CVE-2021-46956 – virtiofs: fix memory leak in virtio_fs_probe()
https://notcve.org/view.php?id=CVE-2021-46956
In the Linux kernel, the following vulnerability has been resolved: virtiofs: fix memory leak in virtio_fs_probe() When accidentally passing twice the same tag to qemu, kmemleak ended up reporting a memory leak in virtiofs. Also, looking at the log I saw the following error (that's when I realised the duplicated tag): virtiofs: probe of virtio5 failed with error -17 Here's the kmemleak log for reference: unreferenced object 0xffff888103d47800 (size 1024): comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................ backtrace: [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs] [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210 [<000000004d6baf3c>] really_probe+0xea/0x430 [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0 [<00000000196f47a7>] __driver_attach+0x98/0x140 [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0 [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0 [<0000000032b09ba7>] driver_register+0x8f/0xe0 [<00000000cdd55998>] 0xffffffffa002c013 [<000000000ea196a2>] do_one_initcall+0x64/0x2e0 [<0000000008f727ce>] do_init_module+0x5c/0x260 [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120 [<00000000ad2f48c6>] do_syscall_64+0x33/0x40 [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: virtiofs: corrige pérdida de memoria en virtio_fs_probe() Al pasar accidentalmente dos veces la misma etiqueta a qemu, kmemleak terminó reportando una pérdida de memoria en virtiofs. Además, mirando el registro vi el siguiente error (fue entonces cuando me di cuenta de la etiqueta duplicada): virtiofs: la sonda de virtio5 falló con el error -17 Aquí está el registro kmemleak como referencia: objeto sin referencia 0xffff888103d47800 (tamaño 1024): comm "systemd- udevd", pid 118, jiffies 4294893780 (edad 18.340 s) volcado hexadecimal (primeros 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 ......N....... ... ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................ rastreo: [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs] [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210 [<000000004d6baf3c>] very_probe+0xea/0x430 [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0 [<00000000196f47a7 >] __driver_attach+0x98/0x140 [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0 [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0 [<0000000032b09ba7>] driver_register+0x8f/0xe0 [<00000000cdd55998>] 0xffffffffa002c013 [<000000000ea196a2> ] do_one_initcall+0x64/0x2e0 [<0000000008f727ce>] do_init_module+0x5c/0x260 [<000000003cdedab6> ] __do_sys_finit_module+0xb5/0x120 [<00000000ad2f48c6>] do_syscall_64+0x33/0x40 [<00000000809526b5>] Entry_SYSCALL_64_after_hwframe+0x44/0xae • https://git.kernel.org/stable/c/a62a8ef9d97da23762a588592c8b8eb50a8deb6a https://git.kernel.org/stable/c/310efc95c72c13faf855c692d19cd4d054d827c8 https://git.kernel.org/stable/c/d19555ff225d0896a33246a49279e6d578095f15 https://git.kernel.org/stable/c/9b9d60c0eb8ada99cce2a9ab5c15dffc523b01ae https://git.kernel.org/stable/c/5116e79fc6e6725b8acdad8b7e928a83ab7b47e6 https://git.kernel.org/stable/c/c79c5e0178922a9e092ec8fed026750f39dcaef4 •
CVE-2021-46955 – openvswitch: fix stack OOB read while fragmenting IPv4 packets
https://notcve.org/view.php?id=CVE-2021-46955
In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch] this frame has 2 objects: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: openvswitch: corrige la lectura OOB de la pila al fragmentar paquetes IPv4 al ejecutar openvswitch en kernels creados con KASAN, es posible ver el siguiente símbolo al probar la fragmentación de paquetes IPv4: ERROR: KASAN: stack- fuera de los límites en ip_do_fragment+0x1b03/0x1f60 Lectura de tamaño 1 en la dirección ffff888112fc713c por task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Nombre de hardware: Red Hat KVM, BIOS 1.11 .1-4.module+el8.1.0+4066+0f1aadab 01/04/2014 Seguimiento de llamadas: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_do it.