77 matches found
CVE-2021-47549
In the Linux kernel, the following vulnerability has been resolved: sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl When the rmmod sata_fsl.ko command is executed in the PPC64 GNU/Linux,a bug is reported: BUG: Unable to handle kernel data access on read at 0x80000800805b502cOops: Kernel...
CVE-2021-47548
In the Linux kernel, the following vulnerability has been resolved: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() The if statement:if (port >= DSAF_GE_NUM)return; limits the value of port less than DSAF_GE_NUM (i.e., 8).However, if the value...
CVE-2021-47101
In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this casesmsr will be uninitialized. Fail log:BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:...
CVE-2021-47094
In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Don't advance iterator after restart due to yielding After dropping mmu_lock in the TDP MMU, restart the iterator duringtdp_iter_next() and do not advance the iterator. Advancing the iteratorresults in skipping the to...
CVE-2021-47097
In the Linux kernel, the following vulnerability has been resolved: Input: elantech - fix stack out of bound access in elantech_change_report_id() The array param[] in elantech_change_report_id() must be at least 3bytes, because elantech_read_reg_params() is calling ps2_command() withPSMOUSE_CMD_GE...
CVE-2021-47560
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum: Protect driver from buggy firmware When processing port up/down events generated by the device's firmware,the driver protects itself from events reported for non-existent localports, but not the CPU port (local por...
CVE-2021-47103
In the Linux kernel, the following vulnerability has been resolved: inet: fully convert sk->sk_rx_dst to RCU rules syzbot reported various issues around early demux,one being included in this changelog [1] sk->sk_rx_dst is using RCU protection without clearlydocumenting it. And following sequ...
CVE-2021-47098
In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Commit b50aa49638c7 ("hwmon: (lm90) Prevent integer underflows oftemperature calculations") addressed a number of underflow situationswhen writing temperat...
CVE-2021-47505
In the Linux kernel, the following vulnerability has been resolved: aio: fix use-after-free due to missing POLLFREE handling signalfd_poll() and binder_poll() are special in that they use awaitqueue whose lifetime is the current task, rather than the structfile as is normally the case. This is okay...
CVE-2021-47099
In the Linux kernel, the following vulnerability has been resolved: veth: ensure skb entering GRO are not cloned. After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"),if GRO is enabled on a veth device and TSO is disabled on the peerdevice, TCP skbs will go through the NAPI call...
CVE-2021-47580
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix type in min_t to avoid stack OOB Change min_t() to use type "u32" instead of type "int" to avoid stack outof bounds. With min_t() type "int" the values get sign extended and thelarger value gets used causing s...
CVE-2021-47609
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Fix string overflow in SCPI genpd driver Without the bound checks for scpi_pd->name, it could result in the bufferoverflow when copying the SCPI device name from the corresponding devicetree node as the name ...
CVE-2021-47592
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix tc flower deletion for VLAN priority Rx steering To replicate the issue:- Add 1 flower filter for VLAN Priority based frame steering:-$ IFDEVNAME=eth0$ tc qdisc add dev $IFDEVNAME ingress$ tc qdisc add dev $IFDEVNA...
CVE-2021-47501
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc When trying to dump VFs VSI RX/TX descriptorsusing debugfs there was a crashdue to NULL pointer dereference in i40e_dbg_dump_desc.Added a check to i40e_dbg_dump_desc that che...
CVE-2021-47186
In the Linux kernel, the following vulnerability has been resolved: tipc: check for null after calling kmemdup kmemdup can return a null pointer so need to check for it, otherwisethe null key will be dereferenced later in tipc_crypto_key_xmit ascan be seen in the trace [1]. [1] https://syzkaller.ap...
CVE-2021-47108
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf In commit 41ca9caaae0b("drm/mediatek: hdmi: Add check for CEA modes only") a checkfor CEA modes was added to function mtk_hdmi_bridge_mode_valid()in order to address ...
