CVE-2023-52670 – rpmsg: virtio: Free driver_override when rpmsg_remove()
https://notcve.org/view.php?id=CVE-2023-52670
In the Linux kernel, the following vulnerability has been resolved: rpmsg: virtio: Free driver_override when rpmsg_remove() Free driver_override when rpmsg_remove(), otherwise the following memory leak will occur: unreferenced object 0xffff0000d55d7080 (size 128): comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s) hex dump (first 32 bytes): 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320 [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70 [<00000000228a60c3>] kstrndup+0x4c/0x90 [<0000000077158695>] driver_set_override+0xd0/0x164 [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170 [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30 [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280 [<00000000443331cc>] really_probe+0xbc/0x2dc [<00000000391064b1>] __driver_probe_device+0x78/0xe0 [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160 [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140 [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4 [<000000003b929a36>] __device_attach+0x9c/0x19c [<00000000a94e0ba8>] device_initial_probe+0x14/0x20 [<000000003c999637>] bus_probe_device+0xa0/0xac En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rpmsg: virtio: Free driver_overridecuando rpmsg_remove() Free driver_override cuando rpmsg_remove(); de lo contrario, se producirá la siguiente pérdida de memoria: objeto sin referencia 0xffff0000d55d7080 (tamaño 128): comm "kworker/u8 :2", pid 56, santiamén 4294893188 (edad 214.272s) volcado hexadecimal (primeros 32 bytes): 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ retroceso: [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320 [<000000002300d89b>] +0x44/ 0x70 [<00000000228a60c3>] kstrndup+0x4c/0x90 [<0000000077158695>] driver_set_override+0xd0/0x164 [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170 0000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30 [<000000008bbf8fa2>] rpmsg_probe+0x2e0/ 0x3ec [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280 [<00000000443331cc>] very_probe+0xbc/0x2dc [<00000000391064b1>] __driver_probe_device+0x78/0xe0 [<00 000000a41c9a5b>] driver_probe_device+0xd8/0x160 [<000000009c3bd5df>] __device_attach_driver+0xb8/ 0x140 [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4 [<000000003b929a36>] __device_attach+0x9c/0x19c [<00000000a94e0ba8>] dispositivo_initial_probe+0x14/0x20 [<000 000003c999637>] bus_probe_device+0xa0/0xac • https://git.kernel.org/stable/c/b0b03b8119633de0649da9bd506e4850c401ff2b https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08 https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30 https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6 https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346 https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2023-52669 – crypto: s390/aes - Fix buffer overread in CTR mode
https://notcve.org/view.php?id=CVE-2023-52669
In the Linux kernel, the following vulnerability has been resolved: crypto: s390/aes - Fix buffer overread in CTR mode When processing the last block, the s390 ctr code will always read a whole block, even if there isn't a whole block of data left. Fix this by using the actual length left and copy it into a buffer first for processing. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: s390/aes - Corrige la sobrelectura del buffer en modo CTR Al procesar el último bloque, el código ctr s390 siempre leerá un bloque completo, incluso si no hay un bloque completo de datos restantes. Solucione este problema utilizando la longitud real restante y cópielo primero en un búfer para procesarlo. • https://git.kernel.org/stable/c/0200f3ecc19660bebeabbcbaf212957fcf1dbf8f https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79 https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285 https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23 https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874 https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b https://lists.debian.org/debian-lts-announce/2024/06/ •
CVE-2023-52667 – net/mlx5e: fix a potential double-free in fs_any_create_groups
https://notcve.org/view.php?id=CVE-2023-52667
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a potential double-free in fs_any_create_groups When kcalloc() for ft->g succeeds but kvzalloc() for in fails, fs_any_create_groups() will free ft->g. However, its caller fs_any_create_table() will free ft->g again through calling mlx5e_destroy_flow_table(), which will lead to a double-free. Fix this by setting ft->g to NULL in fs_any_create_groups(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: corrige una posible double free en fs_any_create_groups Cuando kcalloc() para ft->g tiene éxito pero kvzalloc() para in falla, fs_any_create_groups() liberará ft-> gramo. Sin embargo, su llamador fs_any_create_table() liberará ft->g nuevamente llamando a mlx5e_destroy_flow_table(), lo que conducirá a un double free. Solucione este problema configurando ft->g en NULL en fs_any_create_groups(). • https://git.kernel.org/stable/c/0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6 https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1 https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8 https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779 https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e https://access.redhat.com/security/cve/CVE-2023-52667 https://bugzilla.redhat.com/show_bug.cgi?id=2281350 • CWE-415: Double Free •
CVE-2024-35833 – dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
https://notcve.org/view.php?id=CVE-2024-35833
In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA This dma_alloc_coherent() is undone neither in the remove function, nor in the error handling path of fsl_qdma_probe(). Switch to the managed version to fix both issues. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dmaengine: fsl-qdma: corregida una pérdida de memoria relacionada con el comando de cola DMA. Este dma_alloc_coherent() no se deshace ni en la función de eliminación ni en la ruta de manejo de errores de fsl_qdma_probe() . Cambie a la versión administrada para solucionar ambos problemas. • https://git.kernel.org/stable/c/b092529e0aa09829a6404424ce167bf3ce3235e2 https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8 https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802 https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3 https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59 https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6 https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24 https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e •
CVE-2024-35832 – bcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit
https://notcve.org/view.php?id=CVE-2024-35832
In the Linux kernel, the following vulnerability has been resolved: bcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit bch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut. It should be freed by kvfree not kfree. Or umount will triger: [ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008 [ 406.830676 ] #PF: supervisor read access in kernel mode [ 406.831643 ] #PF: error_code(0x0000) - not-present page [ 406.832487 ] PGD 0 P4D 0 [ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI [ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90 [ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [ 406.835796 ] RIP: 0010:kfree+0x62/0x140 [ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6 [ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286 [ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4 [ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000 [ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001 [ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80 [ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000 [ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000 [ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0 [ 406.841464 ] Call Trace: [ 406.841583 ] <TASK> [ 406.841682 ] ? __die+0x1f/0x70 [ 406.841828 ] ? page_fault_oops+0x159/0x470 [ 406.842014 ] ? fixup_exception+0x22/0x310 [ 406.842198 ] ? exc_page_fault+0x1ed/0x200 [ 406.842382 ] ? • https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271 https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555 •