CVE-2023-52607 – powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
https://notcve.org/view.php?id=CVE-2023-52607
In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: powerpc/mm: corrige la desreferencia del puntero nulo en pgtable_cache_add kasprintf() devuelve un puntero a la memoria asignada dinámicamente que puede ser NULL en caso de falla. Asegúrese de que la asignación se haya realizado correctamente comprobando la validez del puntero. A possible null-pointer dereference was found in pgtable_cache_add in the Linux kernel. • https://git.kernel.org/stable/c/21e45a7b08d7cd98d6a53c5fc5111879f2d96611 https://git.kernel.org/stable/c/f6781add1c311c17eff43e14c786004bbacf901e https://git.kernel.org/stable/c/aa28eecb43cac6e20ef14dfc50b8892c1fbcda5b https://git.kernel.org/stable/c/ac3ed969a40357b0542d20f096a6d43acdfa6cc7 https://git.kernel.org/stable/c/d482d61025e303a2bef3733a011b6b740215cfa1 https://git.kernel.org/stable/c/145febd85c3bcc5c74d87ef9a598fc7d9122d532 https://git.kernel.org/stable/c/ffd29dc45bc0355393859049f6becddc3ed08f74 https://git.kernel.org/stable/c/f46c8a75263f97bda13c739ba1c90aced • CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference •
CVE-2023-52606 – powerpc/lib: Validate size for vector operations
https://notcve.org/view.php?id=CVE-2023-52606
In the Linux kernel, the following vulnerability has been resolved: powerpc/lib: Validate size for vector operations Some of the fp/vmx code in sstep.c assume a certain maximum size for the instructions being emulated. The size of those operations however is determined separately in analyse_instr(). Add a check to validate the assumption on the maximum size of the operations, so as to prevent any unintended kernel stack corruption. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/lib: validar tamaño para operaciones vectoriales Parte del código fp/vmx en sstep.c asume un cierto tamaño máximo para las instrucciones que se emula. Sin embargo, el tamaño de esas operaciones se determina por separado en analyse_instr(). Agregue una verificación para validar la suposición sobre el tamaño máximo de las operaciones, a fin de evitar daños no deseados en la pila del kernel. • https://git.kernel.org/stable/c/42084a428a139f1a429f597d44621e3a18f3e414 https://git.kernel.org/stable/c/0580f4403ad33f379eef865c2a6fe94de37febdf https://git.kernel.org/stable/c/beee482cc4c9a6b1dcffb2e190b4fd8782258678 https://git.kernel.org/stable/c/de4f5ed63b8a199704d8cdcbf810309d7eb4b36b https://git.kernel.org/stable/c/abd26515d4b767ba48241eea77b28ce0872aef3e https://git.kernel.org/stable/c/28b8ba8eebf26f66d9f2df4ba550b6b3b136082c https://git.kernel.org/stable/c/848e1d7fd710900397e1d0e7584680c1c04e3afd https://git.kernel.org/stable/c/8f9abaa6d7de0a70fc68acaedce290c1f • CWE-121: Stack-based Buffer Overflow •
CVE-2023-52604 – FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
https://notcve.org/view.php?id=CVE-2023-52604
In the Linux kernel, the following vulnerability has been resolved: FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Syzkaller reported the following issue: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6 index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]') CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK> ================================================================================ Kernel panic - not syncing: UBSAN: panic_on_warn set ... CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 panic+0x30f/0x770 kernel/panic.c:340 check_panic_on_warn+0x82/0xa0 kernel/panic.c:236 ubsan_epilogue lib/ubsan.c:223 [inline] __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK> Kernel Offset: disabled Rebooting in 86400 seconds.. The issue is caused when the value of lp becomes greater than CTLTREESIZE which is the max size of stree. Adding a simple check solves this issue. Dave: As the function returns a void, good error handling would require a more intrusive code reorganization, so I modified Osama's patch at use WARN_ON_ONCE for lack of a cleaner option. The patch is tested via syzbot. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: FS:JFS:UBSAN:array-index-out-of-bounds en dbAdjTree Syzkaller informó el siguiente problema: UBSAN: array-index-out-of-bounds en fs/jfs /jfs_dmap.c:2867:6 el índice 196694 está fuera del rango para el tipo 's8[1365]' (también conocido como 'carácter firmado[1365]') CPU: 1 PID: 109 Comm: jfsCommit No contaminado 6.6.0-rc3-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/08/2023 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [en línea] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs _dmap.c: 2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [en línea] dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/j fs /jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [en línea] jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x3 70 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 ============== ==================================================== ================ Pánico del kernel: