CVE-2021-47142 – drm/amdgpu: Fix a use-after-free
https://notcve.org/view.php?id=CVE-2021-47142
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix a use-after-free looks like we forget to set ttm->sg to NULL. Hit panic below [ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 1235.989074] Call Trace: [ 1235.991751] sg_free_table+0x17/0x20 [ 1235.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu] [ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu] [ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm] [ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm] [ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm] [ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm] [ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu] [ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu] [ 1236.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu] [ 1236.046912] kfd_ioctl+0x463/0x690 [amdgpu] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: se soluciona un problema de use-after-free que parece que nos olvidamos de configurar ttm->sg en NULL. Se produce pánico a continuación [1235.844104] falla de protección general, probablemente para la dirección no canónica 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [1235.989074] Seguimiento de llamadas: [1235.991751] sg_free_table+0x17/0x20 [ 123 5.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu] [ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu] [ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm] [ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa 0 [ttm] [ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm] [ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm] [ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu] [ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu] [ 123 6.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu] [ 1236.046912] kfd_ioctl+0x463/0x690 [ amdgpu] • https://git.kernel.org/stable/c/0707c3fea8102d211631ba515ef2159707561b0d https://git.kernel.org/stable/c/3293cf3513d69f00c14d43e2020826d45ea0e46a https://git.kernel.org/stable/c/952ab3f9f48eb0e8050596d41951cf516be6b122 https://git.kernel.org/stable/c/a849e218556f932576c0fb1c5a88714b61709a17 https://git.kernel.org/stable/c/7398c2aab4da960761ec182d04d6d5abbb4a226e https://git.kernel.org/stable/c/f98cdf084405333ee2f5be548a91b2d168e49276 https://git.kernel.org/stable/c/d4ea141fd4b40636a8326df5a377d9c5cf9b3faa https://git.kernel.org/stable/c/1e5c37385097c35911b0f8a0c67ffd10e •
CVE-2021-47141 – gve: Add NULL pointer checks when freeing irqs.
https://notcve.org/view.php?id=CVE-2021-47141
In the Linux kernel, the following vulnerability has been resolved: gve: Add NULL pointer checks when freeing irqs. When freeing notification blocks, we index priv->msix_vectors. If we failed to allocate priv->msix_vectors (see abort_with_msix_vectors) this could lead to a NULL pointer dereference if the driver is unloaded. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gve: agrega comprobaciones de puntero NULL al liberar irqs. Al liberar bloques de notificaciones, indexamos priv->msix_vectors. Si no pudimos asignar priv->msix_vectors (consulte abort_with_msix_vectors), esto podría provocar una desreferencia del puntero NULL si el controlador está descargado. • https://git.kernel.org/stable/c/893ce44df56580fb878ca5af9c4a5fd87567da50 https://git.kernel.org/stable/c/821149ee88c206fa37e79c1868cc270518484876 https://git.kernel.org/stable/c/da21a35c00ff1a1794d4f166d3b3fa8db4d0f6fb https://git.kernel.org/stable/c/5278c75266c5094d3c0958793bf12fc90300e580 https://git.kernel.org/stable/c/5218e919c8d06279884aa0baf76778a6817d5b93 •
CVE-2021-47140 – iommu/amd: Clear DMA ops when switching domain
https://notcve.org/view.php?id=CVE-2021-47140
In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Clear DMA ops when switching domain Since commit 08a27c1c3ecf ("iommu: Add support to change default domain of an iommu group") a user can switch a device between IOMMU and direct DMA through sysfs. This doesn't work for AMD IOMMU at the moment because dev->dma_ops is not cleared when switching from a DMA to an identity IOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an identity domain, causing an oops: # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind ... BUG: kernel NULL pointer dereference, address: 0000000000000028 ... Call Trace: iommu_dma_alloc e1000e_setup_tx_resources e1000e_open Since iommu_change_dev_def_domain() calls probe_finalize() again, clear the dma_ops there like Vt-d does. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/amd: borra las operaciones de DMA al cambiar de dominio. Desde el commit 08a27c1c3ecf ("iommu: agrega soporte para cambiar el dominio predeterminado de un grupo iommu"), un usuario puede cambiar un dispositivo entre IOMMU y DMA directo a través de sysfs. • https://git.kernel.org/stable/c/08a27c1c3ecf5e1da193ce5f8fc97c3be16e75f0 https://git.kernel.org/stable/c/f3f2cf46291a693eab21adb94171b0128c2a9ec1 https://git.kernel.org/stable/c/d6177a6556f853785867e2ec6d5b7f4906f0d809 •
CVE-2021-47139 – net: hns3: put off calling register_netdev() until client initialize complete
