Page 400 of 5580 results (0.074 seconds)

CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net/smc: Fix possible access to freed memory in link clear After modifying the QP to the Error state, all RX WR would be completed with WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not wait for it is done, but destroy the QP and free the link group directly. So there is a risk that accessing the freed memory in tasklet context. Here is a crash example: BUG: unable to handle page fault for address: ffffffff8f220860 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060 Oops: 0002 [#1] SMP PTI CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23 Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018 RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0 Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32 RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086 RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000 RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00 RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010 R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040 FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> _raw_spin_lock_irqsave+0x30/0x40 mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib] smc_wr_rx_tasklet_fn+0x56/0xa0 [smc] tasklet_action_common.isra.21+0x66/0x100 __do_softirq+0xd5/0x29c asm_call_irq_on_stack+0x12/0x20 </IRQ> do_softirq_own_stack+0x37/0x40 irq_exit_rcu+0x9d/0xa0 sysvec_call_function_single+0x34/0x80 asm_sysvec_call_function_single+0x12/0x20 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/smc: corrige el posible acceso a la memoria liberada al borrar el enlace. Después de modificar el QP al estado de Error, todos los RX WR se completarían con WC en estado IB_WC_WR_FLUSH_ERR. La implementación actual no espera a que esté terminada, sino que destruye el QP y libera el grupo de enlaces directamente. Por lo tanto, existe el riesgo de acceder a la memoria liberada en el contexto del tasklet. • https://git.kernel.org/stable/c/bd4ad57718cc86d2972a20f9791cd079996a4dd6 https://git.kernel.org/stable/c/89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde https://git.kernel.org/stable/c/e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968 • CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: of: fdt: fix off-by-one error in unflatten_dt_nodes() Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: de: fdt: corrige el error uno por uno en unflatten_dt_nodes() Commit 78c44d910d3e ("drivers/of: corrige la profundidad al desacoplar el árbol de dispositivos") olvidó arreglar la comprobación de profundidad el cuerpo del bucle en unflatten_dt_nodes() que permite desbordar el búfer nps[]... Encontrado por el Centro de verificación de Linux (linuxtesting.org) con la herramienta de análisis estático SVACE. • https://git.kernel.org/stable/c/78c44d910d3e5f96dc6b3695fc1e4efd7c46a455 https://git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853 https://git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0 https://git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf https://git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c https://git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7 https://git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e https://git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf • CWE-193: Off-by-one Error •

CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() syzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at cpuset_attach() [1], for commit 4f7e7236435ca0ab ("cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock") missed that cpuset_attach() is also called from cgroup_attach_task_all(). Add cpus_read_lock() like what cgroup_procs_write_start() does. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cgroup: agregue cpus_read_lock() faltante a cgroup_attach_task_all() syzbot está presionando la advertencia percpu_rwsem_assert_held(&amp;cpu_hotplug_lock) en cpuset_attach() [1], para el commit 4f7e7236435ca0ab ("cgroup: Fix threadgroup_rwsem &lt;- &gt; cpus_read_lock() deadlock") se perdió que cpuset_attach() también se llama desde cgroup_attach_task_all(). Agregue cpus_read_lock() como lo hace cgroup_procs_write_start(). • https://git.kernel.org/stable/c/59c6902a96b4439e07c25ef86a4593bea5481c3b https://git.kernel.org/stable/c/dee1e2b18cf5426eed985512ccc6636ec69dbdd6 https://git.kernel.org/stable/c/3bf4bf54069f9b62a54988e5d085023c17a66c90 https://git.kernel.org/stable/c/c0deb027c99c099aa6b831e326bfba802b25e774 https://git.kernel.org/stable/c/07191f984842d50020789ff14c75da436a7f46a9 https://git.kernel.org/stable/c/9f267393b036f1470fb12fb892d59e7ff8aeb58d https://git.kernel.org/stable/c/5db17805b6ba4c34dab303f49aea3562fc25af75 https://git.kernel.org/stable/c/99bc25748e394d17f9e8b10cc7f273b8e • CWE-667: Improper Locking •

CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: peci: cpu: Fix use-after-free in adev_release() When auxiliary_device_add() returns an error, auxiliary_device_uninit() is called, which causes refcount for device to be decremented and .release callback will be triggered. Because adev_release() re-calls auxiliary_device_uninit(), it will cause use-after-free: [ 1269.455172] WARNING: CPU: 0 PID: 14267 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15 [ 1269.464007] refcount_t: underflow; use-after-free. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: peci: cpu: corrige use-after-free en adev_release() Cuando auxiliar_device_add() devuelve un error, se llama a auxiliar_device_uninit(), lo que hace que se disminuya el recuento del dispositivo y . Se activará la devolución de llamada de liberación. Debido a que adev_release() vuelve a llamar a auxiliar_device_uninit(), provocará use-after-free: [1269.455172] ADVERTENCIA: CPU: 0 PID: 14267 en lib/refcount.c:28 refcount_warn_saturate+0x110/0x15 [1269.464007] refcount_t: underflow ; use-after-free. • https://git.kernel.org/stable/c/c87f1f99e26ea4ae08cabe753ae98e5626bdba89 https://git.kernel.org/stable/c/1c11289b34ab67ed080bbe0f1855c4938362d9cf • CWE-416: Use After Free •

CVSS: -EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: remove one synchronize_net() barrier in ipv6_mc_down() As discussed in the past (commit 2d3916f31891 ("ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report()")) I think the synchronize_net() call in ipv6_mc_down() is not needed. Under load, synchronize_net() can last between 200 usec and 5 ms. KASAN seems to agree as well. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ipv6: mcast: elimina una barrera de sincronización_net() en ipv6_mc_down() Como se discutió en el pasado (commit 2d3916f31891 ("ipv6: corrige caídas de skb en igmp6_event_query() e igmp6_event_report()" )) Creo que la llamada sincronizar_net() en ipv6_mc_down() no es necesaria. Bajo carga, sincronizar_net() puede durar entre 200 usos y 5 ms. KASAN parece estar de acuerdo también. • https://git.kernel.org/stable/c/f185de28d9ae6c978135993769352e523ee8df06 https://git.kernel.org/stable/c/9d159d6637ccce25f879d662a480541ef4ba3a50 https://git.kernel.org/stable/c/a03ede2282ebbd181bd6f5c38cbfcb5765afcd04 https://git.kernel.org/stable/c/26d4bac55750d535f1f0b8790dc26daf6089e373 https://git.kernel.org/stable/c/7eb06ee5921189812e6b4bfe7b0f1e878be16df7 https://git.kernel.org/stable/c/5da9a218340a2bc804dc4327e5804392e24a0b88 https://git.kernel.org/stable/c/17ef8efc00b34918b966388b2af0993811895a8c •