Page 356 of 4126 results (0.009 seconds)

CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: use vmm_table as array in wilc struct Enabling KASAN and running some iperf tests raises some memory issues with vmm_table: BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4 Write of size 4 at addr c3a61540 by task wlan0-tx/95 KASAN detects that we are writing data beyond range allocated to vmm_table. There is indeed a mismatch between the size passed to allocator in wilc_wlan_init, and the range of possible indexes used later: allocation size is missing a multiplication by sizeof(u32) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: wilc1000: use vmm_table como matriz en wilc struct. Al habilitar KASAN y ejecutar algunas pruebas de iperf se generan algunos problemas de memoria con vmm_table: BUG: KASAN: slab-out-of-bounds en wilc_wlan_handle_txq +0x6ac/0xdb4 Escritura de tamaño 4 en la dirección c3a61540 mediante la tarea wlan0-tx/95 KASAN detecta que estamos escribiendo datos más allá del rango asignado a vmm_table. De hecho, existe una discrepancia entre el tamaño pasado al asignador en wilc_wlan_init y el rango de posibles índices utilizados más adelante: al tamaño de la asignación le falta una multiplicación por sizeof(u32) • https://git.kernel.org/stable/c/32dd0b22a5ba1dd296ccf2caf46ad44c3a8d5d98 https://git.kernel.org/stable/c/40b717bfcefab28a0656b8caa5e43d5449e5a671 https://git.kernel.org/stable/c/5212d958f6518003cd98c9886f8e8aedcfc25741 https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8 https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27 https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c10 •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i3c: mipi-i3c-hci: corrige el acceso fuera de los límites en hci_dma_irq_handler. No realice bucles sobre encabezados de anillo en hci_dma_irq_handler() que no estén asignados y habilitados en hci_dma_init(). De lo contrario, el acceso fuera de los límites se producirá desde el acceso de anillos->encabezados[i] cuando i >= número de encabezados de anillo asignados. • https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6 https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65 https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574 •

CVSS: 6.2EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: mfd: qcom-spmi-pmic: Fix revid implementation The Qualcomm SPMI PMIC revid implementation is broken in multiple ways. First, it assumes that just because the sibling base device has been registered that means that it is also bound to a driver, which may not be the case (e.g. due to probe deferral or asynchronous probe). This could trigger a NULL-pointer dereference when attempting to access the driver data of the unbound device. Second, it accesses driver data of a sibling device directly and without any locking, which means that the driver data may be freed while it is being accessed (e.g. on driver unbind). Third, it leaks a struct device reference to the sibling device which is looked up using the spmi_device_from_of() every time a function (child) device is calling the revid function (e.g. on probe). Fix this mess by reimplementing the revid lookup so that it is done only at probe of the PMIC device; the base device fetches the revid info from the hardware, while any secondary SPMI device fetches the information from the base device and caches it so that it can be accessed safely from its children. If the base device has not been probed yet then probe of a secondary device is deferred. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mfd: qcom-spmi-pmic: reparación de la implementación revid. La implementación revid de Qualcomm SPMI PMIC está rota de varias maneras. • https://git.kernel.org/stable/c/e9c11c6e3a0e93903f5a13f8d2f97ae1bba512e1 https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40 https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2 https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2 https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95 • CWE-476: NULL Pointer Dereference •

CVSS: 4.4EPSS: 0%CPEs: 9EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: media: gspca: cpia1: shift-out-of-bounds in set_flicker Syzkaller reported the following issue: UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' When the value of the variable "sd->params.exposure.gain" exceeds the number of bits in an integer, a shift-out-of-bounds error is reported. It is triggered because the variable "currentexp" cannot be left-shifted by more than the number of bits in an integer. In order to avoid invalid range during left-shift, the conditional expression is added. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: media: gspca: cpia1: desplazamiento fuera de los límites en set_flicker. Syzkaller informó el siguiente problema: UBSAN: desplazamiento fuera de los límites en drivers/media/usb/gspca /cpia1.c:1031:27 el exponente de desplazamiento 245 es demasiado grande para el tipo 'int' de 32 bits. • https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060 https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26 https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177 https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809 https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c21 • CWE-125: Out-of-bounds Read •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. The `i3c_master_bus_init` function may attach the I2C devices before the I3C bus initialization. In this flow, the DAT `alloc_entry`` will be used before the DAT `init`. Additionally, if the `i3c_master_bus_init` fails, the DAT `cleanup` will execute before the device is detached, which will execue DAT `free_entry` function. The above scenario can cause the driver to use DAT_data when it is NULL. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: i3c: master: mipi-i3c-hci: se corrigió un pánico del kernel al acceder a DAT_data. • https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442 https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9 https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781 https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02 https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b •