https://notcve.org/view.php?id=CVE-2021-47139
In the Linux kernel, the following vulnerability has been resolved: net: hns3: put off calling register_netdev() until client initialize complete Currently, the netdevice is registered before client initializing complete. So there is a timewindow between netdevice available and usable. In this case, if user try to change the channel number or ring param, it may cause the hns3_set_rx_cpu_rmap() being called twice, and report bug. [47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0 [47199.430340] hns3 0000:35:00.0 eth1: already uninitialized [47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1 [47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1 [47200.163524] ------------[ cut here ]------------ [47200.171674] kernel BUG at lib/cpu_rmap.c:142! [47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge] [47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1 [47200.215601] Hardware name: , xxxxxx 02/04/2021 [47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [47200.230188] pc : cpu_rmap_add+0x38/0x40 [47200.237472] lr : irq_cpu_rmap_add+0x84/0x140 [47200.243291] sp : ffff800010e93a30 [47200.247295] x29: ffff800010e93a30 x28: ffff082100584880 [47200.254155] x27: 0000000000000000 x26: 0000000000000000 [47200.260712] x25: 0000000000000000 x24: 0000000000000004 [47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 [47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 [47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 [47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0 [47200.293456] x15: fffffc2082990600 x14: dead000000000122 [47200.300059] x13: ffffffffffffffff x12: 000000000000003e [47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000 [47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700 [47200.319682] x7 : 0000000000000000 x6 : 000000000000003f [47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20 [47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80 [47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004 [47200.346058] Call trace: [47200.349324] cpu_rmap_add+0x38/0x40 [47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] [47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3] [47200.370049] hns3_change_channels+0x40/0xb0 [hns3] [47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] [47200.383353] ethtool_set_channels+0x140/0x250 [47200.389772] dev_ethtool+0x714/0x23d0 [47200.394440] dev_ioctl+0x4cc/0x640 [47200.399277] sock_do_ioctl+0x100/0x2a0 [47200.404574] sock_ioctl+0x28c/0x470 [47200.409079] __arm64_sys_ioctl+0xb4/0x100 [47200.415217] el0_svc_common.constprop.0+0x84/0x210 [47200.422088] do_el0_svc+0x28/0x34 [47200.426387] el0_svc+0x28/0x70 [47200.431308] el0_sync_handler+0x1a4/0x1b0 [47200.436477] el0_sync+0x174/0x180 [47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000) [47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- The process is like below: excuting hns3_client_init | register_netdev() | hns3_set_channels() | | hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() | | | quit without calling function | hns3_free_rx_cpu_rmap for flag | HNS3_NIC_STATE_INITED is unset. | | | hns3_reset_notify_init_enet() | | set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash Fix it by calling register_netdev() at the end of function hns3_client_init(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hns3: posponga la llamada a Register_netdev() hasta que se complete la inicialización del cliente. • https://git.kernel.org/stable/c/08a100689d4baf296d6898c687ea8d005da8d234 https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50 https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613 •
CVE-2021-47138 – cxgb4: avoid accessing registers when clearing filters
https://notcve.org/view.php?id=CVE-2021-47138
In the Linux kernel, the following vulnerability has been resolved: cxgb4: avoid accessing registers when clearing filters Hardware register having the server TID base can contain invalid values when adapter is in bad state (for example, due to AER fatal error). Reading these invalid values in the register can lead to out-of-bound memory access. So, fix by using the saved server TID base when clearing filters. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cxgb4: evita acceder a los registros al borrar los filtros El registro de hardware que tiene la base TID del servidor puede contener valores no válidos cuando el adaptador está en mal estado (por ejemplo, debido a un error fatal de AER). Leer estos valores no válidos en el registro puede provocar un acceso a la memoria fuera de límites. • https://git.kernel.org/stable/c/b1a79360ee862f8ada4798ad2346fa45bb41b527 https://git.kernel.org/stable/c/0bf49b3c8d8b3a43ce09f1b2db70e5484d31fcdf https://git.kernel.org/stable/c/02f03883fdb10ad7e66717c70ea163a8d27ae6e7 https://git.kernel.org/stable/c/285207a558ab456aa7d8aa877ecc7e91fcc51710 https://git.kernel.org/stable/c/88c380df84fbd03f9b137c2b9d0a44b9f2f553b0 https://access.redhat.com/security/cve/CVE-2021-47138 https://bugzilla.redhat.com/show_bug.cgi?id=2271484 • CWE-125: Out-of-bounds Read •