CVE-2021-47100 – ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
https://notcve.org/view.php?id=CVE-2021-47100
In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Hi, When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko, the system crashed. The log as follows: [ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a [ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0 [ 141.087464] Oops: 0010 [#1] SMP NOPTI [ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47 [ 141.088009] Workqueue: events 0xffffffffc09b3a40 [ 141.088009] RIP: 0010:0xffffffffc09b3a5a [ 141.088009] Code: Bad RIP value. [ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246 [ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000 [ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1 [ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700 [ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8 [ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000 [ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0 [ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 141.088009] PKRU: 55555554 [ 141.088009] Call Trace: [ 141.088009] ? process_one_work+0x195/0x390 [ 141.088009] ? worker_thread+0x30/0x390 [ 141.088009] ? process_one_work+0x390/0x390 [ 141.088009] ? kthread+0x10d/0x130 [ 141.088009] ? • https://git.kernel.org/stable/c/b2cfd8ab4add53c2070367bfee2f5b738f51698d https://git.kernel.org/stable/c/925229d552724e1bba1abf01d3a0b1318539b012 https://git.kernel.org/stable/c/992649b8b16843d27eb39ceea5f9cf85ffb50a18 https://git.kernel.org/stable/c/6809da5185141e61401da5b01896b79a4deed1ad https://git.kernel.org/stable/c/6b3f7e4b10f343f05b5fb513b07a9168fbf1172e https://git.kernel.org/stable/c/ffb76a86f8096a8206be03b14adda6092e18e275 •
CVE-2021-47099 – veth: ensure skb entering GRO are not cloned.
https://notcve.org/view.php?id=CVE-2021-47099
In the Linux kernel, the following vulnerability has been resolved: veth: ensure skb entering GRO are not cloned. After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"), if GRO is enabled on a veth device and TSO is disabled on the peer device, TCP skbs will go through the NAPI callback. If there is no XDP program attached, the veth code does not perform any share check, and shared/cloned skbs could enter the GRO engine. Ignat reported a BUG triggered later-on due to the above condition: [ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574! [ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25 [ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 [ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0 [ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f 85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89 f7 4c 89 8c [ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246 [ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000 [ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2 [ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0 [ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590 [ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0 [ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000 [ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0 [ 53.982634][ C1] Call Trace: [ 53.982634][ C1] <TASK> [ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0 [ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460 [ 53.982634][ C1] tcp_ack+0x2666/0x54b0 [ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0 [ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810 [ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0 [ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0 [ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0 [ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440 [ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660 [ 53.982634][ C1] ip_list_rcv+0x2c8/0x410 [ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910 [ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0 [ 53.982634][ C1] napi_complete_done+0x188/0x6e0 [ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0 [ 53.982634][ C1] __napi_poll+0xa1/0x530 [ 53.982634][ C1] net_rx_action+0x567/0x1270 [ 53.982634][ C1] __do_softirq+0x28a/0x9ba [ 53.982634][ C1] run_ksoftirqd+0x32/0x60 [ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0 [ 53.982634][ C1] kthread+0x3b9/0x490 [ 53.982634][ C1] ret_from_fork+0x22/0x30 [ 53.982634][ C1] </TASK> Address the issue by skipping the GRO stage for shared or cloned skbs. To reduce the chance of OoO, try to unclone the skbs before giving up. v1 -> v2: - use avoid skb_copy and fallback to netif_receive_skb - Eric En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: veth: asegúrese de que los skb que ingresan a GRO no estén clonados. Después de confirmar d3256efd8e8b ("veth: permitir habilitar NAPI incluso sin XDP"), si GRO está habilitado en un dispositivo veth y TSO está deshabilitado en el dispositivo par, los skbs TCP pasarán por la devolución de llamada de NAPI. Si no hay ningún programa XDP adjunto, el código veth no realiza ninguna verificación compartida y los skbs compartidos/clonados podrían ingresar al motor GRO. • https://git.kernel.org/stable/c/d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c https://git.kernel.org/stable/c/d2269ae48598e05b59ec9ea9e6e44fd33941130d https://git.kernel.org/stable/c/9695b7de5b4760ed22132aca919570c0190cb0ce https://access.redhat.com/security/cve/CVE-2021-47099 https://bugzilla.redhat.com/show_bug.cgi?id=2267919 • CWE-20: Improper Input Validation •
