CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47282 – spi: bcm2835: Fix out-of-bounds access with more than 4 slaves
https://notcve.org/view.php?id=CVE-2021-47282
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for ->prepare_message()") limited the number of slaves to 3 at compile-time. The limitation was necessitated by a statically-sized array prepare_cs[] in the driver private data which contains a per-slave register value. The commit sought to enforce the limitation at run-time by setting the controller's num_chipselect to... • https://git.kernel.org/stable/c/571e31fa60b3697d5db26140e16d5c45c51c9815 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47281 – ALSA: seq: Fix race of snd_seq_timer_open()
https://notcve.org/view.php?id=CVE-2021-47281
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: Fix race of snd_seq_timer_open() The timer instance per queue is exclusive, and snd_seq_timer_open() should have managed the concurrent accesses. It looks as if it's checking the already existing timer instance at the beginning, but it's not right, because there is no protection, hence any later concurrent call of snd_seq_timer_open() may override the timer instance easily. This may result in UAF, as the leftover timer instance c... • https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47280 – drm: Fix use-after-free read in drm_getunique()
https://notcve.org/view.php?id=CVE-2021-47280
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: drm: Fix use-after-free read in drm_getunique() There is a time-of-check-to-time-of-use error in drm_getunique() due to retrieving file_priv->master prior to locking the device's master mutex. An example can be seen in the crash report of the use-after-free error found by Syzbot: https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 In the report, the master pointer was used after being freed. This is because another... • https://git.kernel.org/stable/c/17dab9326ff263c62dab1dbac4492e2938a049e4 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47279 – usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()
https://notcve.org/view.php?id=CVE-2021-47279
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: misc: brcmstb-usb-pinmap: verifique el valor de retorno después de llamar a platform_get_resource() Causará un null-ptr-deref si platform_get_resource() devuelve NULL, necesitamos ve... • https://git.kernel.org/stable/c/517c4c44b32372d2fdf4421822e21083c45e89f9 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47278 – bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()
https://notcve.org/view.php?id=CVE-2021-47278
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove() This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itsel... • https://git.kernel.org/stable/c/8562d4fe34a3ef52da077f77985994bb9ad1f83e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47277 – kvm: avoid speculation-based attacks from out-of-range memslot accesses
https://notcve.org/view.php?id=CVE-2021-47277
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: kvm: avoid speculation-based attacks from out-of-range memslot accesses KVM's mechanism for accessing guest memory translates a guest physical address (gpa) to a host virtual address using the right-shifted gpa (also known as gfn) and a struct kvm_memory_slot. The translation is performed in __gfn_to_hva_memslot using the following formula: hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE It is expected that gfn falls within ... • https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47276 – ftrace: Do not blindly read the ip address in ftrace_bug()
https://notcve.org/view.php?id=CVE-2021-47276
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not blindly read the ip address in ftrace_bug() It was reported that a bug on arm64 caused a bad ip address to be used for updating into a nop in ftrace_init(), but the error path (rightfully) returned -EINVAL and not -EFAULT, as the bug caused more than one error to occur. But because -EINVAL was returned, the ftrace_bug() tried to report what was at the location of the ip address, and read it directly. This caused the machine t... • https://git.kernel.org/stable/c/05736a427f7e16be948ccbf39782bd3a6ae16b14 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47275 – bcache: avoid oversized read request in cache missing code path
https://notcve.org/view.php?id=CVE-2021-47275
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: bcache: avoid oversized read request in cache missing code path In the cache missing code path of cached device, if a proper location from the internal B+ tree is matched for a cache miss range, function cached_dev_cache_miss() will be called in cache_lookup_fn() in the following code block, [code block 1] 526 unsigned int sectors = KEY_INODE(k) == s->iop.inode 527 ? min_t(uint64_t, INT_MAX, 528 KEY_START(k) - bio->bi_iter.bi_sector) 529 : ... • https://git.kernel.org/stable/c/555002a840ab88468e252b0eedf0b05e2ce7099c •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-47274 – tracing: Correct the length check which causes memory corruption
https://notcve.org/view.php?id=CVE-2021-47274
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: tracing: Correct the length check which causes memory corruption We've suffered from severe kernel crashes due to memory corruption on our production environment, like, Call Trace: [1640542.554277] general protection fault: 0000 [#1] SMP PTI [1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G [1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190 [1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286 [1640542.5595... • https://git.kernel.org/stable/c/2e584b1a02eeb860e286d39bc408b25ebc5ec844 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47273 – usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled
https://notcve.org/view.php?id=CVE-2021-47273
21 May 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled When only PHY1 is used (for example on Odroid-HC4), the regmap init code uses the usb2 ports when doesn't initialize the PHY1 regmap entry. This fixes: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... pc : regmap_update_bits_base+0x40/0xa0 lr : dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8 ... Call trace: regmap_update_bits_base+0x40/0xa0 dw... • https://git.kernel.org/stable/c/013af227f58a97ffc61b99301f8f4448dc7e7f55 •