CVE-2023-52768 – wifi: wilc1000: use vmm_table as array in wilc struct
https://notcve.org/view.php?id=CVE-2023-52768
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: use vmm_table as array in wilc struct Enabling KASAN and running some iperf tests raises some memory issues with vmm_table: BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4 Write of size 4 at addr c3a61540 by task wlan0-tx/95 KASAN detects that we are writing data beyond range allocated to vmm_table. There is indeed a mismatch between the size passed to allocator in wilc_wlan_init, and the range of possible indexes used later: allocation size is missing a multiplication by sizeof(u32) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: wilc1000: use vmm_table como matriz en wilc struct. Al habilitar KASAN y ejecutar algunas pruebas de iperf se generan algunos problemas de memoria con vmm_table: BUG: KASAN: slab-out-of-bounds en wilc_wlan_handle_txq +0x6ac/0xdb4 Escritura de tamaño 4 en la dirección c3a61540 mediante la tarea wlan0-tx/95 KASAN detecta que estamos escribiendo datos más allá del rango asignado a vmm_table. De hecho, existe una discrepancia entre el tamaño pasado al asignador en wilc_wlan_init y el rango de posibles índices utilizados más adelante: al tamaño de la asignación le falta una multiplicación por sizeof(u32) • https://git.kernel.org/stable/c/32dd0b22a5ba1dd296ccf2caf46ad44c3a8d5d98 https://git.kernel.org/stable/c/40b717bfcefab28a0656b8caa5e43d5449e5a671 https://git.kernel.org/stable/c/5212d958f6518003cd98c9886f8e8aedcfc25741 https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8 https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27 https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c10 •
CVE-2023-52766 – i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
https://notcve.org/view.php?id=CVE-2023-52766
In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i3c: mipi-i3c-hci: corrige el acceso fuera de los límites en hci_dma_irq_handler. No realice bucles sobre encabezados de anillo en hci_dma_irq_handler() que no estén asignados y habilitados en hci_dma_init(). De lo contrario, el acceso fuera de los límites se producirá desde el acceso de anillos->encabezados[i] cuando i >= número de encabezados de anillo asignados. • https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6 https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65 https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574 •
CVE-2023-52764 – media: gspca: cpia1: shift-out-of-bounds in set_flicker
https://notcve.org/view.php?id=CVE-2023-52764
In the Linux kernel, the following vulnerability has been resolved: media: gspca: cpia1: shift-out-of-bounds in set_flicker Syzkaller reported the following issue: UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' When the value of the variable "sd->params.exposure.gain" exceeds the number of bits in an integer, a shift-out-of-bounds error is reported. It is triggered because the variable "currentexp" cannot be left-shifted by more than the number of bits in an integer. In order to avoid invalid range during left-shift, the conditional expression is added. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: media: gspca: cpia1: desplazamiento fuera de los límites en set_flicker. Syzkaller informó el siguiente problema: UBSAN: desplazamiento fuera de los límites en drivers/media/usb/gspca /cpia1.c:1031:27 el exponente de desplazamiento 245 es demasiado grande para el tipo 'int' de 32 bits. • https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060 https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26 https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177 https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809 https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c21 • CWE-125: Out-of-bounds Read •
CVE-2023-52763 – i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.
https://notcve.org/view.php?id=CVE-2023-52763
In the Linux kernel, the following vulnerability has been resolved: i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. The `i3c_master_bus_init` function may attach the I2C devices before the I3C bus initialization. In this flow, the DAT `alloc_entry`` will be used before the DAT `init`. Additionally, if the `i3c_master_bus_init` fails, the DAT `cleanup` will execute before the device is detached, which will execue DAT `free_entry` function. The above scenario can cause the driver to use DAT_data when it is NULL. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i3c: master: mipi-i3c-hci: se corrigió un pánico del kernel al acceder a DAT_data. • https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442 https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9 https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781 https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02 https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b •
CVE-2023-52762 – virtio-blk: fix implicit overflow on virtio_max_dma_size
https://notcve.org/view.php?id=CVE-2023-52762
In the Linux kernel, the following vulnerability has been resolved: virtio-blk: fix implicit overflow on virtio_max_dma_size The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: virtio-blk: corrige el desbordamiento implícito en virtio_max_dma_size. Los siguientes códigos tienen una conversión implícita de size_t a u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); Esto puede provocar un desbordamiento, Ex (size_t)4G -> (u32)0. Una vez que virtio_max_dma_size() tenga un tamaño mayor que U32_MAX, use U32_MAX en su lugar. • https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48 https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9 https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90 https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be https://access.redhat.com/security/cve/CVE-2023-52762 https://bugzilla.redhat.com/show_bug.cgi?id=2282623 • CWE-121: Stack-based Buffer Overflow •