CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-52532 – net: mana: Fix TX CQE error handling
https://notcve.org/view.php?id=CVE-2023-52532
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging. • https://git.kernel.org/stable/c/ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004 https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80 https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52531 – wifi: iwlwifi: mvm: Fix a memory corruption issue
https://notcve.org/view.php?id=CVE-2023-52531
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the "(u8 *)" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected. • https://git.kernel.org/stable/c/8ca151b568b67a7b72dcfc6ee6ea7c107ddd795c https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0 https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128 https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d •
CVSS: 5.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-52530 – wifi: mac80211: fix potential key use-after-free
https://notcve.org/view.php?id=CVE-2023-52530
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add(). A use-after-free flaw was found in the Linux kernel’s IEEE 802.11 networking stack implementation functionality, used by Wifi, in how a user triggers the error path of the ieee80211_gtk_rekey_add function. This flaw allows a local user to crash the system. • https://git.kernel.org/stable/c/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e https://git.kernel.org/stable/c/ef810e7c3d2a8fb3bbd23726599c487c30ea747e https://git.kernel.org/stable/c/a0a8a11d1630cd648dc1ce86da620b4e240e0315 https://git.kernel.org/stable/c/6891c6fd2a500d1f39d1426765f610bdc2c2a39d https://git.kernel.org/stable/c/003aa22c9619b49efe950aca3aebd1235a04940d https://git.kernel.org/stable/c/6440f0ee8a1779f53526bccb9de00914daeb9094 https://git.kernel.org/stable/c/2586fa0007dc6b7745da14250be7e3aae706b128 https://git.kernel.org/stable/c/a9ab1b2e30e898440a22d7b1d7a5b0b7c • CWE-416: Use After Free •
CVSS: 6.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52529 – HID: sony: Fix a potential memory leak in sony_probe()
https://notcve.org/view.php?id=CVE-2023-52529
In the Linux kernel, the following vulnerability has been resolved: HID: sony: Fix a potential memory leak in sony_probe() If an error occurs after a successful usb_alloc_urb() call, usb_free_urb() should be called. • https://git.kernel.org/stable/c/fb1a79a6b6e1223ddb18f12aa35e36f832da2290 https://git.kernel.org/stable/c/44535bbc811f56c0e241832cc7dcfd3d42221524 https://git.kernel.org/stable/c/02f04a3c5d74bd8842ce1ad44a2304e5b62a238f https://git.kernel.org/stable/c/bb0707fde7492121917fd9ddb43829e96ec0bb9e https://git.kernel.org/stable/c/f237b17611fa3501f43f12d1cb64323e10fdcb4f https://git.kernel.org/stable/c/f566efa7de1e35e6523f4acbaf85068a540be07d https://git.kernel.org/stable/c/e1cd4004cde7c9b694bbdd8def0e02288ee58c74 https://access.redhat.com/security/cve/CVE-2023-52529 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52528 – net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
https://notcve.org/view.php?id=CVE-2023-52528
In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg syzbot reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x21c/0x280 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737 usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374 really_probe+0xf20/0x20b0 drivers/base/dd.c:529 driver_probe_device+0x293/0x390 drivers/base/dd.c:701 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032 usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241 usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272 really_probe+0xf20/0x20b0 drivers/base/dd.c:529 driver_probe_device+0x293/0x390 drivers/base/dd.c:701 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554 hub_port_connect drivers/usb/core/hub.c:5208 [inline] hub_port_connect_change drivers/usb/core/hub.c:5348 [inline] port_event drivers/usb/core/hub.c:5494 [inline] hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415 kthread+0x551/0x590 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Local variable ----buf.i87@smsc75xx_bind created at: __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 This issue is caused because usbnet_read_cmd() reads less bytes than requested (zero byte in the reproducer). In this case, 'buf' is not properly filled. This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads less bytes than requested. • https://git.kernel.org/stable/c/d0cad871703b898a442e4049c532ec39168e5b57 https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4 https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825 https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5 https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812 https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09 https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f21 • CWE-252: Unchecked Return Value •