CVE-2021-46926 – ALSA: hda: intel-sdw-acpi: harden detection of controller
https://notcve.org/view.php?id=CVE-2021-46926
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: hda: intel-sdw-acpi: reforzar la detección del controlador El código existente actualmente establece un puntero a un identificador ACPI antes de verificar que en realidad es un controlador SoundWire. Esto puede provocar problemas en los que el recorrido del gráfico continúa y finalmente falla, pero el puntero ya estaba configurado. Este parche cambia la lógica para que la información proporcionada a la persona que llama se establezca cuando se encuentra un controlador. • https://git.kernel.org/stable/c/cce476954401e3421afafb25bbaa926050688b1d https://git.kernel.org/stable/c/385f287f9853da402d94278e59f594501c1d1dad •
CVE-2021-46925 – net/smc: fix kernel panic caused by race of smc_sock
https://notcve.org/view.php?id=CVE-2021-46925
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of smc_sock A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it. [ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88 [ 4570.696048] #PF: supervisor write access in kernel mode [ 4570.696728] #PF: error_code(0x0002) - not-present page [ 4570.697401] PGD 0 P4D 0 [ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI [ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111 [ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0 [ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30 <...> [ 4570.711446] Call Trace: [ 4570.711746] <IRQ> [ 4570.711992] smc_cdc_tx_handler+0x41/0xc0 [ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560 [ 4570.712981] ? smc_cdc_tx_dismisser+0x10/0x10 [ 4570.713489] tasklet_action_common.isra.17+0x66/0x140 [ 4570.714083] __do_softirq+0x123/0x2f4 [ 4570.714521] irq_exit_rcu+0xc4/0xf0 [ 4570.714934] common_interrupt+0xba/0xe0 Though smc_cdc_tx_handler() checked the existence of smc connection, smc_release() may have already dismissed and released the smc socket before smc_cdc_tx_handler() further visits it. smc_cdc_tx_handler() |smc_release() if (!conn) | | |smc_cdc_tx_dismiss_slots() | smc_cdc_tx_dismisser() | |sock_put(&smc->sk) <- last sock_put, | smc_sock freed bh_lock_sock(&smc->sk) (panic) | To make sure we won't receive any CDC messages after we free the smc_sock, add a refcount on the smc_connection for inflight CDC message(posted to the QP but haven't received related CQE), and don't release the smc_connection until all the inflight CDC messages haven been done, for both success or failed ones. Using refcount on CDC messages brings another problem: when the link is going to be destroyed, smcr_link_clear() will reset the QP, which then remove all the pending CQEs related to the QP in the CQ. To make sure all the CQEs will always come back so the refcount on the smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced by smc_ib_modify_qp_error(). And remove the timeout in smc_wr_tx_wait_no_pending_sends() since we need to wait for all pending WQEs done, or we may encounter use-after- free when handling CQEs. For IB device removal routine, we need to wait for all the QPs on that device been destroyed before we can destroy CQs on the device, or the refcount on smc_connection won't reach 0 and smc_sock cannot be released. • https://git.kernel.org/stable/c/5f08318f617b05b6ee389d8bd174c7af921ebf19 https://git.kernel.org/stable/c/e8a5988a85c719ce7205cb00dcf0716dcf611332 https://git.kernel.org/stable/c/b85f751d71ae8e2a15e9bda98852ea9af35282eb https://git.kernel.org/stable/c/349d43127dac00c15231e8ffbcaabd70f7b0e544 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2021-46924 – NFC: st21nfca: Fix memory leak in device probe and remove
https://notcve.org/view.php?id=CVE-2021-46924
