-pointer dereferences or overflowed transfer buffers in ni6501_port_command() and ni6501_counter_command() if a (malicious) device has smaller max-packet sizes than expected (or when doing descriptor fuzz testing). Add the missing sanity checks to probe(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: ni_usb6501: corrige NULL-deref en las rutas de comando El controlador usa búferes de transferencia USB del tamaño de un terminal, pero no tuvo controles de cordura en los tamaños. Esto puede provocar desreferencias de puntero de tamaño cero o búferes de transferencia desbordados en ni6501_port_command() y ni6501_counter_command() si un dispositivo (malicioso) tiene tamaños máximos de paquetes más pequeños de lo esperado (o cuando se realizan pruebas de descriptor difuso). Agregue las comprobaciones de cordura que faltan a probe(). • https://git.kernel.org/stable/c/a03bb00e50ab4c07107da58a52a0bff7943f360c https://git.kernel.org/stable/c/58478143771b20ab219937b1c30a706590a59224 https://git.kernel.org/stable/c/aa39738423503825625853b643b9e99d11c23816 https://git.kernel.org/stable/c/df7b1238f3b599a0b9284249772cdfd1ea83a632 https://git.kernel.org/stable/c/bc51111bf6e8e7b6cc94b133e4c291273a16acd1 https://git.kernel.org/stable/c/b0156b7c9649d8f55a2ce3d3258509f1b2a181c3 https://git.kernel.org/stable/c/ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1 https://git.kernel.org/stable/c/4a9d43cb5d5f39fa39fc1da438517004c • CWE-476: NULL Pointer Dereference •
CVE-2021-47475 – comedi: vmk80xx: fix transfer-buffer overflows
https://notcve.org/view.php?id=CVE-2021-47475
In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix transfer-buffer overflows The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes. Commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize of usb endpoints found") inadvertently fixed NULL-pointer dereferences when accessing the transfer buffers in case a malicious device has a zero wMaxPacketSize. Make sure to allocate buffers large enough to handle also the other accesses that are done without a size check (e.g. byte 18 in vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond the buffers, for example, when doing descriptor fuzzing. The original driver was for a low-speed device with 8-byte buffers. Support was later added for a device that uses bulk transfers and is presumably a full-speed device with a maximum 64-byte wMaxPacketSize. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige desbordamientos del búfer de transferencia El controlador utiliza búferes de transferencia USB del tamaño de un terminal, pero hasta hace poco no tenía controles de cordura sobre los tamaños. el commit e1f13c879a7c ("staging: comedi: verificar la validez de wMaxPacketSize de los endpoints USB encontrados") corrigió inadvertidamente las desreferencias de puntero NULL al acceder a los buffers de transferencia en caso de que un dispositivo malicioso tenga un wMaxPacketSize cero. Asegúrese de asignar buffers lo suficientemente grandes para manejar también los otros accesos que se realizan sin una verificación de tamaño (por ejemplo, el byte 18 en vmk80xx_cnt_insn_read() para VMK8061_MODEL) para evitar escribir más allá de los buffers, por ejemplo, cuando se realiza una confusión de descriptores. El controlador original era para un dispositivo de baja velocidad con buffers de 8 bytes. Posteriormente se agregó soporte para un dispositivo que utiliza transferencias masivas y presumiblemente es un dispositivo de velocidad completa con un wMaxPacketSize máximo de 64 bytes. • https://git.kernel.org/stable/c/985cafccbf9b7f862aa1c5ee566801e18b5161fb https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7 https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088 https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9 https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00 https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a •
CVE-2021-47474 – comedi: vmk80xx: fix bulk-buffer overflow
https://notcve.org/view.php?id=CVE-2021-47474
In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix bulk-buffer overflow The driver is using endpoint-sized buffers but must not assume that the tx and rx buffers are of equal size or a malicious device could overflow the slab-allocated receive buffer when doing bulk transfers. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige el desbordamiento masivo del búfer El controlador utiliza búferes del tamaño de un endpoint, pero no debe asumir que los búferes tx y rx son del mismo tamaño o un dispositivo malicioso podría desbordar el búfer de recepción asignado por losa al realizar transferencias masivas. • https://git.kernel.org/stable/c/985cafccbf9b7f862aa1c5ee566801e18b5161fb https://git.kernel.org/stable/c/e0e6a63fd97ad95fe05dfd77268a1952551e11a7 https://git.kernel.org/stable/c/7cfb35db607760698d299fd1cf7402dfa8f09973 https://git.kernel.org/stable/c/0866dcaa828c21bc2f94dac00e086078f11b5772 https://git.kernel.org/stable/c/063f576c43d589a4c153554b681d32b3f8317c7b https://git.kernel.org/stable/c/1ae4715121a57bc6fa29fd992127b01907f2f993 https://git.kernel.org/stable/c/b7fd7f3387f070215e6be341e68eb5c087eeecc0 https://git.kernel.org/stable/c/7b0e356189327287d0eb98ec081bd6dd9 •
CVE-2023-52879 – tracing: Have trace_event_file have ref counters
https://notcve.org/view.php?id=CVE-2023-52879
In the Linux kernel, the following vulnerability has been resolved: tracing: Have trace_event_file have ref counters The following can crash the kernel: # cd /sys/kernel/tracing # echo 'p:sched schedule' > kprobe_events # exec 5>>events/kprobes/sched/enable # > kprobe_events # exec 5>&- The above commands: 1. Change directory to the tracefs directory 2. Create a kprobe event (doesn't matter what one) 3. Open bash file descriptor 5 on the enable file of the kprobe event 4. Delete the kprobe event (removes the files too) 5. • https://git.kernel.org/stable/c/e6807c873d8791ae5a5186ad05ec66cab926539a https://git.kernel.org/stable/c/407bf1c140f0757706c0b28604bcc90837d45ce2 https://git.kernel.org/stable/c/fa6d449e4d024d8c17f4288e0567d28ace69415c https://git.kernel.org/stable/c/a46bf337a20f9edd3c8041b025639842280d0575 https://git.kernel.org/stable/c/9beec04370132a7a6cd1aa9897f6fffc6262ff28 https://git.kernel.org/stable/c/f5ca233e2e66dc1c249bf07eefa37e34a6c9346a https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cf •
CVE-2023-52878 – can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
https://notcve.org/view.php?id=CVE-2023-52878
In the Linux kernel, the following vulnerability has been resolved: can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: dev: can_put_echo_skb(): no bloquee el kernel si se accede a can_priv::echo_skb fuera de los límites. Si se accede a "struct can_priv::echoo_skb" fuera de los límites, esto provocaría un fallo del kernel. En su lugar, emita un mensaje de advertencia significativo y regrese con un error. • https://git.kernel.org/stable/c/a6e4bc5304033e434fabccabb230b8e9ff55d76f https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444 https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4 https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057 https://access.redhat.com/security/cve/CVE-2023-52878 https://bugzilla.redhat.com/show_bug.cgi?id=2282680 • CWE-125: Out-of-bounds Read •