CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52469 – drivers/amd/pm: fix a use-after-free in kv_parse_power_table
https://notcve.org/view.php?id=CVE-2023-52469
In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/amd/pm: corrige un use-after-free en kv_parse_power_table Cuando ps asignado por kzalloc es igual a NULL, kv_parse_power_table libera adev->pm.dpm.ps que se asignó antes. Sin embargo, después de que el flujo de control pasa por las siguientes cadenas de llamadas: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini El adev->pm.dpm.ps se usa en el bucle for de kv_dpm_fini después de su primera liberación en kv_parse_power_table y provoca un error de use-after-free. A use-after-free flaw was found in kv_parse_power_table in drivers/amd/pm in the Linux kernel. • https://git.kernel.org/stable/c/a2e73f56fa6282481927ec43aa9362c03c2e2104 https://git.kernel.org/stable/c/8a27d9d9fc9b5564b8904c3a77a7dea482bfa34e https://git.kernel.org/stable/c/8b55b06e737feb2a645b0293ea27e38418876d63 https://git.kernel.org/stable/c/520e213a0b97b64735a13950e9371e0a5d7a5dc3 https://git.kernel.org/stable/c/b6dcba02ee178282e0d28684d241e0b8462dea6a https://git.kernel.org/stable/c/35fa2394d26e919f63600ce631e6aefc95ec2706 https://git.kernel.org/stable/c/95084632a65d5c0d682a83b55935560bdcd2a1e3 https://git.kernel.org/stable/c/3426f059eacc33ecc676b0d66539297e1 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52467 – mfd: syscon: Fix null pointer dereference in of_syscon_register()
https://notcve.org/view.php?id=CVE-2023-52467
In the Linux kernel, the following vulnerability has been resolved: mfd: syscon: Fix null pointer dereference in of_syscon_register() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mfd: syscon: corrige la desreferencia del puntero nulo en of_syscon_register() kasprintf() devuelve un puntero a la memoria asignada dinámicamente que puede ser NULL en caso de falla. • https://git.kernel.org/stable/c/e15d7f2b81d2e7d93115d46fa931b366c1cdebc2 https://git.kernel.org/stable/c/927626a2073887ee30ba00633260d4d203f8e875 https://git.kernel.org/stable/c/c3e3a2144bf50877551138ffce9f7aa6ddfe385b https://git.kernel.org/stable/c/527e8c5f3d00299822612c495d5adf1f8f43c001 https://git.kernel.org/stable/c/3ef1130deee98997275904d9bfc37af75e1e906c https://git.kernel.org/stable/c/7f2c410ac470959b88e03dadd94b7a0b71df7973 https://git.kernel.org/stable/c/41673c66b3d0c09915698fec5c13b24336f18dd1 https://lists.debian.org/debian-lts-announce/2024/06/ • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26605 – PCI/ASPM: Fix deadlock when enabling ASPM
https://notcve.org/view.php?id=CVE-2024-26605
In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Fix deadlock when enabling ASPM A last minute revert in 6.7-final introduced a potential deadlock when enabling ASPM during probe of Qualcomm PCIe controllers as reported by lockdep: ============================================ WARNING: possible recursive locking detected 6.7.0 #40 Not tainted -------------------------------------------- kworker/u16:5/90 is trying to acquire lock: ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc but task is already holding lock: ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(pci_bus_sem); lock(pci_bus_sem); *** DEADLOCK *** Call trace: print_deadlock_bug+0x25c/0x348 __lock_acquire+0x10a4/0x2064 lock_acquire+0x1e8/0x318 down_read+0x60/0x184 pcie_aspm_pm_state_change+0x58/0xdc pci_set_full_power_state+0xa8/0x114 pci_set_power_state+0xc4/0x120 qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom] pci_walk_bus+0x64/0xbc qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom] The deadlock can easily be reproduced on machines like the Lenovo ThinkPad X13s by adding a delay to increase the race window during asynchronous probe where another thread can take a write lock. Add a new pci_set_power_state_locked() and associated helper functions that can be called with the PCI bus semaphore held to avoid taking the read lock twice. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: PCI/ASPM: solucionó el punto muerto al habilitar ASPM. Una reversión de último minuto en 6.7-final introdujo un posible punto muerto al habilitar ASPM durante la prueba de los controladores PCIe de Qualcomm, según lo informado por lockdep: === ========================================= ADVERTENCIA: posible bloqueo recursivo detectado 6.7.0 #40 No contaminado -------------------------------------------- kworker/ u16:5/90 está intentando adquirir el bloqueo: ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, en: pcie_aspm_pm_state_change+0x58/0xdc pero la tarea ya mantiene el bloqueo: ffffacfa78ced000 (pci_bus_sem){+++ +}-{3:3}, en: pci_walk_bus+0x34/0xbc otra información que podría ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(pci_bus_sem); bloquear(pci_bus_sem); *** DEADLOCK *** Rastreo de llamadas: print_deadlock_bug+0x25c/0x348 __lock_acquire+0x10a4/0x2064 lock_acquire+0x1e8/0x318 down_read+0x60/0x184 