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/ 0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sy s_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033: 0x7f957079db07 Código: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RB X: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 00000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 00000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 La dirección del error pertenece a la página: página:00000000af2a1d93 refcount:0 mapcount:0 mapeo:00000000000000000 index:0x0 pfn: 0x112fc7 banderas: 0x17ffffc0000000() sin formato: 0017ffffc0000000 0000000000000000 muerto000000000122 00000000000000000 sin formato: 0000000000000000 000000000000 0000 00000000ffffffff 0000000000000000 página volcada porque: kasan: mal acceso detectado addr ffff888112fc713c está ubicado en la pila del controlador de tareas 2/1367 en el desplazamiento 180 en el framework: ovs_fragment+0x0/0x840 [ openvswitch] este framework tiene 2 objetos: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Estado de la memoria alrededor de la dirección del error: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88811 2fc7080 : 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 para paquetes IPv4, ovs_fragment() utiliza una estructura temporal dst_entry. Luego, en el siguiente gráfico de llamadas: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() el puntero a struct dst_entry se usa como puntero a struct rtable: esto convierte el acceso a miembros de estructura como rt_mtu_locked en una lectura OOB en la pila. • https://git.kernel.org/stable/c/119bbaa6795a4f4aed46994cc7d9ab01989c87e3 https://git.kernel.org/stable/c/d543907a4730400f5c5b684c57cb5bbbfd6136ab https://git.kernel.org/stable/c/8387fbac8e18e26a60559adc63e0b7067303b0a4 https://git.kernel.org/stable/c/d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 https://git.kernel.org/stable/c/df9ece1148e2ec242871623dedb004f7a1387125 https://git.kernel.org/stable/c/b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f https://git.kernel.org/stable/c/23e17ec1a5eb53fe39cc34fa5592686d5acd0dac https://git.kernel.org/stable/c/5a52fa8ad45b5a593ed416adf32653863 •
CVE-2021-46953 – ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure
https://notcve.org/view.php?id=CVE-2021-46953
In the Linux kernel, the following vulnerability has been resolved: ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure When failing the driver probe because of invalid firmware properties, the GTDT driver unmaps the interrupt that it mapped earlier. However, it never checks whether the mapping of the interrupt actially succeeded. Even more, should the firmware report an illegal interrupt number that overlaps with the GIC SGI range, this can result in an IPI being unmapped, and subsequent fireworks (as reported by Dann Frazier). Rework the driver to have a slightly saner behaviour and actually check whether the interrupt has been mapped before unmapping things. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ACPI: GTDT: no corrompe las asignaciones de interrupciones en caso de falla de la sonda de vigilancia. Cuando falla la sonda del controlador debido a propiedades de firmware no válidas, el controlador GTDT desasigna la interrupción que asignó anteriormente. Sin embargo, nunca comprueba si el mapeo de la interrupción realmente tuvo éxito. • https://git.kernel.org/stable/c/ca9ae5ec4ef0ed13833b03297ab319676965492c https://git.kernel.org/stable/c/c3385a9122f8db15b453e07bfc88117fce7f3724 https://git.kernel.org/stable/c/7b2162db1498c71962a4bb2f776fa4e76d4d305b https://git.kernel.org/stable/c/504632a3577a049dd9bb7aabae5b4476f9c586b4 https://git.kernel.org/stable/c/e0f2d86481eaa83df33b0793f75212919db7a19d https://git.kernel.org/stable/c/42e69521ee1fa5abf21f478d147d06bbfe6bf6a8 https://git.kernel.org/stable/c/596e079c362ac17ed02aa1b99fdc444d62072a01 https://git.kernel.org/stable/c/1ecd5b129252249b9bc03d7645a7bda51 •
CVE-2021-46952 – NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds
https://notcve.org/view.php?id=CVE-2021-46952
In the Linux kernel, the following vulnerability has been resolved: NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused by a garbage timeout (retrans) mount option being passed to nfs mount, in this case from syzkaller. If the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift value for a 64-bit long integer, so 'retrans' cannot be >= 64. If it is >= 64, fail the mount and return an error. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFS: fs_context: valida las retransmisiones UDP para evitar cambios fuera de los límites. Corrige cambios fuera de los límites en xprt_calc_majortimeo(). Esto se debe a que se pasa una opción de montaje de tiempo de espera de basura (retransmisión) al montaje nfs, en este caso desde syzkaller. • https://git.kernel.org/stable/c/9954bf92c0cddd50a2a470be302e1c1ffdf21d42 https://git.kernel.org/stable/c/96fa26b74cdcf9f5c98996bf36bec9fb5b19ffe2 https://git.kernel.org/stable/c/2f3380121d49e829fb73ba86240c181bc32ad897 https://git.kernel.org/stable/c/3d0163821c035040a46d816a42c0780f0f0a30a8 https://git.kernel.org/stable/c/c09f11ef35955785f92369e25819bf0629df2e59 • CWE-125: Out-of-bounds Read •
