
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: xen-netback: take a reference to the RX task thread. Do this in order to prevent the task from being freed if the thread returns (which can be triggered by the frontend) before the call to kthread_stop done as part of the backend tear down. Not taking the reference will lead to a use-after-free in that scenario. Such a reference was taken before but dropped as part of the rework done in 2ac061ce97f4. Reintroduce the reference taking and add a comment this time explaining why it's needed. This is XSA-374 / CVE-2021-28691.

References:
https://git.kernel.org/stable/c/2ac061ce97f413bfbbdd768f7d2e0fda2e8170df
https://git.kernel.org/stable/c/6b53db8c4c14b4e7256f058d202908b54a7b85b4
https://git.kernel.org/stable/c/caec9bcaeb1a5f03f2d406305355c853af10c13e
https://git.kernel.org/stable/c/107866a8eb0b664675a260f1ba0655010fac1e08

CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown. Currently, we disable kvmclock from the machine_shutdown() hook and this only happens for the boot CPU. We need to disable it for all CPUs to guard against memory corruption, e.g. on restore from hibernate. Note, writing '0' to the kvmclock MSR doesn't clear the memory location, it just prevents the hypervisor from updating the location, so for the short while after the write and while the CPU is still alive, the clock remains usable and correct, so we don't need to switch to some other clocksource.

References:
https://git.kernel.org/stable/c/9084fe1b3572664ad276f427dce575f580c9799a
https://git.kernel.org/stable/c/3b0becf8b1ecf642a9edaf4c9628ffc641e490d6
https://git.kernel.org/stable/c/1df2dc09926f61319116c80ee85701df33577d70
https://git.kernel.org/stable/c/c02027b5742b5aa804ef08a4a9db433295533046

CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: neighbour: allow NUD_NOARP entries to be forced GCed. IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to fill up the neighbour table with enough entries that it will overflow for valid connections after that. This behaviour is more prevalent after commit 58956317c8de ("neighbor: Improve garbage collection") is applied, as it prevents removal of entries that are not NUD_FAILED, unless they are more than 5s old.

References:
https://git.kernel.org/stable/c/58956317c8de52009d1a38a721474c24aef74fe7
https://git.kernel.org/stable/c/d99029e6aab62aef0a0251588b2867e77e83b137
https://git.kernel.org/stable/c/d17d47da59f726dc4c87caebda3a50333d7e2fd3
https://git.kernel.org/stable/c/ddf088d7aaaaacfc836104f2e632b29b1d383cfc
https://git.kernel.org/stable/c/7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f

CVSS: 5.5 | EPSS: 0% | CPEs: 13 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER. The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep.

First: harmful. As is documented in the kdoc comment for nfsd4_release_lockowner(), the test on so_count can transiently return a false positive resulting in a return of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is clearly a protocol violation and with the Linux NFS client it can cause incorrect behaviour. If RELEASE_LOCKOWNER is sent while some other thread is still processing a LOCK request which failed because, at the time that request was received, the given owner held a conflicting lock, then the nfsd thread processing that LOCK request can hold a reference (conflock) to the lock owner that causes nfsd4_release_lockowner() to return an incorrect error. The Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it never sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so it knows that the error is impossible. It assumes the lock owner was in fact released so it feels free to use the same lock owner identifier in some later locking request. When it does reuse a lock owner identifier for which a previous RELEASE failed, it will naturally use a lock_seqid of zero. However the server, which didn't release the lock owner, will expect a larger lock_seqid and so will respond with NFS4ERR_BAD_SEQID. So clearly it is harmful to allow a false positive, which testing so_count allows.

The test is nonsense because ... well... it doesn't mean anything. so_count is the sum of three different counts:
1/ the set of states listed on so_stateids
2/ the set of active vfs locks owned by any of those states
3/ various transient counts such as for conflicting locks.
When it is tested against '2' it is clear that one of these is the transient reference obtained by find_lockowner_str_locked().

References:
https://git.kernel.org/stable/c/3097f38e91266c7132c3fdb7e778fac858c00670
https://git.kernel.org/stable/c/e2fc17fcc503cfca57b5d1dd3b646ca7eebead97
https://git.kernel.org/stable/c/ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b
https://git.kernel.org/stable/c/fea1d0940301378206955264a01778700fc9c16f
https://git.kernel.org/stable/c/2ec65dc6635d1976bd1dbf2640ff7f810b2f6dd1
https://git.kernel.org/stable/c/ef481b262bba4f454351eec43f024fec942c2d4c
https://git.kernel.org/stable/c/10d75984495f7fe62152c3b0dbfa3f0a6b739c9b
https://git.kernel.org/stable/c/a2235bc65ade40982c3d09025cdd34bc5

CWE-393: Return of Wrong Status Code

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Check mailbox/SMT channel for consistency. On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at first and then, if the message sequence number identifies a transaction which is still pending, the related payload is fetched too. When an SCMI command times out the channel ownership remains with the platform until eventually a late reply is received and, as a consequence, any further transmission attempt remains pending, waiting for the channel to be relinquished by the platform. Once that late reply is received the channel ownership is given back to the agent and any pending request is then allowed to proceed and overwrite the SMT area of the just delivered late reply; then the wait for the reply to the new request starts. It has been observed that the spurious IRQ related to the late reply can be wrongly associated with the freshly enqueued request: when that happens the SCMI stack in-flight lookup procedure is fooled by the fact that the message header now present in the SMT area is related to the new pending transaction, even though the real reply has still to arrive. This race-condition on the A2P channel can be detected by looking at the channel status bits: a genuine reply from the platform will have set the channel free bit before triggering the completion IRQ. Add a consistency check to validate such condition in the A2P ISR.

References:
https://git.kernel.org/stable/c/5c8a47a5a91d4d6e185f758d61997613d9c5d6ac
https://git.kernel.org/stable/c/614cc65032dcb0b64d23f5c5e338a8a04b12be5d
https://git.kernel.org/stable/c/7f95f6997f4fdd17abec3200cae45420a5489350
https://git.kernel.org/stable/c/9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2
https://git.kernel.org/stable/c/12dc4217f16551d6dee9cbefc23fdb5659558cda
https://git.kernel.org/stable/c/437a310b22244d4e0b78665c3042e5d1c0f45306