pcie_aspm_pm_state_change+0x58/0xdc pci_set_full_power_state+0xa8/0x114 pci_ set_power_state+0xc4/0x120 qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom] pci_walk_bus+0x64/0xbc qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom] El punto muerto se puede reproducir fácilmente en máquinas como la Lenovo ThinkPad X13s agregando un retraso para aumentar la ventana de carrera durante la prueba asíncrona donde otro hilo puede tomar un bloqueo de escritura. Agregue un nuevo pci_set_power_state_locked() y funciones auxiliares asociadas que se pueden llamar con el semáforo del bus PCI retenido para evitar tomar el bloqueo de lectura dos veces. • https://git.kernel.org/stable/c/b9c370b61d735a0e5390c42771e7eb21413f7868 https://git.kernel.org/stable/c/8cc22ba3f77c59df5f1ac47d62df51efb28cd868 https://git.kernel.org/stable/c/f93e71aea6c60ebff8adbd8941e678302d377869 https://git.kernel.org/stable/c/1f2f662c8bec75d1311e063efaa9107435cf16c8 https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3 https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70 https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a180 • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26603 – x86/fpu: Stop relying on userspace for info to fault in xsave buffer
https://notcve.org/view.php?id=CVE-2024-26603
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Stop relying on userspace for info to fault in xsave buffer Before this change, the expected size of the user space buffer was taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed from user-space, so it is possible construct a sigreturn frame where: * fx_sw->xstate_size is smaller than the size required by valid bits in fx_sw->xfeatures. * user-space unmaps parts of the sigrame fpu buffer so that not all of the buffer required by xrstor is accessible. In this case, xrstor tries to restore and accesses the unmapped area which results in a fault. But fault_in_readable succeeds because buf + fx_sw->xstate_size is within the still mapped area, so it goes back and tries xrstor again. It will spin in this loop forever. Instead, fault in the maximum size which can be touched by XRSTOR (taken from fpstate->user_size). [ dhansen: tweak subject / changelog ] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: x86/fpu: dejar de depender del espacio de usuario para que la información falle en el búfer xsave Antes de este cambio, el tamaño esperado del búfer de espacio de usuario se tomaba de fx_sw->xstate_size. fx_sw->xstate_size se puede cambiar desde el espacio de usuario, por lo que es posible construir un marco sigreturn donde: * fx_sw->xstate_size es más pequeño que el tamaño requerido por los bits válidos en fx_sw->xfeatures. * el espacio de usuario desasigna partes del búfer fpu de sigrame para que no se pueda acceder a todo el búfer requerido por xrstor. En este caso, xrstor intenta restaurar y accede al área no asignada, lo que genera una falla. Pero falla_in_readable tiene éxito porque buf + fx_sw->xstate_size está dentro del área aún mapeada, por lo que regresa e intenta xrstor nuevamente. • https://git.kernel.org/stable/c/fcb3635f5018e53024c6be3c3213737f469f74ff https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996 https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2 https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835 https://access.redhat.com/security/cve/CVE-2024-26603 https://bugzilla.redhat.com/show_bug.cgi?id=2265833 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26602 – sched/membarrier: reduce the ability to hammer on sys_membarrier
https://notcve.org/view.php?id=CVE-2024-26602
In the Linux kernel, the following vulnerability has been resolved: sched/membarrier: reduce the ability to hammer on sys_membarrier On some systems, sys_membarrier can be very expensive, causing overall slowdowns for everything. So put a lock on the path in order to serialize the accesses to prevent the ability for this to be called at too high of a frequency and saturate the machine. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sched/membarrier: reduce la capacidad de martillar en sys_membarrier. En algunos sistemas, sys_membarrier puede ser muy costoso, provocando ralentizaciones generales en todo. Por lo tanto, bloquee la ruta para serializar los accesos y evitar que se llame a una frecuencia demasiado alta y sature la máquina. • https://git.kernel.org/stable/c/22e4ebb975822833b083533035233d128b30e98f https://git.kernel.org/stable/c/3cd139875e9a7688b3fc715264032620812a5fa3 https://git.kernel.org/stable/c/2441a64070b85c14eecc3728cc87e883f953f265 https://git.kernel.org/stable/c/db896bbe4a9c67cee377e5f6a743350d3ae4acf6 https://git.kernel.org/stable/c/50fb4e17df319bb33be6f14e2a856950c1577dee https://git.kernel.org/stable/c/24ec7504a08a67247fbe798d1de995208a8c128a https://git.kernel.org/stable/c/b6a2a9cbb67545c825ec95f06adb7ff300a2ad71 https://git.kernel.org/stable/c/c5b2063c65d05e79fad8029324581d86c •