CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47404 – HID: betop: fix slab-out-of-bounds Write in betop_probe
https://notcve.org/view.php?id=CVE-2021-47404
In the Linux kernel, the following vulnerability has been resolved: HID: betop: fix slab-out-of-bounds Write in betop_probe Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. The problem is the driver assumes the device must have an input report but some malicious devices violate this assumption. So this patch checks hid_device's input is non empty before it's been used. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: HID: betop: corrige escritura slab-out-of-bounds en betop_probe. Syzbot informó un error de escritura slab-out-of-bounds en el controlador hid-betopff. El problema es que el controlador supone que el dispositivo debe tener un informe de entrada, pero algunos dispositivos maliciosos violan esta suposición. Entonces, este parche verifica que la entrada de hid_device no esté vacía antes de usarse. • https://git.kernel.org/stable/c/a4faa7153b87fbcfe4be15f4278676f79ca6e019 https://git.kernel.org/stable/c/6fc4476dda58f6c00097c7ddec3b772513f57525 https://git.kernel.org/stable/c/1c83c38dec83d57bc18d0c01d82c413d3b34ccb9 https://git.kernel.org/stable/c/bb8b72374db69afa25a5b65cf1c092860c6fe914 https://git.kernel.org/stable/c/fe9bb925e7096509711660d39c0493a1546e9550 https://git.kernel.org/stable/c/dedfc35a2de2bae9fa3da8210a05bfd515f83fee https://git.kernel.org/stable/c/708107b80aa616976d1c5fa60ac0c1390749db5e https://git.kernel.org/stable/c/1e4ce418b1cb1a810256b5fb3fd33d22d •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47391 – RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests
https://notcve.org/view.php?id=CVE-2021-47391
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice. CPU 1 CPU 2 rdma_resolve_addr(): RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1 process_one_req(): for #1 addr_handler(): RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND mutex_unlock(&id_priv->handler_mutex); [.. handler still running ..] rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel() // process_one_req() self removes it spin_lock_bh(&lock); cancel_delayed_work(&req->work); if (!list_empty(&req->list)) == true ! rdma_addr_cancel() returns after process_on_req #1 is done kfree(id_priv) process_one_req(): for #2 addr_handler(): mutex_lock(&id_priv->handler_mutex); !! • https://git.kernel.org/stable/c/e51060f08a61965c4dd91516d82fe90617152590 https://git.kernel.org/stable/c/9a085fa9b7d644a234465091e038c1911e1a4f2a https://git.kernel.org/stable/c/03d884671572af8bcfbc9e63944c1021efce7589 https://git.kernel.org/stable/c/305d568b72f17f674155a2a8275f865f207b3808 •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47386 – hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field
https://notcve.org/view.php?id=CVE-2021-47386
In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field If driver read val value sufficient for (val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7)) from device then Null pointer dereference occurs. (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers) Also lm75[] does not serve a purpose anymore after switching to devm_i2c_new_dummy_device() in w83791d_detect_subclients(). The patch fixes possible NULL pointer dereference by removing lm75[]. Found by Linux Driver Verification project (linuxtesting.org). [groeck: Dropped unnecessary continuation lines, fixed multi-line alignment] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: hwmon: (w83791d) Corrija la desreferencia del puntero NULL eliminando el campo de estructura innecesario. Si el controlador lee el valor val suficiente para (val & 0x08) && (!(val & 0x80)) && (( val & 0x7) == ((val >> 4) & 0x7)) desde el dispositivo, luego se produce la desreferencia del puntero null. (Es posible si tmp = 0b0xyz1xyz, donde los mismos literales significan los mismos números) Además, lm75[] ya no sirve para nada después de cambiar a devm_i2c_new_dummy_device() en w83791d_detect_subclients(). • https://git.kernel.org/stable/c/44d3c480e4e2a75bf6296a18b4356157991ccd80 https://git.kernel.org/stable/c/516d9055039017a20a698103be2b556b4c976bb8 https://git.kernel.org/stable/c/16887ae4e3defd2c4e7913b6c539f33eaf4eac5c https://git.kernel.org/stable/c/943c15ac1b84d378da26bba41c83c67e16499ac4 https://access.redhat.com/security/cve/CVE-2021-47386 https://bugzilla.redhat.com/show_bug.cgi?id=2282354 • CWE-476: NULL Pointer Dereference •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47385 – hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
https://notcve.org/view.php?id=CVE-2021-47385
In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field If driver read val value sufficient for (val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7)) from device then Null pointer dereference occurs. (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers) Also lm75[] does not serve a purpose anymore after switching to devm_i2c_new_dummy_device() in w83791d_detect_subclients(). The patch fixes possible NULL pointer dereference by removing lm75[]. Found by Linux Driver Verification project (linuxtesting.org). [groeck: Dropped unnecessary continuation lines, fixed multipline alignment] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: hwmon: (w83792d) Corrija la desreferencia del puntero NULL eliminando el campo de estructura innecesario. Si el controlador lee el valor val suficiente para (val & 0x08) && (!(val & 0x80)) && (( val & 0x7) == ((val >> 4) & 0x7)) desde el dispositivo, luego se produce la desreferencia del puntero null. (Es posible si tmp = 0b0xyz1xyz, donde los mismos literales significan los mismos números) Además, lm75[] ya no sirve para nada después de cambiar a devm_i2c_new_dummy_device() en w83791d_detect_subclients(). • https://git.kernel.org/stable/c/200ced5ba724d8bbf29dfac4ed1e17a39ccaccd1 https://git.kernel.org/stable/c/1499bb2c3a87a2efea0065adab2bd66badee61c3 https://git.kernel.org/stable/c/24af1fe376e22c42238a4a604d31e46c486876c3 https://git.kernel.org/stable/c/0f36b88173f028e372668ae040ab1a496834d278 https://access.redhat.com/security/cve/CVE-2021-47385 https://bugzilla.redhat.com/show_bug.cgi?id=2282355 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47384 – hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field
https://notcve.org/view.php?id=CVE-2021-47384
In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field If driver read tmp value sufficient for (tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7)) from device then Null pointer dereference occurs. (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers) Also lm75[] does not serve a purpose anymore after switching to devm_i2c_new_dummy_device() in w83791d_detect_subclients(). The patch fixes possible NULL pointer dereference by removing lm75[]. Found by Linux Driver Verification project (linuxtesting.org). [groeck: Dropped unnecessary continuation lines, fixed multi-line alignments] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: hwmon: (w83793) Corrija la desreferencia del puntero NULL eliminando el campo de estructura innecesario. Si el controlador lee el valor tmp suficiente para (tmp & 0x08) && (!(tmp & 0x80)) && (( tmp & 0x7) == ((tmp >> 4) & 0x7)) desde el dispositivo, luego se produce la desreferencia del puntero null. (Es posible si tmp = 0b0xyz1xyz, donde los mismos literales significan los mismos números) Además, lm75[] ya no sirve para nada después de cambiar a devm_i2c_new_dummy_device() en w83791d_detect_subclients(). • https://git.kernel.org/stable/c/6cb01fe630eaffc5a2c3f7364436caddba286623 https://git.kernel.org/stable/c/7c4fd5de39f273626a2b0f3a446d2cc85cd47616 https://git.kernel.org/stable/c/746011193f44f97f8784edcf8327c587946745fc https://git.kernel.org/stable/c/dd4d747ef05addab887dc8ff0d6ab9860bbcd783 https://access.redhat.com/security/cve/CVE-2021-47384 https://bugzilla.redhat.com/show_bug.cgi?id=2282356 •