Page 372 of 3839 results (0.023 seconds)

CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'region->group->tcam' [1]. Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Call Trace: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mlxsw: espectro_acl_tcam: corrige la desreferencia del puntero NULL en la ruta de error Al llamar a mlxsw_sp_acl_tcam_region_destroy() desde una ruta de error después de no poder adjuntar la región a un grupo de ACL, alcanzamos una desreferencia del puntero NULL al 'región->grupo->tcam' [1]. Solucione recuperando el puntero 'tcam' usando mlxsw_sp_acl_to_tcam(). [1] ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Seguimiento de llamadas: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0 x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b 0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 Entry_SYSCALL_64_after_hwframe+0x63/0x6b A flaw was found in the Linux kernel, where a faulty error handler in the driver for certain Mellanox hardware could lead to a null pointer reference. This issue affects system stability. • https://git.kernel.org/stable/c/22a677661f5624539d394f681276171f92d714df https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39 https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809 https://access.redhat.com/security/cve/CVE-2024-26595 https://bugzilla.redhat.com/show_bug.cgi?id=2265799 • CWE-476: NULL Pointer Dereference •

CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: EDAC/thunderx: Fix possible out-of-bounds string access Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=] 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); ... 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); ... Apparently the author of this driver expected strncat() to behave the way that strlcat() does, which uses the size of the destination buffer as its third argument rather than the length of the source buffer. The result is that there is no check on the size of the allocated buffer. Change it to strlcat(). [ bp: Trim compiler output, fixup commit message. ] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: EDAC/thunderx: corrige un posible acceso a cadenas fuera de los límites Al habilitar -Wstringop-overflow globalmente se expone una advertencia para un error común en el uso de strncat(): drivers/edac/ thunderx_edac.c: En la función 'thunderx_ocx_com_threaded_isr': drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' el límite especificado 1024 es igual al tamaño de destino [-Werror=stringop-overflow=] 1136 | strncat(msj, otro, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... 1145 | strncat(msj, otro, OCX_MESSAGE_SIZE); ... 1150 | strncat(msj, otro, OCX_MESSAGE_SIZE); ... Aparentemente, el autor de este controlador esperaba que strncat() se comportara de la manera que lo hace strlcat(), que utiliza el tamaño del búfer de destino como tercer argumento en lugar de la longitud del búfer de origen. El resultado es que no se comprueba el tamaño del búfer asignado. Cámbielo a strlcat(). • https://git.kernel.org/stable/c/41003396f932d7f027725c7acebb6a7caa41dc3e https://git.kernel.org/stable/c/71c17ee02538802ceafc830f0736aa35b564e601 https://git.kernel.org/stable/c/5da3b6e7196f0b4f3728e4e25eb20233a9ddfaf6 https://git.kernel.org/stable/c/6aa7865ba7ff7f0ede0035180fb3b9400ceb405a https://git.kernel.org/stable/c/700cf4bead80fac994dcc43ae1ca5d86d8959b21 https://git.kernel.org/stable/c/9dbac9fdae6e3b411fc4c3fca3bf48f70609c398 https://git.kernel.org/stable/c/e1c86511241588efffaa49556196f09a498d5057 https://git.kernel.org/stable/c/426fae93c01dffa379225eb2bd4d3cdc4 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-805: Buffer Access with Incorrect Length Value •

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: block: add check that partition length needs to be aligned with block size Before calling add partition or resize partition, there is no check on whether the length is aligned with the logical block size. If the logical block size of the disk is larger than 512 bytes, then the partition size maybe not the multiple of the logical block size, and when the last sector is read, bio_truncate() will adjust the bio size, resulting in an IO error if the size of the read command is smaller than the logical block size.If integrity data is supported, this will also result in a null pointer dereference when calling bio_integrity_free. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: agregar verifique que la longitud de la partición debe estar alineada con el tamaño del bloque Antes de llamar a agregar partición o cambiar el tamaño de la partición, no se verifica si la longitud está alineada con el tamaño del bloque lógico. Si el tamaño del bloque lógico del disco es mayor que 512 bytes, entonces el tamaño de la partición tal vez no sea el múltiplo del tamaño del bloque lógico, y cuando se lea el último sector, bio_truncate() ajustará el tamaño de la biografía, lo que resultará en un error de E/S si el tamaño del comando de lectura es menor que el tamaño del bloque lógico. Si se admiten datos de integridad, esto también resultará en una desreferencia del puntero nulo al llamar a bio_integrity_free. A flaw was found in the Linux kernel's block subsystem, where a NULL pointer dereference occurs if partitions are created or resized with a size that is not a multiple of the logical block size. • https://git.kernel.org/stable/c/8f6dfa1f1efe6dcca2d43e575491d8fcbe922f62 https://git.kernel.org/stable/c/5010c27120962c85d2f421d2cf211791c9603503 https://git.kernel.org/stable/c/ef31cc87794731ffcb578a195a2c47d744e25fb8 https://git.kernel.org/stable/c/cb16cc1abda18a9514106d2ac8c8d7abc0be5ed8 https://git.kernel.org/stable/c/bcdc288e7bc008daf38ef0401b53e4a8bb61bbe5 https://git.kernel.org/stable/c/6f64f866aa1ae6975c95d805ed51d7e9433a0016 https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html https://access.redhat.com/security/cve/CVE-2023 • CWE-476: NULL Pointer Dereference •

CVSS: 9.3EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate mech token in session setup If client send invalid mech token in session setup request, ksmbd validate and make the error if it is invalid. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: validar el token mecánico en la configuración de la sesión Si el cliente envía un token mecánico no válido en la solicitud de configuración de la sesión, ksmbd valida y genera el error si no es válido. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability. However, only systems with ksmbd enabled are vulnerable. The specific flaw exists within the handling of SMB2 Mech Tokens. • https://git.kernel.org/stable/c/dd1de9268745f0eac83a430db7afc32cbd62e84b https://git.kernel.org/stable/c/6eb8015492bcc84e40646390e50a862b2c0529c9 https://git.kernel.org/stable/c/a2b21ef1ea4cf632d19b3a7cc4d4245b8e63202a https://git.kernel.org/stable/c/5e6dfec95833edc54c48605a98365a7325e5541e https://git.kernel.org/stable/c/92e470163d96df8db6c4fa0f484e4a229edb903d • CWE-125: Out-of-bounds Read •

CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer: pr_debug("Failed to hot-remove memory at %llx\n", lmb->base_addr); This was found by inspection and confirmed with KASAN: pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949 dump_stack_lvl+0xa4/0xfc (unreliable) print_report+0x214/0x63c kasan_report+0x140/0x2e0 __asan_load8+0xa8/0xe0 dlpar_memory+0x298/0x1658 handle_dlpar_errorlog+0x130/0x1d0 dlpar_store+0x18c/0x3e0 kobj_attr_store+0x68/0xa0 sysfs_kf_write+0xc4/0x110 kernfs_fop_write_iter+0x26c/0x390 vfs_write+0x2d4/0x4e0 ksys_write+0xac/0x1a0 system_call_exception+0x268/0x530 system_call_vectored_common+0x15c/0x2ec Allocated by task 1: kasan_save_stack+0x48/0x80 kasan_set_track+0x34/0x50 kasan_save_alloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 __kmalloc+0x8c/0x320 kmalloc_array.constprop.0+0x48/0x5c drmem_init+0x2a0/0x41c do_one_initcall+0xe0/0x5c0 kernel_init_freeable+0x4ec/0x5a0 kernel_init+0x30/0x1e0 ret_from_kernel_user_thread+0x14/0x1c The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0) ================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0 Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: powerpc/pseries/memhp: corrige el acceso más allá del final de la matriz drmem dlpar_memory_remove_by_index() puede acceder más allá de los límites de la matriz lmb drmem cuando la búsqueda de LMB no coincide con una entrada con el valor dado Índice de la República Democrática del Congo. Cuando la búsqueda falla, el cursor queda apuntando a &drmem_info->lmbs[drmem_info->n_lmbs], que es un elemento después de la última entrada válida en la matriz. • https://git.kernel.org/stable/c/51925fb3c5c901aa06cdc853268a6e19e19bcdc7 https://git.kernel.org/stable/c/bb79613a9a704469ddb8d6c6029d532a5cea384c https://git.kernel.org/stable/c/9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7 https://git.kernel.org/stable/c/b582aa1f66411d4adcc1aa55b8c575683fb4687e https://git.kernel.org/stable/c/999a27b3ce9a69d54ccd5db000ec3a447bc43e6d https://git.kernel.org/stable/c/026fd977dc50ff4a5e09bfb0603557f104d3f3a0 https://git.kernel.org/stable/c/df16afba2378d985359812c865a15c05c70a967e https://git.kernel.org/stable/c/708a4b59baad96c4718dc0bd3a3427d3a • CWE-125: Out-of-bounds Read CWE-129: Improper Validation of Array Index •