CVE-2023-52475 – Input: powermate - fix use-after-free in powermate_config_complete
https://notcve.org/view.php?id=CVE-2023-52475
In the Linux kernel, the following vulnerability has been resolved: Input: powermate - fix use-after-free in powermate_config_complete syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug. Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Entrada: powermate - corrige el use-after-free en powermate_config_complete syzbot ha encontrado un error de use-after-free [1] en el controlador powermate. Esto sucede cuando el dispositivo está desconectado, lo que genera una memoria libre de la estructura powermate_device. • https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9 https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06 https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46 https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8 https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b1 • CWE-416: Use After Free •
CVE-2023-52474 – IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests
https://notcve.org/view.php?id=CVE-2023-52474
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a Here are the specific bugs: 1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len. Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iov_len and are thus not intended to be in the packet. 2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages. This has not been an issue with SDMA packets from hfi1 Verbs or PSM2 because they only produce iovecs that end short of PAGE_SIZE as the tail iovec of an SDMA request. Fixing these bugs exposes other bugs with the SDMA pin cache (struct mmu_rb_handler) that get in way of supporting user SDMA requests with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So this commit fixes those issues as well. Here are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec payload user SDMA requests can hit: 1. Overlapping memory ranges in mmu_rb_handler will result in duplicate pinnings. 2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node), the mmu_rb code (1) removes the existing entry under a lock, (2) releases that lock, pins the new pages, (3) then reacquires the lock to insert the extended mmu_rb_node. If someone else comes in and inserts an overlapping entry between (2) and (3), insert in (3) will fail. The failure path code in this case unpins _all_ pages in either the original mmu_rb_node or the new mmu_rb_node that was inserted between (2) and (3). 3. • https://git.kernel.org/stable/c/7724105686e718ac476a6ad3304fea2fbcfcffde https://git.kernel.org/stable/c/9c4c6512d7330b743c4ffd18bd999a86ca26db0d https://git.kernel.org/stable/c/a2bd706ab63509793b5cd5065e685b7ef5cba678 https://git.kernel.org/stable/c/dce59b5443700fbd0d2433ec6e4d4cf063448844 https://git.kernel.org/stable/c/c76cb8f4bdf26d04cfa5485a93ce297dba5e6a80 https://git.kernel.org/stable/c/7e6010f79b58f45b204cf18aa58f4b73c3f30adc https://git.kernel.org/stable/c/00cbce5cbf88459cd1aa1d60d0f1df15477df127 •
CVE-2024-26606 – binder: signal epoll threads of self-work
https://notcve.org/view.php?id=CVE-2024-26606
In the Linux kernel, the following vulnerability has been resolved: binder: signal epoll threads of self-work In (e)poll mode, threads often depend on I/O events to determine when data is ready for consumption. Within binder, a thread may initiate a command via BINDER_WRITE_READ without a read buffer and then make use of epoll_wait() or similar to consume any responses afterwards. It is then crucial that epoll threads are signaled via wakeup when they queue their own work. Otherwise, they risk waiting indefinitely for an event leaving their work unhandled. What is worse, subsequent commands won't trigger a wakeup either as the thread has pending work. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: carpeta: señal de epoll de subprocesos de autotrabajo En el modo (e)poll, los subprocesos a menudo dependen de eventos de E/S para determinar cuándo los datos están listos para el consumo. • https://git.kernel.org/stable/c/457b9a6f09f011ebcb9b52cc203a6331a6fc2de7 https://git.kernel.org/stable/c/dd64bb8329ce0ea27bc557e4160c2688835402ac https://git.kernel.org/stable/c/42beab162dcee1e691ee4934292d51581c29df61 https://git.kernel.org/stable/c/a423042052ec2bdbf1e552e621e6a768922363cc https://git.kernel.org/stable/c/82722b453dc2f967b172603e389ee7dc1b3137cc https://git.kernel.org/stable/c/90e09c016d72b91e76de25f71c7b93d94cc3c769 https://git.kernel.org/stable/c/a7ae586f6f6024f490b8546c8c84670f96bb9b68 https://git.kernel.org/stable/c/93b372c39c40cbf179e56621e6bc48240 •
CVE-2023-52470 – drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()
https://notcve.org/view.php?id=CVE-2023-52470
In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/radeon: verifique el valor de retorno de alloc_workqueue en radeon_crtc_init() verifique el valor de retorno de alloc_workqueue en radeon_crtc_init() para evitar null-ptr-deref. A NULL pointer dereference flaw was found in alloc_workqueue in the Linux Kernel. Check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref. • https://git.kernel.org/stable/c/fa7f517cb26eb1a1a1f0baffcced39f6c3ec3337 https://git.kernel.org/stable/c/21b1645660717d6126dd4866c850fcc5c4703a41 https://git.kernel.org/stable/c/5d12c5d75f7c78b83a738025947651ec5c95b4d4 https://git.kernel.org/stable/c/57ca7984806d79b38af528de88fd803babf27feb https://git.kernel.org/stable/c/14bbfaa5df273b26cde6707f6e655585700e6fe1 https://git.kernel.org/stable/c/c4ff55408187f2595066967047363ca84e76db85 https://git.kernel.org/stable/c/0b813a6a0087451cb702b6eb841f10856f49d088 https://git.kernel.org/stable/c/fb2d8bc9b5e55848b8a7c3c028e2ee8d4 • CWE-476: NULL Pointer Dereference •
CVE-2023-52469 – drivers/amd/pm: fix a use-after-free in kv_parse_power_table
https://notcve.org/view.php?id=CVE-2023-52469
In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/amd/pm: corrige un use-after-free en kv_parse_power_table Cuando ps asignado por kzalloc es igual a NULL, kv_parse_power_table libera adev->pm.dpm.ps que se asignó antes. Sin embargo, después de que el flujo de control pasa por las siguientes cadenas de llamadas: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini El adev->pm.dpm.ps se usa en el bucle for de kv_dpm_fini después de su primera liberación en kv_parse_power_table y provoca un error de use-after-free. A use-after-free flaw was found in kv_parse_power_table in drivers/amd/pm in the Linux kernel. • https://git.kernel.org/stable/c/a2e73f56fa6282481927ec43aa9362c03c2e2104 https://git.kernel.org/stable/c/8a27d9d9fc9b5564b8904c3a77a7dea482bfa34e https://git.kernel.org/stable/c/8b55b06e737feb2a645b0293ea27e38418876d63 https://git.kernel.org/stable/c/520e213a0b97b64735a13950e9371e0a5d7a5dc3 https://git.kernel.org/stable/c/b6dcba02ee178282e0d28684d241e0b8462dea6a https://git.kernel.org/stable/c/35fa2394d26e919f63600ce631e6aefc95ec2706 https://git.kernel.org/stable/c/95084632a65d5c0d682a83b55935560bdcd2a1e3 https://git.kernel.org/stable/c/3426f059eacc33ecc676b0d66539297e1 • CWE-416: Use After Free •