CVE-2021-47606
In the Linux kernel, the following vulnerability has been resolved: net: netlink: af_netlink: Prevent empty skb by adding a check on len. Adding a check on len parameter to avoid empty skb. This prevents adivision error in netem_enqueue function which is caused when skb->len=0and skb->data_le...
CVE-2021-47082
In the Linux kernel, the following vulnerability has been resolved: tun: avoid double free in tun_free_netdev Avoid double free in tun_free_netdev() by moving thedev->tstats and tun->security allocs to a new ndo_init routine(tun_net_init()) that will be called by register_netdevice().ndo_init...
CVE-2021-47087
In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix incorrect page free bug Pointer to the allocated pages (struct page *page) has alreadyprogressed towards the end of allocation. It is incorrect to perform__free_pages(page, order) using this pointer as we would free...
CVE-2021-47104
In the Linux kernel, the following vulnerability has been resolved: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() The wrong goto label was used for the error case and missed cleanup of thepkt allocation. Addresses-Coverity-ID: 1493352 ("Resource leak")
CVE-2021-47107
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix READDIR buffer overflow If a client sends a READDIR count argument that is too small (say,zero), then the buffer size calculation in the new init_dirlisthelper functions results in an underflow, allowing the XDR streamfun...
CVE-2021-47105
In the Linux kernel, the following vulnerability has been resolved: ice: xsk: return xsk buffers back to pool when cleaning the ring Currently we only NULL the xdp_buff pointer in the internal SW ring butwe never give it back to the xsk buffer pool. This means that bufferscan be leaked out of the b...
CVE-2021-47090
In the Linux kernel, the following vulnerability has been resolved: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() Hulk Robot reported a panic in put_page_testzero() when testingmadvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retryingget_any_page(). This is becau...
CVE-2021-47086
In the Linux kernel, the following vulnerability has been resolved: phonet/pep: refuse to enable an unbound pipe This ioctl() implicitly assumed that the socket was already bound toa valid local socket name, i.e. Phonet object. If the socket was notbound, two separate problems would occur: We'd sen...
CVE-2021-47095
In the Linux kernel, the following vulnerability has been resolved: ipmi: ssif: initialize ssif_info->client early During probe ssif_info->client is dereferenced in error path. However,it is set when some of the error checking has already been done. Thiscauses following kernel crash if an err...
CVE-2021-47563
In the Linux kernel, the following vulnerability has been resolved: ice: avoid bpf_prog refcount underflow Ice driver has the routines for managing XDP resources that are sharedbetween ndo_bpf op and VSI rebuild flow. The latter takes place forexample when user changes queue count on an interface v...
CVE-2021-47102
In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix incorrect structure access In line:upper = info->upper_dev;We access upper_dev field, which is related only for particular events(e.g. event == NETDEV_CHANGEUPPER). So, this line cause invalid memorya...
CVE-2021-47517
In the Linux kernel, the following vulnerability has been resolved: ethtool: do not perform operations on net devices being unregistered There is a short period between a net device starts to be unregisteredand when it is actually gone. In that time frame ethtool operationscould still be performed,...
CVE-2021-47212
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error,which indicates that the driver started the destroy process.In this case, when a destroy command is being executed,...
CVE-2021-47217
In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails Check for a valid hv_vp_index array prior to derefencing hv_vp_index whensetting Hyper-V's TSC change callback. If Hyper-V setup failed inhyperv_init(), the...
CVE-2021-47188
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65cCall trace:ufshcd_queuecommand+0x468/0x65cscsi_...
CVE-2021-47201
In the Linux kernel, the following vulnerability has been resolved: iavf: free q_vectors before queues in iavf_disable_vf iavf_free_queues() clears adapter->num_active_queues, whichiavf_free_q_vectors() relies on, so swap the order of these two functioncalls in iavf_disable_vf(). This resolves a...
CVE-2021-47106
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() We need to use list_for_each_entry_safe() iteratorbecause we can not access @catchall after kfree_rcu() call. syzbot reported: BUG: KASAN: use-after-free in nft...
