CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-52568 – x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race
https://notcve.org/view.php?id=CVE-2023-52568
In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an enclave and set secs.epc_page to NULL. The SECS page is used for EAUG and ELDU in the SGX page fault handler. However, the NULL check for secs.epc_page is only done for ELDU, not EAUG before being used. Fix this by doing the same NULL check and reloading of the SECS page as needed for both EAUG and ELDU. The SECS page holds global enclave metadata. It can only be reclaimed when there are no other enclave pages remaining. At that point, virtually nothing can be done with the enclave until the SECS page is paged back in. An enclave can not run nor generate page faults without a resident SECS page. • https://git.kernel.org/stable/c/5a90d2c3f5ef87717e54572af8426aba6fdbdaa6 https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2023-52567 – serial: 8250_port: Check IRQ data before use
https://notcve.org/view.php?id=CVE-2023-52567
In the Linux kernel, the following vulnerability has been resolved: serial: 8250_port: Check IRQ data before use In case the leaf driver wants to use IRQ polling (irq = 0) and IIR register shows that an interrupt happened in the 8250 hardware the IRQ data can be NULL. In such a case we need to skip the wake event as we came to this path from the timer interrupt and quite likely system is already awake. Without this fix we have got an Oops: serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A ... BUG: kernel NULL pointer dereference, address: 0000000000000010 RIP: 0010:serial8250_handle_irq+0x7c/0x240 Call Trace: ? serial8250_handle_irq+0x7c/0x240 ? __pfx_serial8250_timeout+0x10/0x10 • https://git.kernel.org/stable/c/edfe57aedff4ecf3606533aabf8ecf7676c3c5d9 https://git.kernel.org/stable/c/0bd49a043c7984c93c2a0af41222fb71c3986a4e https://git.kernel.org/stable/c/572d48361aa0a6e6f16c1470e5407de183493d0c https://git.kernel.org/stable/c/d5d628fea5f6181809a9d61b04de6ade53277684 https://git.kernel.org/stable/c/424cf29296354d7b9c6c038aaa7bb71782100851 https://git.kernel.org/stable/c/727e92fe13e81c6088a88d83e466b2b1b553c4e3 https://git.kernel.org/stable/c/0ba9e3a13c6adfa99e32b2576d20820ab10ad48a https://git.kernel.org/stable/c/d7c6aa39eb041e2a6a53106104200d11e •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52566 – nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
https://notcve.org/view.php?id=CVE-2023-52566
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If the reference count hits 0 and its owner page gets unlocked, bh may be freed. However, bh->b_page is dereferenced to put the page after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page. NOTE: The function in question is only called in GC, and in combination with current userland tools, address translation using DAT does not occur in that function, so the code path that causes this issue will not be executed. However, it is possible to run that code path by intentionally modifying the userland GC library or by calling the GC ioctl directly. [konishi.ryusuke@gmail.com: NOTE added to the commit log] • https://git.kernel.org/stable/c/a3d93f709e893187d301aa5458b2248db9f22bd1 https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1 https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33 https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7 https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8 https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cd •
CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52565 – media: uvcvideo: Fix OOB read
https://notcve.org/view.php?id=CVE-2023-52565
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix OOB read If the index provided by the user is bigger than the mask size, we might do an out of bound read. • https://git.kernel.org/stable/c/367703c3ec4f72208b8cae14310b8a2c955ec565 https://git.kernel.org/stable/c/40140eda661ea4be219ef194a4f43b7b5e3bbd27 https://git.kernel.org/stable/c/42cbbc6b2c39b02e07cbd24dc2155d4edb99dd04 https://git.kernel.org/stable/c/09635bf4cdd4adf2160198a6041bcc7ca46c0558 https://git.kernel.org/stable/c/8bcf70d787f7d53a3b85ad394f926cfef3eed023 https://git.kernel.org/stable/c/41ebaa5e0eebea4c3bac96b72f9f8ae0d77c0bdb https://access.redhat.com/security/cve/CVE-2023-52565 https://bugzilla.redhat.com/show_bug.cgi?id=2267724 • CWE-125: Out-of-bounds Read •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52564 – Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
https://notcve.org/view.php?id=CVE-2023-52564
In the Linux kernel, the following vulnerability has been resolved: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239. The commit above is reverted as it did not solve the original issue. gsm_cleanup_mux() tries to free up the virtual ttys by calling gsm_dlci_release() for each available DLCI. There, dlci_put() is called to decrease the reference counter for the DLCI via tty_port_put() which finally calls gsm_dlci_free(). This already clears the pointer which is being checked in gsm_cleanup_mux() before calling gsm_dlci_release(). Therefore, it is not necessary to clear this pointer in gsm_cleanup_mux() as done in the reverted commit. The commit introduces a null pointer dereference: <TASK> ? __die+0x1f/0x70 ? • https://git.kernel.org/stable/c/8fc0eabaa73bbd9bd705577071564616da5c8c61 https://git.kernel.org/stable/c/5138c228311a863c3cf937b94a3ab4c87f1f70c4 https://git.kernel.org/stable/c/9615ca54bc138e35353a001e8b5d4824dce72188 https://git.kernel.org/stable/c/9b9c8195f3f0d74a826077fc1c01b9ee74907239 https://git.kernel.org/stable/c/74a8d6f50cc90ed0061997db51dfa81a62b0f835 https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334 •