CVE-2021-47486 – riscv, bpf: Fix potential NULL dereference
https://notcve.org/view.php?id=CVE-2021-47486
In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Fix potential NULL dereference

The bpf_jit_binary_free() function requires a non-NULL argument. When the RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps, jit_data->header will be NULL, which triggers a NULL dereference. Avoid this by checking the argument prior to calling the function.

https://git.kernel.org/stable/c/ca6cb5447ceca6a87d6b62c9e5d41042c34f7ffa
https://git.kernel.org/stable/c/cac6b043cea3e120f4fccec16f7381747cbfdc0d
https://git.kernel.org/stable/c/e1b80a5ebe5431caeb20f88c32d4a024777a2d41
https://git.kernel.org/stable/c/27de809a3d83a6199664479ebb19712533d6fd9b

CWE-476: NULL Pointer Dereference
CVE-2021-47485 – IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
https://notcve.org/view.php?id=CVE-2021-47485
In the Linux kernel, the following vulnerability has been resolved: IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields

Overflowing either addrlimit or bytes_togo can allow userspace to trigger a buffer overflow of kernel memory. Check for overflows in all the places doing math on user controlled buffers.

https://git.kernel.org/stable/c/f931551bafe1f10ded7f5282e2aa162c267a2e5d
https://git.kernel.org/stable/c/bda41654b6e0c125a624ca35d6d20beb8015b5d0
https://git.kernel.org/stable/c/3f57c3f67fd93b4da86aeffea1ca32c484d054ad
https://git.kernel.org/stable/c/60833707b968d5ae02a75edb7886dcd4a957cf0d
https://git.kernel.org/stable/c/73d2892148aa4397a885b4f4afcfc5b27a325c42
https://git.kernel.org/stable/c/0f8cdfff06829a0b0348b6debc29ff6a61967724
https://git.kernel.org/stable/c/c3e17e58f571f34c51aeb17274ed02c2ed5cf780
https://git.kernel.org/stable/c/0d4395477741608d123dad51def9fe50b
CVE-2021-47484 – octeontx2-af: Fix possible null pointer dereference.
https://notcve.org/view.php?id=CVE-2021-47484
In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Fix possible null pointer dereference.

This patch fixes possible null pointer dereference in files "rvu_debugfs.c" and "rvu_nix.c".

https://git.kernel.org/stable/c/8756828a81485f7b28b588adbf0bac9bf6fc6651
https://git.kernel.org/stable/c/f1e3cd1cc80204fd02b9e9843450925a2af90dc0
https://git.kernel.org/stable/c/c2d4c543f74c90f883e8ec62a31973ae8807d354

CWE-476: NULL Pointer Dereference
CVE-2021-47483 – regmap: Fix possible double-free in regcache_rbtree_exit()
https://notcve.org/view.php?id=CVE-2021-47483
In the Linux kernel, the following vulnerability has been resolved: regmap: Fix possible double-free in regcache_rbtree_exit()

In regcache_rbtree_insert_to_block(), when the 'present' realloc fails, the 'blk' which is supposed to be assigned to 'rbnode->block' will be freed, so 'rbnode->block' points to freed memory. In the error handling path of regcache_rbtree_init(), 'rbnode->block' will be freed again in regcache_rbtree_exit(), and KASAN will report a double-free as follows:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
Call Trace:
 slab_free_freelist_hook+0x10d/0x240
 kfree+0xce/0x390
 regcache_rbtree_exit+0x15d/0x1a0
 regcache_rbtree_init+0x224/0x2c0
 regcache_init+0x88d/0x1310
 __regmap_init+0x3151/0x4a80
 __devm_regmap_init+0x7d/0x100
 madera_spi_probe+0x10f/0x333 [madera_spi]
 spi_probe+0x183/0x210
 really_probe+0x285/0xc30

To fix this, move the assignment of rbnode->block up to immediately after the reallocation has succeeded, so that the data structure stays valid even if the second reallocation fails.

https://git.kernel.org/stable/c/3f4ff561bc88b074d5e868dde4012d89cbb06c87
https://git.kernel.org/stable/c/e72dce9afbdbfa70d9b44f5908a50ff6c4858999
https://git.kernel.org/stable/c/fc081477b47dfc3a6cb50a96087fc29674013fc2
https://git.kernel.org/stable/c/758ced2c3878ff789801e6fee808e185c5cf08d6
https://git.kernel.org/stable/c/3dae1a4eced3ee733d7222e69b8a55caf2d61091
https://git.kernel.org/stable/c/1cead23c1c0bc766dacb900a3b0269f651ad596f
https://git.kernel.org/stable/c/36e911a16b377bde0ad91a8c679069d0d310b1a6
https://git.kernel.org/stable/c/50cc1462a668dc62949a1127388bc3af7
CVE-2021-47482 – net: batman-adv: fix error handling
https://notcve.org/view.php?id=CVE-2021-47482
In the Linux kernel, the following vulnerability has been resolved: net: batman-adv: fix error handling

Syzbot reported an ODEBUG warning in batadv_nc_mesh_free(). The problem was in wrong error handling in batadv_mesh_init(). Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case of any batadv_*_init() call failure. This approach may work well when there is some kind of indicator which can tell which parts of batadv are initialized; but there isn't any. All written above leads to cleaning up uninitialized fields. Even if we hide the ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit a GPF in batadv_nc_purge_paths(), because the hash pointer is still NULL. [1]

To fix these bugs we can unwind batadv_*_init() calls one by one. It is a good approach for 2 reasons:
1) It fixes bugs on the error handling path
2) It improves the performance, since we won't call unneeded batadv_*_free() functions.

So, this patch makes all batadv_*_init() clean up all allocated memory before returning with an error, so that no corresponding batadv_*_free() needs to be called, and open-codes batadv_mesh_free() with proper order to avoid touching uninitialized fields.

https://git.kernel.org/stable/c/c6c8fea29769d998d94fcec9b9f14d4b52b349d3
https://git.kernel.org/stable/c/0c6b199f09be489c48622537a550787fc80aea73
https://git.kernel.org/stable/c/07533f1a673ce1126d0a72ef1e4b5eaaa3dd6d20
https://git.kernel.org/stable/c/e50f957652190b5a88a8ebce7e5ab14ebd0d3f00
https://git.kernel.org/stable/c/fbf150b16a3635634b7dfb7f229d8fcd643c6c51
https://git.kernel.org/stable/c/6422e8471890273994fe8cc6d452b0dcd2c9483e
https://git.kernel.org/stable/c/b0a2cd38553c77928ef1646ed1518486b1e70ae8
https://git.kernel.org/stable/c/a8f7359259dd5923adc6129284fdad12f

CWE-544: Missing Standardized Error Handling Mechanism