CVE-2021-47551
In the Linux kernel, the following vulnerability has been resolved: drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again In SRIOV configuration, the reset may failed to bring asic back to normal but stop cpschalready been called, the start_cpsch will not be called since there...
CVE-2021-47602
In the Linux kernel, the following vulnerability has been resolved: mac80211: track only QoS data frames for admission control For admission control, obviously all of that only works forQoS data frames, otherwise we cannot even access the QoSfield in the header. Syzbot reported (see below) an unini...
CVE-2021-47603
In the Linux kernel, the following vulnerability has been resolved: audit: improve robustness of the audit queue handling If the audit daemon were ever to get stuck in a stopped state thekernel's kauditd_thread() could get blocked attempting to send auditrecords to the userspace audit daemon. With ...
CVE-2021-47091
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix locking in ieee80211_start_ap error path We need to hold the local->mtx to release the channel context,as even encoded by the lockdep_assert_held() there. Fix it.
CVE-2021-47100
In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Hi, When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,the system crashed. The log as follows:[ 141.087026] BUG: unable to handle kernel paging re...
CVE-2021-47214
In the Linux kernel, the following vulnerability has been resolved: hugetlb, userfaultfd: fix reservation restore on userfaultfd error Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if webail out using "goto out_release_unlock;" in the cases where idx >=size, or !huge_pte_none(...
CVE-2021-47218
In the Linux kernel, the following vulnerability has been resolved: selinux: fix NULL-pointer dereference when hashtab allocation fails When the hash table slot array allocation fails in hashtab_init(),h->size is left initialized with a non-zero value, but the h->htablepointer is NULL. This m...
CVE-2021-47534
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Add missing drm_crtc_commit_put Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before acommit") introduced a global state for the HVS, with each FIFO storingthe current CRTC commit so that we can prop...
CVE-2021-47547
In the Linux kernel, the following vulnerability has been resolved: net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound In line 5001, if all id in the array 'lp->phy[8]' is not 0, when the'for' end, the 'k' is 8. At this time, the array 'lp->phy[8]' may be ou...
CVE-2021-47586
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup KASAN reports an out-of-bounds read in rk_gmac_setup on the line: while (ops->regs[i]) { This happens for most platforms since the regs flexible array member isempty, so the m...
CVE-2021-47096
In the Linux kernel, the following vulnerability has been resolved: ALSA: rawmidi - fix the uninitalized user_pversion The user_pversion was uninitialized for the user space file structurein the open function, because the file private structure usekmalloc for the allocation. The kernel ALSA sequenc...
CVE-2021-47189
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory ordering between normal and ordered work functions Ordered work functions aren't guaranteed to be handled by the same threadwhich executed the normal work functions. The only way execution betweennormal/ordered fu...
CVE-2021-47552
In the Linux kernel, the following vulnerability has been resolved: blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release() For avoiding to slow down queue destroy, we don't callblk_mq_quiesce_queue() in blk_cleanup_queue(), instead of delaying tocancel dispatch work in blk...
CVE-2021-47557
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_ets: don't peek at classes beyond 'nbands' when the number of DRR classes decreases, the round-robin active list cancontain elements that have already been freed in ets_qdisc_change(). As aconsequence, it's possible ...
CVE-2021-47562
In the Linux kernel, the following vulnerability has been resolved: ice: fix vsi->txq_map sizing The approach of having XDP queue per CPU regardless of user's settingexposed a hidden bug that could occur in case when Rx queue count differfrom Tx queue count. Currently vsi->txq_map's size is e...
CVE-2021-47089
In the Linux kernel, the following vulnerability has been resolved: kfence: fix memory leak when cat kfence objects Hulk robot reported a kmemleak problem: unreferenced object 0xffff93d1d8cc02e8 (size 248): comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s) hex dump (first 32 bytes): 00 40...
CVE-2021-47192
In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero afterofflinining device") The problem is that after iSCSI recovery, iscsi...