no se sincroniza: UBSAN: pánico_on_warn configurado... CPU: 1 PID: 109 Comm: jfsCommit No contaminado 6.6.0-rc3-syzkaller #0 Hardware nombre: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/08/2023 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 pánico+0x30f /0x770 Kernel/Panic.C: 340 check_panic_on_warn+0x82/0xa0 kernel/Panic.c: 236 UBSAN_EPILOGO LIB/UBSAN.C: 223 [Inline] __ubsan_handle_out_of_bounds+0x13c/0x150 LIB/UB/UBSAN.C: 4F0 FS /jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [en línea] dbFree +0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [en línea] jf s_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64. S:304 Desplazamiento del kernel: deshabilitado Reinicio en 86400 segundos. • https://git.kernel.org/stable/c/e3e95c6850661c77e6dab079d9b5374a618ebb15 https://git.kernel.org/stable/c/98f9537fe61b8382b3cc5dd97347531698517c56 https://git.kernel.org/stable/c/de34de6e57bbbc868e4fcf9e98c76b3587cabb0b https://git.kernel.org/stable/c/6fe8b702125aeee6ce83f20092a2341446704e7b https://git.kernel.org/stable/c/42f433785f108893de0dd5260bafb85d7d51db03 https://git.kernel.org/stable/c/6a44065dd604972ec1fbcccbdc4a70d266a89cdd https://git.kernel.org/stable/c/59342822276f753e49d27ef5eebffbba990572b9 https://git.kernel.org/stable/c/9862ec7ac1cbc6eb5ee4a045b5d5b8edb •
CVE-2023-52603 – UBSAN: array-index-out-of-bounds in dtSplitRoot
https://notcve.org/view.php?id=CVE-2023-52603
In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 </TASK> The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: UBSAN: array-index-out-of-bounds en dtSplitRoot Syzkaller informó el siguiente problema: oop0: se detectó un cambio de capacidad de 0 a 32768 UBSAN: array-index-out-of- límites en fs/jfs/jfs_dtree.c:1971:9 índice -2 está fuera de rango para el tipo 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 No contaminado 6.0.0-syzkaller-09423- g493ffd6605b2 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 22/09/2022 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c: 106 ubsan_epilogue lib/ubsan.c:151 [en línea] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:9 85 [en línea ] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 f s/namei. c:4038 __do_sys_mkdirat fs/namei.c:4053 [en línea] __se_sys_mkdirat fs/namei.c:4051 [en línea] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [ inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Código: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 F7 48 89 D6 48 89 CA 4D 89 C2 4D 89 C8 4C 8B 4C 24 08 0F 05 <48> 3D 01 F0 FF FF 73 01 C3 48 C7 C1 C0 FF FF FF F7 D8 64 89 01 48 RSP: 002B: 00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 00000000000000000 RCX: 00007fcdc0113fd9 RDX: 00000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15 : 0000000000000000 El problema se produce cuando el valor de fsi es inferior a -1. La verificación para romper el ciclo cuando el valor fsi se convierte en -1 está presente, pero syzbot pudo producir un valor menor que -1, lo que causa el error. Este parche simplemente agrega el cambio para los valores menores que 0. El parche se prueba a través de syzbot. • https://git.kernel.org/stable/c/e30b52a2ea3d1e0aaee68096957cf90a2f4ec5af https://git.kernel.org/stable/c/fd3486a893778770557649fe28afa5e463d4ed07 https://git.kernel.org/stable/c/7aa33854477d9c346f5560a1a1fcb3fe7783e2a8 https://git.kernel.org/stable/c/e4ce01c25ccbea02a09a5291c21749b1fc358e39 https://git.kernel.org/stable/c/e4cbc857d75d4e22a1f75446e7480b1f305d8d60 https://git.kernel.org/stable/c/edff092a59260bf0b0a2eba219cb3da6372c2f9f https://git.kernel.org/stable/c/6e2902ecc77e9760a9fc447f56d598383e2372d2 https://git.kernel.org/stable/c/27e56f59bab5ddafbcfe69ad7a4a6ea12 •
CVE-2023-52602 – jfs: fix slab-out-of-bounds Read in dtSearch
https://notcve.org/view.php?id=CVE-2023-52602
In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds Read in dtSearch Currently while searching for current page in the sorted entry table of the page there is a out of bound access. Added a bound check to fix the error. Dave: Set return code to -EIO En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: arreglar slab-out-of-bounds Leer en dtSearch Actualmente, mientras se busca la página actual en la tabla de entradas ordenadas de la página, hay un acceso fuera de los límites. Se agregó un cheque encuadernado para corregir el error. Dave: establece el código de retorno en -EIO • https://git.kernel.org/stable/c/ce8bc22e948634a5c0a3fa58a179177d0e3f3950 https://git.kernel.org/stable/c/1b9d6828589d57f94a23fb1c46112cda39d7efdb https://git.kernel.org/stable/c/1c40ca3d39d769931b28295b3145c25f1decf5a6 https://git.kernel.org/stable/c/6c6a96c3d74df185ee344977d46944d6f33bb4dd https://git.kernel.org/stable/c/cab0c265ba182fd266c2aa3c69d7e40640a7f612 https://git.kernel.org/stable/c/7110650b85dd2f1cee819acd1345a9013a1a62f7 https://git.kernel.org/stable/c/bff9d4078a232c01e42e9377d005fb2f4d31a472 https://git.kernel.org/stable/c/fa5492ee89463a7590a1449358002ff7e • CWE-400: Uncontrolled Resource Consumption •