CVE-2023-52455 – iommu: Don't reserve 0-length IOVA region
https://notcve.org/view.php?id=CVE-2023-52455
In the Linux kernel, the following vulnerability has been resolved: iommu: Don't reserve 0-length IOVA region. When the bootloader/firmware doesn't set up the framebuffers, their address and size are 0 in the "iommu-addresses" property. If an IOVA region is reserved with 0 length, it ends up corrupting the IOVA rbtree with an entry that has pfn_hi < pfn_lo. If we intend to use the display driver in the kernel without a framebuffer, this causes the display IOMMU mappings to fail, because the entire valid IOVA space is reserved when the address and length are passed as 0. An ideal solution would be the firmware removing the "iommu-addresses" property and the corresponding "memory-region" if the display is not present. But the kernel should be able to handle this by checking the size of the IOVA region and skipping the IOVA reservation if the size is 0. Also, add a warning if the firmware is requesting a 0-length IOVA region reservation.
https://git.kernel.org/stable/c/a5bf3cfce8cb77d9d24613ab52d520896f83dd48
https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad
https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf
https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1
https://access.redhat.com/security/cve/CVE-2023-52455
https://bugzilla.redhat.com/show_bug.cgi?id=2265793
CVE-2023-52454 – nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
https://notcve.org/view.php?id=CVE-2023-52454
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length. If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec():
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]
Call trace:
process_one_work+0x174/0x3c8
worker_thread+0x2d0/0x3e8
kthread+0x104/0x110
Fix the bug by raising a fatal error if DATAL isn't coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmet_tcp_handle_icreq().
https://git.kernel.org/stable/c/872d26a391da92ed8f0c0f5cb5fef428067b7f30
https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d
https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510
https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d
https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42
https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88
https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68
https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a74
CWE-476: NULL Pointer Dereference
CVE-2023-52453 – hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume
https://notcve.org/view.php?id=CVE-2023-52453
In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume. When the optional PRE_COPY support was added to speed up the device compatibility check, it failed to update the saving/resuming data pointers based on the fd offset. This results in migration data corruption, and when the device gets started on the destination the following error is reported in some cases:
[ 478.907684] arm-smmu-v3 arm-smmu-v3.2.auto: event 0x10 received:
[ 478.913691] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000310200000010
[ 478.919603] arm-smmu-v3 arm-smmu-v3.2.auto: 0x000002088000007f
[ 478.925515] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000
[ 478.931425] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000
[ 478.947552] hisi_zip 0000:31:00.0: qm_axi_rresp [error status=0x1] found
[ 478.955930] hisi_zip 0000:31:00.0: qm_db_timeout [error status=0x400] found
[ 478.955944] hisi_zip 0000:31:00.0: qm sq doorbell timeout in function 2
https://git.kernel.org/stable/c/d9a871e4a143047d1d84a606772af319f11516f9
https://git.kernel.org/stable/c/45f80b2f230df10600e6fa1b83b28bf1c334185e
https://git.kernel.org/stable/c/6bda81e24a35a856f58e6a5786de579b07371603
https://git.kernel.org/stable/c/be12ad45e15b5ee0e2526a50266ba1d295d26a88
CVE-2024-26593 – i2c: i801: Fix block process call transactions
https://notcve.org/view.php?id=CVE-2024-26593
In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions. According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.
https://git.kernel.org/stable/c/315cd67c945351f8a569500f8ab16b7fa94026e8
https://git.kernel.org/stable/c/d074d5ff5ae77b18300e5079c6bda6342a4d44b7
https://git.kernel.org/stable/c/7a14b8a477b88607d157c24aeb23e7389ec3319f
https://git.kernel.org/stable/c/1f8d0691c50581ba6043f009ec9e8b9f78f09d5a
https://git.kernel.org/stable/c/491528935c9c48bf341d8b40eabc6c4fc5df6f2c
https://git.kernel.org/stable/c/6be99c51829b24c914cef5bff6164877178e84d9
https://git.kernel.org/stable/c/609c7c1cc976e740d0fed4dbeec688b3ecb5dce2
https://git.kernel.org/stable/c/c1c9d0f6f7f1dbf29db996bd8e1662428
CWE-125: Out-of-bounds Read
CVE-2024-26594 – ksmbd: validate mech token in session setup
https://notcve.org/view.php?id=CVE-2024-26594
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate mech token in session setup. If the client sends an invalid mech token in the session setup request, ksmbd validates it and returns an error if it is invalid. This vulnerability allows remote attackers to disclose sensitive information on affected installations of the Linux kernel. Authentication is not required to exploit this vulnerability. However, only systems with ksmbd enabled are vulnerable. The specific flaw exists within the handling of SMB2 Mech Tokens.
https://git.kernel.org/stable/c/dd1de9268745f0eac83a430db7afc32cbd62e84b
https://git.kernel.org/stable/c/6eb8015492bcc84e40646390e50a862b2c0529c9
https://git.kernel.org/stable/c/a2b21ef1ea4cf632d19b3a7cc4d4245b8e63202a
https://git.kernel.org/stable/c/5e6dfec95833edc54c48605a98365a7325e5541e
https://git.kernel.org/stable/c/92e470163d96df8db6c4fa0f484e4a229edb903d
CWE-125: Out-of-bounds Read