In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove 'phy->pending_skb' is alloced when device probe, but forgot to free in the error handling path and remove path, this cause memory leak as follows: unreferenced object 0xffff88800bc06800 (size 512): comm "8", pid 11775, jiffies 4295159829 (age 9.032s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450 [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0 [<000000005fea522c>] __alloc_skb+0x124/0x380 [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2 Fix it by freeing 'pending_skb' in error and remove. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFC: st21nfca: corrige la pérdida de memoria en la sonda del dispositivo y elimina 'phy->pending_skb' cuando se asigna la sonda del dispositivo, pero olvidó liberarla en la ruta de manejo de errores y eliminar la ruta, esto causa pérdida de memoria de la siguiente manera: objeto sin referencia 0xffff88800bc06800 (tamaño 512): comunicación "8", pid 11775, santiago 4295159829 (edad 9.032 s) volcado hexadecimal (primeros 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................. backtrace: [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450 [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0 [<000000005fea522c>] __alloc_skb+0x124/0x380 [ <0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2 Solucionarlo liberando 'pending_skb' por error y elimínelo. • https://git.kernel.org/stable/c/68957303f44a501af5cf37913208a2acaa6bcdf1 https://git.kernel.org/stable/c/38c3e320e7ff46f2dc67bc5045333e63d9f8918d https://git.kernel.org/stable/c/a1e0080a35a16ce3808f7040fe0c3a8fdb052349 https://git.kernel.org/stable/c/1cd4063dbc91cf7965d73a6a3855e2028cd4613b https://git.kernel.org/stable/c/e553265ea56482da5700f56319fda9ff53e7dcb4 https://git.kernel.org/stable/c/238920381b8925d070d32d73cd9ce52ab29896fe https://git.kernel.org/stable/c/1b9dadba502234eea7244879b8d5d126bfaf9f0c • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2021-46923 – fs/mount_setattr: always cleanup mount_kattr
https://notcve.org/view.php?id=CVE-2021-46923
In the Linux kernel, the following vulnerability has been resolved: fs/mount_setattr: always cleanup mount_kattr Make sure that finish_mount_kattr() is called after mount_kattr was succesfully built in both the success and failure case to prevent leaking any references we took when we built it. We returned early if path lookup failed thereby risking to leak an additional reference we took when building mount_kattr when an idmapped mount was requested. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs/mount_setattr: limpiar siempre mount_kattr. Asegúrese de que se llame a finish_mount_kattr() después de que mount_kattr se haya compilado con éxito tanto en el caso de éxito como en el de fracaso para evitar que se filtren las referencias que tomamos cuando lo compilamos. Regresamos temprano si falla la búsqueda de ruta, por lo que corremos el riesgo de filtrar una referencia adicional que tomamos al compilar mount_kattr cuando se solicitó un montaje con idmapped. • https://git.kernel.org/stable/c/9caccd41541a6f7d6279928d9f971f6642c361af https://git.kernel.org/stable/c/47b5d0a7532d39e42a938f81e3904268145c341d https://git.kernel.org/stable/c/012e332286e2bb9f6ac77d195f17e74b2963d663 • CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2021-46922 – KEYS: trusted: Fix TPM reservation for seal/unseal
https://notcve.org/view.php?id=CVE-2021-46922
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/ But somehow got rebased so that the tpm_try_get_ops() in tpm2_seal_trusted() got lost. This causes an imbalanced put of the TPM ops and causes oopses on TIS based hardware. This fix puts back the lost tpm_try_get_ops() En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KEYS: de confianza: corrige la reserva de TPM para sellar/dessellar El parche original 8c657a0590de ("KEYS: de confianza: reservar TPM para operaciones de sellar y dessellar") era correcto en la lista de correo: https ://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/ Pero de alguna manera se modificó la base para que tpm_try_get_ops() en tpm2_seal_trusted() se perdiera. Esto provoca un desequilibrio en las operaciones de TPM y provoca fallos en el hardware basado en TIS. Esta solución devuelve el tpm_try_get_ops() perdido • https://git.kernel.org/stable/c/67118bb78d72aab5b831f054a74ae856339a1974 https://git.kernel.org/stable/c/498b8fc1cdc13b57b02dd28544b18323900fae10 https://git.kernel.org/stable/c/bf84ef2dd2ccdcd8f2658476d34b51455f970ce4 https://git.kernel.org/stable/c/39c8d760d44cb3fa0d67e8cd505df81cf4d80999 https://git.kernel.org/stable/c/9d5171eab462a63e2fbebfccf6026e92be018f20 •