Page 644 of 4329 results (0.012 seconds)

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: tee: amdtee: fix use-after-free vulnerability in amdtee_close_session There is a potential race condition in amdtee_close_session that may cause use-after-free in amdtee_open_session. For instance, if a session has refcount == 1, and one thread tries to free this session via: kref_put(&sess->refcount, destroy_session); the reference count will get decremented, and the next step would be to call destroy_session(). However, if in another thread, amdtee_open_session() is called before destroy_session() has completed execution, alloc_session() may return 'sess' that will be freed up later in destroy_session() leading to use-after-free in amdtee_open_session. To fix this issue, treat decrement of sess->refcount and removal of 'sess' from session list in destroy_session() as a critical section, so that it is executed atomically. • https://git.kernel.org/stable/c/757cc3e9ff1d72d014096399d6e2bf03974d9da1 https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27 https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116 https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. Getting a reference on the socket found in a lookup while holding a lock should happen before releasing the lock. nfc_llcp_sock_get_sn() has a similar problem. Finally nfc_llcp_recv_snl() needs to make sure the socket found by nfc_llcp_sock_from_sn() does not disappear. • https://git.kernel.org/stable/c/8f50020ed9b81ba909ce9573f9d05263cdebf502 https://git.kernel.org/stable/c/e863f5720a5680e50c4cecf12424d7cc31b3eb0a https://git.kernel.org/stable/c/7adcf014bda16cdbf804af5c164d94d5d025db2d https://git.kernel.org/stable/c/6ac22ecdaad2ecc662048f8c6b0ceb1ca0699ef9 https://git.kernel.org/stable/c/d888d3f70b0de32b4f51534175f039ddab15eef8 https://git.kernel.org/stable/c/e4f2611f07c87b3ddb57c4b9e8efcd1e330fc3dc https://git.kernel.org/stable/c/d1af8a39cf839d93c8967fdd858f6bbdc3e4a15c https://git.kernel.org/stable/c/31c07dffafce914c1d1543c135382a11f •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not attempt to read past "commit" When iterating over the ring buffer while the ring buffer is active, the writer can corrupt the reader. There's barriers to help detect this and handle it, but that code missed the case where the last event was at the very end of the page and has only 4 bytes left. The checks to detect the corruption by the writer to reads needs to see the length of the event. If the length in the first 4 bytes is zero then the length is stored in the second 4 bytes. But if the writer is in the process of updating that code, there's a small window where the length in the first 4 bytes could be zero even though the length is only 4 bytes. That will cause rb_event_length() to read the next 4 bytes which could happen to be off the allocated page. To protect against this, fail immediately if the next event pointer is less than 8 bytes from the end of the commit (last byte of data), as all events must be a minimum of 8 bytes anyway. • https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3 https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49 https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command Tags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed when we receive the response. • https://git.kernel.org/stable/c/2afd8fcee0c4d65a482e30c3ad2a92c25e5e92d4 https://git.kernel.org/stable/c/d540a4370aba378fbedf349ba0bb68e96e24243d https://git.kernel.org/stable/c/2259e1901b2d8c0e8538fc99e77de443b939e749 https://git.kernel.org/stable/c/22e6d783a33015bcdf0979015e4eac603912bea7 https://git.kernel.org/stable/c/c13e7331745852d0dd7c35eabbe181cbd5b01172 •

CVSS: -EPSS: 0%CPEs: 4EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: powerpc/47x: Fix 47x syscall return crash Eddie reported that newer kernels were crashing during boot on his 476 FSP2 system: kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0) BUG: Unable to handle kernel instruction fetch Faulting instruction address: 0xb7ee2000 Oops: Kernel access of bad area, sig: 11 [#1] BE PAGE_SIZE=4K FSP-2 Modules linked in: CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1 Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2 NIP:  b7ee2000 LR: 8c008000 CTR: 00000000 REGS: bffebd83 TRAP: 0400   Not tainted (6.1.55-d23900f.ppcnf-fs p2) MSR:  00000030 <IR,DR>  CR: 00001000  XER: 20000000 GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000 GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000 GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0 GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0 NIP [b7ee2000] 0xb7ee2000 LR [8c008000] 0x8c008000 Call Trace: Instruction dump: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX ---[ end trace 0000000000000000 ]--- The problem is in ret_from_syscall where the check for icache_44x_need_flush is done. When the flush is needed the code jumps out-of-line to do the flush, and then intends to jump back to continue the syscall return. However the branch back to label 1b doesn't return to the correct location, instead branching back just prior to the return to userspace, causing bogus register values to be used by the rfi. The breakage was introduced by commit 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which inadvertently removed the "1" label and reused it elsewhere. Fix it by adding named local labels in the correct locations. Note that the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n compiles. • https://git.kernel.org/stable/c/6f76a01173ccaa363739f913394d4e138d92d718 https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820 https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3 https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746 https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14 •