Page 318 of 2059 results (0.009 seconds)

CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix access violation during port device removal Testing with KASAN and syzkaller revealed a bug in port.c:disable_store(): usb_hub_to_struct_hub() can return NULL if the hub that the port belongs to is concurrently removed, but the function does not check for this possibility before dereferencing the returned value. It turns out that the first dereference is unnecessary, since hub->intfdev is the parent of the port device, so it can be changed easily. Adding a check for hub == NULL prevents further problems. The same bug exists in the disable_show() routine, and it can be fixed the same way. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: USB: core: corrige la infracción de acceso durante la eliminación del dispositivo del puerto. Las pruebas con KASAN y syzkaller revelaron un error en port.c:disable_store(): usb_hub_to_struct_hub() puede devolver NULL si el hub que el puerto al que pertenece se elimina simultáneamente, pero la función no comprueba esta posibilidad antes de desreferenciar el valor devuelto. Resulta que la primera desreferencia es innecesaria, ya que hub->intfdev es el padre del dispositivo portuario, por lo que se puede cambiar fácilmente. • https://git.kernel.org/stable/c/f061f43d7418cb62b8d073e221ec75d3f5b89e17 https://git.kernel.org/stable/c/5f1d68ef5ddac27c6b997adccd1c339cef1e6848 https://git.kernel.org/stable/c/63533549ff53d24daf47c443dbd43c308afc3434 https://git.kernel.org/stable/c/6119ef6517ce501fc548154691abdaf1f954a277 https://git.kernel.org/stable/c/a4b46d450c49f32e9d4247b421e58083fde304ce https://access.redhat.com/security/cve/CVE-2024-36896 https://bugzilla.redhat.com/show_bug.cgi?id=2284556 • CWE-170: Improper Null Termination CWE-476: NULL Pointer Dereference •

CVSS: -EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: use correct buffer size when parsing configfs lists This commit fixes uvc gadget support on 32-bit platforms. Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator. As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: usb: gadget: uvc: use el tamaño de búfer correcto al analizar listas de configfs. • https://git.kernel.org/stable/c/0df28607c5cb4fe60bba591e9858a8f7ba39aa4a https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528 https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410 •

CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. • https://git.kernel.org/stable/c/2e4c7553cd6f9c68bb741582dcb614edcbeca70f https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb251 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Check for port partner validity before consuming it typec_register_partner() does not guarantee partner registration to always succeed. In the event of failure, port->partner is set to the error value or NULL. Given that port->partner validity is not checked, this results in the following crash: Unable to handle kernel NULL pointer dereference at virtual address xx pc : run_state_machine+0x1bc8/0x1c08 lr : run_state_machine+0x1b90/0x1c08 .. Call trace: run_state_machine+0x1bc8/0x1c08 tcpm_state_machine_work+0x94/0xe4 kthread_worker_fn+0x118/0x328 kthread+0x1d0/0x23c ret_from_fork+0x10/0x20 To prevent the crash, check for port->partner validity before derefencing it in all the call sites. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: tcpm: verifique la validez del socio del puerto antes de consumirlo. typec_register_partner() no garantiza que el registro del socio sea siempre exitoso. En caso de error, puerto->socio se establece en el valor de error o NULL. • https://git.kernel.org/stable/c/31220bd89c22a18478f52fcd8069e8e2adb8f4f2 https://git.kernel.org/stable/c/9b7cd3fe01f0d03cf5820b351a6be2a6e0a6da6f https://git.kernel.org/stable/c/c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 https://git.kernel.org/stable/c/2897b36d2482b84f35e659989d5cb4501fb31ccd https://git.kernel.org/stable/c/cbcf107780aecf51aba68488044a416d95060b6d https://git.kernel.org/stable/c/2a07e6f0ad8a6e504a3912cfe8dc859b7d0740a5 https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57 https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887 • CWE-476: NULL Pointer Dereference •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid zeroing outside-object freepointer for single free Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing separately") splits single and bulk object freeing in two functions slab_free() and slab_free_bulk() which leads slab_free() to call slab_free_hook() directly instead of slab_free_freelist_hook(). If `init_on_free` is set, slab_free_hook() zeroes the object. Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are set, the do_slab_free() slowpath executes freelist consistency checks and try to decode a zeroed freepointer which leads to a "Freepointer corrupt" detection in check_object(). During bulk free, slab_free_freelist_hook() isn't affected as it always sets it objects freepointer using set_freepointer() to maintain its reconstructed freelist after `init_on_free`. For single free, object's freepointer thus needs to be avoided when stored outside the object if `init_on_free` is set. The freepointer left as is, check_object() may later detect an invalid pointer value due to objects overflow. To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`. dmesg sample log: [ 10.708715] ============================================================================= [ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt [ 10.712695] ----------------------------------------------------------------------------- [ 10.712695] [ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 .... [ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/slub: evita poner a cero el puntero libre de objetos externos para un solo commit libre 284f17ac13fe ("mm/slub: maneja la liberación masiva y de objetos individuales por separado") divide la liberación de objetos únicos y masivos en dos funciones slab_free() y slab_free_bulk() lo que lleva a slab_free() a llamar a slab_free_hook() directamente en lugar de slab_free_freelist_hook(). Si se establece `init_on_free`, slab_free_hook() pone a cero el objeto. Luego, si se configuran `slub_debug=F` y `CONFIG_SLAB_FREELIST_HARDENED`, la ruta lenta do_slab_free() ejecuta comprobaciones de coherencia de la lista libre e intenta decodificar un freepointer puesto a cero, lo que conduce a una detección de "Freepointer corrupto" en check_object(). Durante la liberación masiva, slab_free_freelist_hook() no se ve afectado ya que siempre establece el puntero libre de sus objetos usando set_freepointer() para mantener su lista libre reconstruida después de `init_on_free`. • https://git.kernel.org/stable/c/284f17ac13fe34ae9eecbe57bb91553374d9b855 https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd •