CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47065 – rtw88: Fix array overrun in rtw_get_tx_power_params()
https://notcve.org/view.php?id=CVE-2021-47065
In the Linux kernel, the following vulnerability has been resolved: rtw88: Fix array overrun in rtw_get_tx_power_params() Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the following array overrun is logged: ================================================================================ UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34 index 5 is out of range for type 'u8 [5]' CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651 Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014 Workqueue: phy0 ieee80211_scan_work [mac80211] Call Trace: dump_stack+0x64/0x7c ubsan_epilogue+0x5/0x40 __ubsan_handle_out_of_bounds.cold+0x43/0x48 rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core] ? rtw_pci_read16+0x20/0x20 [rtw_pci] ? check_hw_ready+0x50/0x90 [rtw_core] rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core] rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core] rtw_set_channel+0xab/0x110 [rtw_core] rtw_ops_config+0x87/0xc0 [rtw_core] ieee80211_hw_config+0x9d/0x130 [mac80211] ieee80211_scan_state_set_channel+0x81/0x170 [mac80211] ieee80211_scan_work+0x19f/0x2a0 [mac80211] process_one_work+0x1dd/0x3a0 worker_thread+0x49/0x330 ? rescuer_thread+0x3a0/0x3a0 kthread+0x134/0x150 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x22/0x30 ================================================================================ The statement where an array is being overrun is shown in the following snippet: if (rate <= DESC_RATE11M) tx_power = pwr_idx_2g->cck_base[group]; else ====> tx_power = pwr_idx_2g->bw40_base[group]; The associated arrays are defined in main.h as follows: struct rtw_2g_txpwr_idx { u8 cck_base[6]; u8 bw40_base[5]; struct rtw_2g_1s_pwr_idx_diff ht_1s_diff; struct rtw_2g_ns_pwr_idx_diff ht_2s_diff; struct rtw_2g_ns_pwr_idx_diff ht_3s_diff; struct rtw_2g_ns_pwr_idx_diff ht_4s_diff; }; The problem arises because the value of group is 5 for channel 14. • https://git.kernel.org/stable/c/fa6dfe6bff246ddd5be3cfe81637f137acd6c294 https://git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb https://git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0 https://git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a https://git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c https://git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47063 – drm: bridge/panel: Cleanup connector on bridge detach
https://notcve.org/view.php?id=CVE-2021-47063
In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm: bridge/panel: Limpiar conector en bridge detach Si no llamamos a drm_connector_cleanup() manualmente en panel_bridge_detach(), el conector se limpiará con los demás objetos DRM en la llamada a drm_mode_config_cleanup(). Sin embargo, dado que nuestro drm_connector está asignado por devm, para cuando se llame a drm_mode_config_cleanup(), nuestro conector ya no existirá. Por lo tanto, el conector debe limpiarse cuando se retira el puente para evitar condiciones de uso después de su liberación. v2: Limpiar el conector solo si fue creado v3: Agregar FIXME v4: (Usar conector->dev) directamente en el bloque if() • https://git.kernel.org/stable/c/13dfc0540a575b47b2d640b093ac16e9e09474f6 https://git.kernel.org/stable/c/ce450934a00cf896e648fde08d0bd1426653d7a2 https://git.kernel.org/stable/c/18149b420c9bd93c443e8d1f48a063d71d9f6aa1 https://git.kernel.org/stable/c/98d7d76a74e48ec3ddf2e23950adff7edcab9327 https://git.kernel.org/stable/c/4d906839d321c2efbf3fed4bc31ffd9ff55b75c0 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2021-47061 – KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU
https://notcve.org/view.php?id=CVE-2021-47061
In the Linux kernel, the following vulnerability has been resolved: KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU If allocating a new instance of an I/O bus fails when unregistering a device, wait to destroy the device until after all readers are guaranteed to see the new null bus. Destroying devices before the bus is nullified could lead to use-after-free since readers expect the devices on their reference of the bus to remain valid. