Filtered by vendor Linux
Subscribe
Total
15226 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-47279 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()
It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.
|
|||||
| CVE-2021-47278 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()
This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re ...
Show More |
|||||
| CVE-2021-47273 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled
When only PHY1 is used (for example on Odroid-HC4), the regmap init code
uses the usb2 ports when doesn't initialize the PHY1 regmap entry.
This fixes:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
pc : regmap_update_bits_base+0x40/0xa0
lr : dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8
...
Call trace:
regmap_update_bits_ba ...
Show More |
|||||
| CVE-2021-47302 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
igc: Fix use-after-free error during reset
Cleans the next descriptor to watch (next_to_watch) when cleaning the
TX ring.
Failure to do so can cause invalid memory accesses. If igc_poll() runs
while the controller is being reset this can lead to the driver try to
free a skb that was already freed.
Log message:
[ 101.525242] refcount_t: underflow; use-after-free.
[ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:2 ...
Show More |
|||||
| CVE-2021-47301 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
igb: Fix use-after-free error during reset
Cleans the next descriptor to watch (next_to_watch) when cleaning the
TX ring.
Failure to do so can cause invalid memory accesses. If igb_poll() runs
while the controller is reset this can lead to the driver try to free
a skb that was already freed.
(The crash is harder to reproduce with the igb driver, but the same
potential problem exists as the code is identical to igc)
|
|||||
| CVE-2021-47300 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix tail_call_reachable rejection for interpreter when jit failed
During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly
and fix use-after-free") under various failure conditions, for example, when
jit_subprogs() fails and tries to clean up the program to be run under the
interpreter, we ran into the following freeze:
[...]
#127/8 tailcall_bpf2bpf_3:FAIL
[...]
[ 92.041251] BUG: KASAN: sl ...
Show More |
|||||
| CVE-2021-47299 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
xdp, net: Fix use-after-free in bpf_xdp_link_release
The problem occurs between dev_get_by_index() and dev_xdp_attach_link().
At this point, dev_xdp_uninstall() is called. Then xdp link will not be
detached automatically when dev is released. But link->dev already
points to dev, when xdp link is released, dev will still be accessed,
but dev has been released.
dev_get_by_index() |
link->dev = dev |
...
Show More |
|||||
| CVE-2021-47268 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port
A pending hrtimer may expire after the kthread_worker of tcpm port
is destroyed, see below kernel dump when do module unload, fix it
by cancel the 2 hrtimers.
[ 111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880
[ 111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys ...
Show More |
|||||
| CVE-2021-47266 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
RDMA/ipoib: Fix warning caused by destroying non-initial netns
After the commit 5ce2dced8e95 ("RDMA/ipoib: Set rtnl_link_ops for ipoib
interfaces"), if the IPoIB device is moved to non-initial netns,
destroying that netns lets the device vanish instead of moving it back to
the initial netns, This is happening because default_device_exit() skips
the interfaces due to having rtnl_link_ops set.
Steps to reporoduce:
ip netns ad ...
Show More |
|||||
| CVE-2022-48695 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix use-after-free warning
Fix the following use-after-free warning which is observed during
controller reset:
refcount_t: underflow; use-after-free.
WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0
|
|||||
| CVE-2024-27392 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()
When nvme_identify_ns() fails, it frees the pointer to the struct
nvme_id_ns before it returns. However, ns_update_nuse() calls kfree()
for the pointer even when nvme_identify_ns() fails. This results in
KASAN double-free, which was observed with blktests nvme/045 with
proposed patches [1] on the kernel v6.8-rc7. Fix the double-free by
skipping kfree() when n ...
Show More |
|||||
| CVE-2021-47328 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi: Fix conn use after free during resets
If we haven't done a unbind target call we can race where
iscsi_conn_teardown wakes up the EH thread and then frees the conn while
those threads are still accessing the conn ehwait.
We can only do one TMF per session so this just moves the TMF fields from
the conn to the session. We can then rely on the
iscsi_session_teardown->iscsi_remove_session->__iscsi_unbind_session call ...
Show More |
|||||
| CVE-2021-47321 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
watchdog: Fix possible use-after-free by calling del_timer_sync()
This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-sche ...
Show More |
|||||
| CVE-2021-47318 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
arch_topology: Avoid use-after-free for scale_freq_data
Currently topology_scale_freq_tick() (which gets called from
scheduler_tick()) may end up using a pointer to "struct
scale_freq_data", which was previously cleared by
topology_clear_scale_freq_source(), as there is no protection in place
here. The users of topology_clear_scale_freq_source() though needs a
guarantee that the previously cleared scale_freq_data isn't used
an ...
Show More |
|||||
| CVE-2021-47311 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net: qcom/emac: fix UAF in emac_remove
adpt is netdev private data and it cannot be
used after free_netdev() call. Using adpt after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.
|
|||||
| CVE-2021-47310 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net: ti: fix UAF in tlan_remove_one
priv is netdev private data and it cannot be
used after free_netdev() call. Using priv after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.
|
|||||
| CVE-2021-47361 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
mcb: fix error handling in mcb_alloc_bus()
There are two bugs:
1) If ida_simple_get() fails then this code calls put_device(carrier)
but we haven't yet called get_device(carrier) and probably that
leads to a use after free.
2) After device_initialize() then we need to use put_device() to
release the bus. This will free the internal resources tied to the
device and call mcb_free_bus() which will free the rest.
|
|||||
| CVE-2021-47358 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
staging: greybus: uart: fix tty use after free
User space can hold a tty open indefinitely and tty drivers must not
release the underlying structures until the last user is gone.