CVE-2021-46951 – tpm: efi: Use local variable for calculating final log size
https://notcve.org/view.php?id=CVE-2021-46951
In the Linux kernel, the following vulnerability has been resolved: tpm: efi: Use local variable for calculating final log size When tpm_read_log_efi is called multiple times, which happens when one loads and unloads a TPM2 driver multiple times, then the global variable efi_tpm_final_log_size will at some point become a negative number due to the subtraction of final_events_preboot_size occurring each time. Use a local variable to avoid this integer underflow. The following issue is now resolved: Mar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Mar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy] Mar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20 Mar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 Mar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206 Mar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f Mar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d Mar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073 Mar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5 Mar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018 Mar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000 Mar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Mar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0 Mar 8 15:35:12 hibinst kernel: Call Trace: Mar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7 Mar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0 Mar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260 Mar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy] Mar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370 Mar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0 Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tpm: efi: use la variable local para calcular el tamaño del registro final Cuando se llama a tpm_read_log_efi varias veces, lo que sucede cuando uno carga y descarga un controlador TPM2 varias veces, entonces la variable global efi_tpm_final_log_size en algún momento se convierte en un número negativo debido a la resta de final_events_preboot_size que ocurre cada vez. Utilice una variable local para evitar este desbordamiento de enteros. El siguiente problema ahora está resuelto: 8 de marzo 15:35:12 kernel hibinst: Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 0.0.0 06/02/2015 8 de marzo 15:35:12 kernel hibinst: Cola de trabajo: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy] 8 de marzo 15:35:12 kernel de hibinst: RIP: 0010:__memcpy+0x12/0x20 8 de marzo 15:35:12 kernel de hibinst: Código: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 8 de marzo 15:35:12 kernel de hibinst: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206 8 de marzo 15:35:12 kernel de hibinst: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ff ffffffffffe0f 8 de marzo 15:35:12 kernel de hibinst: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d 8 de marzo 15:35:12 kernel de hibinst: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000 000007e9d6073 8 de marzo 15:35:12 kernel hibinst: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5 8 de marzo 15:35:12 kernel de hibinst: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018 8 de marzo 15:35:12 kernel de hibinst: FS: 0000000000000000(0000) GS:ffff8 8f87bd00000(0000) knlGS:0000000000000000 8 de marzo a las 15:35: 12 kernel de hibinst: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 8 de marzo 15:35:12 kernel de hibinst: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0 8 de marzo 15:35:12 kernel de hibinst: Seguimiento de llamadas: 8 de marzo 15:35:12 Hibinst Kernel: tpm_read_log_efi+0x152/0x1a7 mar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0 mar 8 15:35:12 hibinst kernel: tpm_chip_register kernel de hibinst: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy] 8 de marzo 15:35:12 kernel de hibinst: Process_one_work+0x1b4/0x370 8 de marzo 15:35:12 kernel de hibinst: work_thread+0x53/0x3e0 8 de marzo 15:35:12 kernel de hibinst : ? • https://git.kernel.org/stable/c/166a2809d65b282272c474835ec22c882a39ca1b https://git.kernel.org/stable/c/2f12258b5224cfaa808c54fd29345f3c1cbfca76 https://git.kernel.org/stable/c/60a01ecc9f68067e4314a0b55148e39e5d58a51b https://git.kernel.org/stable/c/3818b753277f5ca0c170bf5b98e0a5a225542fcb https://git.kernel.org/stable/c/ac07c557ca12ec9276c0375517bac7ae5be4e50c https://git.kernel.org/stable/c/48cff270b037022e37835d93361646205ca25101 • CWE-191: Integer Underflow (Wrap or Wraparound) •