Page 36 of 4559 results (0.015 seconds)

CVSS: -EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: svcrdma: Address an integer overflow Dan Carpenter reports: > Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data > structure") from Jun 22, 2020 (linux-next), leads to the following > Smatch static checker warning: > > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk() > warn: potential user controlled sizeof overflow 'segcount * 4 * 4' > > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c > 488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt) > 489 { > 490 u32 segcount; > 491 __be32 *p; > 492 > 493 if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount)) > ^^^^^^^^ > > 494 return false; > 495 > 496 /* A bogus segcount causes this buffer overflow check to fail. */ > 497 p = xdr_inline_decode(&rctxt->rc_stream, > --> 498 segcount * rpcrdma_segment_maxsz * sizeof(*p)); > > > segcount is an untrusted u32. On 32bit systems anything >= SIZE_MAX / 16 will > have an integer overflow and some those values will be accepted by > xdr_inline_decode(). • https://git.kernel.org/stable/c/78147ca8b4a9b6cf0e597ddd6bf17959e08376c2 https://git.kernel.org/stable/c/21e1cf688fb0397788c8dd42e1e0b08d58ac5c7b https://git.kernel.org/stable/c/c1f8195bf68edd2cef0f18a4cead394075a54b5a https://git.kernel.org/stable/c/838dd342962cef4c320632a5af48d3c31f2f9877 https://git.kernel.org/stable/c/4cbc3ba6dc2f746497cade60bcbaa82ae3696689 https://git.kernel.org/stable/c/e5c440c227ecdc721f2da0dd88b6358afd1031a7 https://git.kernel.org/stable/c/3c63d8946e578663b868cb9912dac616ea68bfd0 •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. • https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9 https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9 https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77 https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: comedi: Flush partial mappings in error case If some remap_pfn_range() calls succeeded before one failed, we still have buffer pages mapped into the userspace page tables when we drop the buffer reference with comedi_buf_map_put(bm). The userspace mappings are only cleaned up later in the mmap error path. Fix it by explicitly flushing all mappings in our VMA on the error path. See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in error case"). • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 https://git.kernel.org/stable/c/57f048c2d205b85e34282a9b0b0ae177e84c2f44 https://git.kernel.org/stable/c/b9322408d83accc8b96322bc7356593206288c56 https://git.kernel.org/stable/c/8797b7712de704dc231f9e821d8eb3b9aeb3a032 https://git.kernel.org/stable/c/16c507df509113c037cdc0ba642b9ab3389bd26c https://git.kernel.org/stable/c/9b07fb464eb69a752406e78e62ab3a60bfa7b00d https://git.kernel.org/stable/c/c6963a06ce5c61d3238751ada04ee1569663a828 https://git.kernel.org/stable/c/297f14fbb81895f4ccdb0ad25d196786d •

CVSS: -EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty. • https://git.kernel.org/stable/c/a0120d6463368378539ef928cf067d02372efb8c https://git.kernel.org/stable/c/3ddd1cb2b458ff6a193bc845f408dfff217db29e https://git.kernel.org/stable/c/184fa506e392eb78364d9283c961217ff2c0617b •

CVSS: -EPSS: 0%CPEs: 9EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent a potential integer overflow If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. • https://git.kernel.org/stable/c/745f7ce5a95e783ba62fe774325829466aec2aa8 https://git.kernel.org/stable/c/90adbae9dd158da8331d9fdd32077bd1af04f553 https://git.kernel.org/stable/c/3c5f545c9a1f8a1869246f6f3ae8c17289d6a841 https://git.kernel.org/stable/c/842f1c27a1aef5367e535f9e85c8c3b06352151a https://git.kernel.org/stable/c/de53c5305184ca1333b87e695d329d1502d694ce https://git.kernel.org/stable/c/dde654cad08fdaac370febb161ec41eb58e9d2a2 https://git.kernel.org/stable/c/084f797dbc7e52209a4ab6dbc7f0109268754eb9 https://git.kernel.org/stable/c/ccd3394f9a7200d6b088553bf38e68862 •