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: Destruye los dispositivos del bus de E/S al cancelar el registro _después_ de sincronizar SRCU Si falla la asignación de una nueva instancia de un bus de E/S al cancelar el registro de un dispositivo, espere para destruir el dispositivo hasta que todos los lectores tengan la garantía de ver el nuevo bus nulo. Destruir dispositivos antes de que se anule el bus podría dar lugar a un uso posterior a la liberación, ya que los lectores esperan que los dispositivos en su referencia del bus sigan siendo válidos. • https://git.kernel.org/stable/c/f65886606c2d3b562716de030706dfe1bea4ed5e https://git.kernel.org/stable/c/f0dfffce3f4ffd5f822568a4a6fb34c010e939d1 https://git.kernel.org/stable/c/840e124f89a5127e7eb97ebf377f4b8ca745c070 https://git.kernel.org/stable/c/40a023f681befd9b2862a3c16fb306a38b359ae5 https://git.kernel.org/stable/c/19184bd06f488af62924ff1747614a8cb284ad63 https://git.kernel.org/stable/c/41b2ea7a6a11e2b1a7f2c29e1675a709a6b2b98d https://git.kernel.org/stable/c/68c125324b5e1d1d22805653735442923d896a1d https://git.kernel.org/stable/c/03c6cccedd3913006744faa252a4da514 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2021-47060 – KVM: Stop looking for coalesced MMIO zones if the bus is destroyed
https://notcve.org/view.php?id=CVE-2021-47060
In the Linux kernel, the following vulnerability has been resolved: KVM: Stop looking for coalesced MMIO zones if the bus is destroyed Abort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev() fails to allocate memory for the new instance of the bus. If it can't instantiate a new bus, unregister_dev() destroys all devices _except_ the target device. But, it doesn't tell the caller that it obliterated the bus and invoked the destructor for all devices that were on the bus. In the coalesced MMIO case, this can result in a deleted list entry dereference due to attempting to continue iterating on coalesced_zones after future entries (in the walk) have been deleted. Opportunistically add curly braces to the for-loop, which encompasses many lines but sneaks by without braces due to the guts being a single if statement. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: deja de buscar zonas MMIO fusionadas si el bus se destruye. • https://git.kernel.org/stable/c/41b2ea7a6a11e2b1a7f2c29e1675a709a6b2b98d https://git.kernel.org/stable/c/f65886606c2d3b562716de030706dfe1bea4ed5e https://git.kernel.org/stable/c/f0dfffce3f4ffd5f822568a4a6fb34c010e939d1 https://git.kernel.org/stable/c/840e124f89a5127e7eb97ebf377f4b8ca745c070 https://git.kernel.org/stable/c/40a023f681befd9b2862a3c16fb306a38b359ae5 https://git.kernel.org/stable/c/19184bd06f488af62924ff1747614a8cb284ad63 https://git.kernel.org/stable/c/68c125324b5e1d1d22805653735442923d896a1d https://git.kernel.org/stable/c/7d1bc32d6477ff96a32695ea4be8144e4 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47058 – regmap: set debugfs_name to NULL after it is freed
https://notcve.org/view.php?id=CVE-2021-47058
In the Linux kernel, the following vulnerability has been resolved: regmap: set debugfs_name to NULL after it is freed There is a upstream commit cffa4b2122f5("regmap:debugfs: Fix a memory leak when calling regmap_attach_dev") that adds a if condition when create name for debugfs_name. With below function invoking logical, debugfs_name is freed in regmap_debugfs_exit(), but it is not created again because of the if condition introduced by above commit. regmap_reinit_cache() regmap_debugfs_exit() ... regmap_debugfs_init() So, set debugfs_name to NULL after it is freed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: regmap: establece debugfs_name en NULL después de liberarlo. Hay una confirmación ascendente cffa4b2122f5("regmap:debugfs: corrige una pérdida de memoria al llamar a regmap_attach_dev") que agrega una condición if al crear nombre para debugfs_name. Con la siguiente función que invoca lógica, debugfs_name se libera en regmap_debugfs_exit(), pero no se vuelve a crear debido a la condición if introducida por la confirmación anterior. regmap_reinit_cache() regmap_debugfs_exit() ... regmap_debugfs_init() Entonces, establezca debugfs_name en NULL después de liberarlo. • https://git.kernel.org/stable/c/5b654b03007917f3f1015b2a5c288c1ea6ae8f65 https://git.kernel.org/stable/c/480c5e9c7e4c76c01d5f1f7b73832d7b77e6b427 https://git.kernel.org/stable/c/c9698380b01aed3281160d3ab25749b57d6913b8 https://git.kernel.org/stable/c/cffa4b2122f5f3e53cf3d529bbc74651f95856d5 https://git.kernel.org/stable/c/2dc1554d5f0fdaf47cc5bea442b84b9226fea867 https://git.kernel.org/stable/c/d8897f7b2283a500666c85ef06e820df38ed7b52 https://git.kernel.org/stable/c/eb949f891226c012138ffd9df90d1e509f428ae6 https://git.kernel.org/stable/c/c764e375ae647832de1ee73d43a4bb3ef •