CVE-2021-47098 – hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations
https://notcve.org/view.php?id=CVE-2021-47098
In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Commit b50aa49638c7 ("hwmon: (lm90) Prevent integer underflows of temperature calculations") addressed a number of underflow situations when writing temperature limits. However, it missed one situation, seen when an attempt is made to set the hysteresis value to MAX_LONG and the critical temperature limit is negative. Use clamp_val() when setting the hysteresis temperature to ensure that the provided value can never overflow or underflow. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hwmon: (lm90) Previene el desbordamiento/desbordamiento insuficiente de enteros en los cálculos de histéresis del commit b50aa49638c7 ("hwmon: (lm90) Evita el desbordamiento insuficiente de enteros en los cálculos de temperatura") abordó una serie de situaciones de desbordamiento insuficiente al escribir. límites de temperatura. Sin embargo, omitió una situación, vista cuando se intenta establecer el valor de histéresis en MAX_LONG y el límite de temperatura crítica es negativo. Utilice abrazadera_val() al configurar la temperatura de histéresis para garantizar que el valor proporcionado nunca pueda desbordarse o subestimarse. • https://git.kernel.org/stable/c/b50aa49638c7e12abf4ecc483f4e928c5cccc1b0 https://git.kernel.org/stable/c/d105f30bea9104c590a9e5b495cb8a49bdfe405f https://git.kernel.org/stable/c/55840b9eae5367b5d5b29619dc2fb7e4596dba46 https://access.redhat.com/security/cve/CVE-2021-47098 https://bugzilla.redhat.com/show_bug.cgi?id=2267920 • CWE-190: Integer Overflow or Wraparound •
CVE-2021-47097 – Input: elantech - fix stack out of bound access in elantech_change_report_id()
https://notcve.org/view.php?id=CVE-2021-47097
In the Linux kernel, the following vulnerability has been resolved: Input: elantech - fix stack out of bound access in elantech_change_report_id() The array param[] in elantech_change_report_id() must be at least 3 bytes, because elantech_read_reg_params() is calling ps2_command() with PSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but it's defined in the stack as an array of 2 bytes, therefore we have a potential stack out-of-bounds access here, also confirmed by KASAN: [ 6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0 [ 6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118 [ 6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110 [ 6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020 [ 6.512436] Workqueue: events_long serio_handle_event [ 6.512453] Call Trace: [ 6.512462] show_stack+0x52/0x58 [ 6.512474] dump_stack+0xa1/0xd3 [ 6.512487] print_address_description.constprop.0+0x1d/0x140 [ 6.512502] ? __ps2_command+0x372/0x7e0 [ 6.512516] __kasan_report.cold+0x7d/0x112 [ 6.512527] ? _raw_write_lock_irq+0x20/0xd0 [ 6.512539] ? __ps2_command+0x372/0x7e0 [ 6.512552] kasan_report+0x3c/0x50 [ 6.512564] __asan_load1+0x6a/0x70 [ 6.512575] __ps2_command+0x372/0x7e0 [ 6.512589] ? ps2_drain+0x240/0x240 [ 6.512601] ? • https://git.kernel.org/stable/c/9e4815cf178561104881e5d687ef69396aca1c8d https://git.kernel.org/stable/c/dde807b4a44273fa5f62c0cb308295e6d6642550 https://git.kernel.org/stable/c/e4c9062717feda88900b566463228d1c4910af6d https://git.kernel.org/stable/c/a7f95328c6f0afffdc4555f16e3bbab8bbf0d9be https://git.kernel.org/stable/c/676c572439e58b7ee6b7ca3f1e5595382921045c https://git.kernel.org/stable/c/dfd5b60b5342b6b505a104e48f08ad9b9bdbbd7b https://git.kernel.org/stable/c/1d72d9f960ccf1052a0630a68c3d358791dbdaaa https://access.redhat.com/security/cve/CVE-2021-47097 • CWE-125: Out-of-bounds Read •
CVE-2021-47096 – ALSA: rawmidi - fix the uninitalized user_pversion
https://notcve.org/view.php?id=CVE-2021-47096
In the Linux kernel, the following vulnerability has been resolved: ALSA: rawmidi - fix the uninitalized user_pversion The user_pversion was uninitialized for the user space file structure in the open function, because the file private structure use kmalloc for the allocation. The kernel ALSA sequencer code clears the file structure, so no additional fixes are required. BugLink: https://github.com/alsa-project/alsa-lib/issues/178 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ALSA: rawmidi: corrige la user_pversion no inicializada. La user_pversion no se inicializó para la estructura de archivos del espacio de usuario en la función abierta, porque la estructura privada del archivo usa kmalloc para la asignación. El código del secuenciador ALSA del kernel borra la estructura del archivo, por lo que no se requieren correcciones adicionales. Enlace de error: https://github.com/alsa-project/alsa-lib/issues/178 • https://git.kernel.org/stable/c/09d23174402da0f10e98da2c61bb5ac8e7d79fdd https://git.kernel.org/stable/c/12d50801497235956fb3760be8530f4e44e4ce67 https://git.kernel.org/stable/c/b398fcbe4de1e1100867fdb6f447c6fbc8fe7085 https://git.kernel.org/stable/c/39a8fc4971a00d22536aeb7d446ee4a97810611b •