CVE-2021-47383 – tty: Fix out-of-bound vmalloc access in imageblit
https://notcve.org/view.php?id=CVE-2021-47383
In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads to the updatescrollmode() calculates a wrong value to fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tty: corrige el acceso vmalloc fuera de los límites en imageblit. Este problema ocurre cuando un programa de espacio de usuario realiza un ioctl FBIOPUT_VSCREENINFO pasando la estructura fb_var_screeninfo que contiene solo los campos xres, yres y bits_per_pixel con valores. Si esta estructura es la misma que la ioctl anterior, vc_resize() la detecta y no llama a resize_screen(), dejando fb_var_screeninfo incompleto. • https://git.kernel.org/stable/c/7e71fcedfda6f7de18f850a6b36e78d78b04476f https://git.kernel.org/stable/c/70aed03b1d5a5df974f456cdc8eedb213c94bb8b https://git.kernel.org/stable/c/067c694d06040db6f0c65281bb358452ca6d85b9 https://git.kernel.org/stable/c/8a6a240f52e14356386030d8958ae8b1761d2325 https://git.kernel.org/stable/c/883f7897a25e3ce14a7f274ca4c73f49ac84002a https://git.kernel.org/stable/c/d570c48dd37dbe8fc6875d4461d01a9554ae2560 https://git.kernel.org/stable/c/699d926585daa6ec44be556cdc1ab89e5d54557b https://git.kernel.org/stable/c/3b0c406124719b625b1aba431659f5cdc • CWE-125: Out-of-bounds Read •
CVE-2021-47382 – s390/qeth: fix deadlock during failing recovery
https://notcve.org/view.php?id=CVE-2021-47382
In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix deadlock during failing recovery Commit 0b9902c1fcc5 ("s390/qeth: fix deadlock during recovery") removed taking discipline_mutex inside qeth_do_reset(), fixing potential deadlocks. An error path was missed though, that still takes discipline_mutex and thus has the original deadlock potential. Intermittent deadlocks were seen when a qeth channel path is configured offline, causing a race between qeth_do_reset and ccwgroup_remove. Call qeth_set_offline() directly in the qeth_do_reset() error case and then a new variant of ccwgroup_set_offline(), without taking discipline_mutex. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: s390/qeth: arreglar el punto muerto durante la recuperación fallida. La confirmación 0b9902c1fcc5 ("s390/qeth: arreglar el punto muerto durante la recuperación") se eliminó tomando discipline_mutex dentro de qeth_do_reset(), solucionando posibles puntos muertos. Sin embargo, se omitió una ruta de error que todavía requiere discipline_mutex y, por lo tanto, tiene el potencial de bloqueo original. • https://git.kernel.org/stable/c/b41b554c1ee75070a14c02a88496b1f231c7eacc https://git.kernel.org/stable/c/af0c184ea106051e428b5a0b5f2dfd31cbc54c52 https://git.kernel.org/stable/c/0bfe741741327822d1482c7edef0184636d08b40 https://git.kernel.org/stable/c/d2b59bd4b06d84a4eadb520b0f71c62fe8ec0a62 •
CVE-2021-47381 – ASoC: SOF: Fix DSP oops stack dump output contents
https://notcve.org/view.php?id=CVE-2021-47381
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Fix DSP oops stack dump output contents Fix @buf arg given to hex_dump_to_buffer() and stack address used in dump error output. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ASoC: SOF: corrige el contenido de salida del volcado de pila de DSP. Corrija el argumento @buf dado a hex_dump_to_buffer() y la dirección de pila utilizada en la salida de error de volcado. • https://git.kernel.org/stable/c/e657c18a01c85d2c4ec0e96d52be8ba42b956593 https://git.kernel.org/stable/c/a6bb576ead074ca6fa3b53cb1c5d4037a23de81b https://git.kernel.org/stable/c/ac4dfccb96571ca03af7cac64b7a0b2952c97f3a •
CVE-2021-47380 – HID: amd_sfh: Fix potential NULL pointer dereference
https://notcve.org/view.php?id=CVE-2021-47380
In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Fix potential NULL pointer dereference devm_add_action_or_reset() can suddenly invoke amd_mp2_pci_remove() at registration that will cause NULL pointer dereference since corresponding data is not initialized yet. The patch moves initialization of data before devm_add_action_or_reset(). Found by Linux Driver Verification project (linuxtesting.org). [jkosina@suse.cz: rebase] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: HID: amd_sfh: corrige una posible desreferencia del puntero NULL devm_add_action_or_reset() puede invocar repentinamente amd_mp2_pci_remove() en el registro, lo que provocará una desreferencia del puntero NULL ya que los datos correspondientes aún no se han inicializado. El parche mueve la inicialización de los datos antes de devm_add_action_or_reset(). Encontrado por el proyecto de verificación de controladores de Linux (linuxtesting.org). [jkosina@suse.cz: rebase] • https://git.kernel.org/stable/c/283e4bee701dfcd409dd293f19a268bb2bc8ff38 https://git.kernel.org/stable/c/d46ef750ed58cbeeba2d9a55c99231c30a172764 •
CVE-2021-47379 – blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd
https://notcve.org/view.php?id=CVE-2021-47379
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd KASAN reports a use-after-free report when doing fuzz test: [693354.104835] ================================================================== [693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160 [693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338 [693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 [693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 [693354.105612] Call Trace: [693354.105621] dump_stack+0xf1/0x19b [693354.105626] ? show_regs_print_info+0x5/0x5 [693354.105634] ? printk+0x9c/0xc3 [693354.105638] ? cpumask_weight+0x1f/0x1f [693354.105648] print_address_description+0x70/0x360 [693354.105654] kasan_report+0x1b2/0x330 [693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105665] ? • https://git.kernel.org/stable/c/d12ddd843f1877de1f7dd2aeea4907cf9ff3ac08 https://git.kernel.org/stable/c/f58d305887ad7b24986d58e881f6806bb81b2bdf https://git.kernel.org/stable/c/7c2c69e010431b0157c9454adcdd2305809bf9fb https://git.kernel.org/stable/c/858560b27645e7e97aca37ee8f232cccd658fbd2 •