Switch to using the tty-port reference counter to manage the life time
of the greybus tty state to avoid use after free after a disconnect.
|
|||||
| CVE-2021-47357 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
atm: iphase: fix possible use-after-free in ia_module_exit()
This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule ...
Show More |
|||||
| CVE-2021-47355 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedul ...
Show More |
|||||
| CVE-2021-47342 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix possible UAF when remounting r/o a mmp-protected file system
After commit 618f003199c6 ("ext4: fix memory leak in
ext4_fill_super"), after the file system is remounted read-only, there
is a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to
point at freed memory, which the call to ext4_stop_mmpd() can trip
over.
Fix this by only allowing kmmpd() to exit when it is stopped via
ext4_stop_mmpd().
Bug-Repo ...
Show More |
|||||
| CVE-2021-47334 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
misc/libmasm/module: Fix two use after free in ibmasm_init_one
In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
allocated by input_allocate_device(), and assigned to
sp->remote.mouse_dev and sp->remote.keybd_dev respectively.
In the err_free_devices error branch of ibmasm_init_one,
mouse_dev and keybd_dev are freed by input_free_device(), and return
...
Show More |
|||||
| CVE-2021-47362 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: Update intermediate power state for SI
Update the current state as boot state during dpm initialization.
During the subsequent initialization, set_power_state gets called to
transition to the final power state. set_power_state refers to values
from the current state and without current state populated, it could
result in NULL pointer dereference.
For ex: on platforms where PCI speed change is supported through ACP ...
Show More |
|||||
| CVE-2021-47309 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.1 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net: validate lwtstate->data before returning from skb_tunnel_info()
skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info
type without validation. lwtstate->data can have various types such as
mpls_iptunnel_encap, etc and these are not compatible.
So skb_tunnel_info() should validate before returning that pointer.
Splat looks like:
BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]
Read of ...
Show More |
|||||
| CVE-2021-47307 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent NULL deref in cifs_compose_mount_options()
The optional @ref parameter might contain an NULL node_name, so
prevent dereferencing it in cifs_compose_mount_options().
Addresses-Coverity: 1476408 ("Explicit null dereferenced")
|
|||||
| CVE-2021-47306 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net: fddi: fix UAF in fza_probe
fp is netdev private data and it cannot be
used after free_netdev() call. Using fp after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() after error message.
TURBOchannel adapter")
|
|||||
| CVE-2021-47303 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
bpf: Track subprog poke descriptors correctly and fix use-after-free
Subprograms are calling map_poke_track(), but on program release there is no
hook to call map_poke_untrack(). However, on program release, the aux memory
(and poke descriptor table) is freed even though we still have a reference to
it in the element list of the map aux data. When we run map_poke_run(), we then
end up accessing free'd memory, triggering KASAN ...
Show More |
|||||
| CVE-2021-47373 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3-its: Fix potential VPE leak on error
In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error,
there is an off-by-one in the number of VPEs to be freed.
Fix it by simply passing the number of VPEs allocated, which is the
index of the loop iterating over the VPEs.
[maz: fixed commit message]
|
|||||
| CVE-2021-47372 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix use after free on rmmod
plat_dev->dev->platform_data is released by platform_device_unregister(),
use of pclk and hclk is a use-after-free. Since device unregister won't
need a clk device we adjust the function call sequence to fix this issue.
[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
[ 31.275563] Freed by task 306:
[ 30.276782] platform_device_release+0x25/0x80
|
|||||
| CVE-2021-47364 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix memory leak in compat_insnlist()
`compat_insnlist()` handles the 32-bit version of the `COMEDI_INSNLIST`
ioctl (whenwhen `CONFIG_COMPAT` is enabled). It allocates memory to
temporarily hold an array of `struct comedi_insn` converted from the
32-bit version in user space. This memory is only being freed if there
is a fault while filling the array, otherwise it is leaked.
Add a call to `kfree()` to fix the leak.
|
|||||
| CVE-2021-47363 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
nexthop: Fix division by zero while replacing a resilient group
The resilient nexthop group torture tests in fib_nexthop.sh exposed a
possible division by zero while replacing a resilient group [1]. The
division by zero occurs when the data path sees a resilient nexthop
group with zero buckets.
The tests replace a resilient nexthop group in a loop while traffic is
forwarded through it. The tests do not specify the number of b ...
Show More |
|||||
| CVE-2021-46990 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: Fix crashes when toggling entry flush barrier
The entry flush mitigation can be enabled/disabled at runtime via a
debugfs file (entry_flush), which causes the kernel to patch itself to
enable/disable the relevant mitigations.
However depending on which mitigation we're using, it may not be safe to
do that patching while other CPUs are active. For example the following
crash:
sleeper[15639]: segfault (11) at c0 ...
Show More |
|||||
| CVE-2021-46988 | 1 Linux | 1 Linux Kernel | 2024-12-26 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
userfaultfd: release page in error path to avoid BUG_ON
Consider the following sequence of events:
1. Userspace issues a UFFD ioctl, which ends up calling into
shmem_mfill_atomic_pte(). We successfully account the blocks, we
shmem_alloc_page(), but then the copy_from_user() fails. We return
-ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after
drop ...
Show More |
|||||
| CVE-2021-47338 | 1 Linux | 1 Linux Kernel | 2024-12-24 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
fbmem: Do not delete the mode that is still in use
The execution of fb_delete_videomode() is not based on the result of the
previous fbcon_mode_deleted(). As a result, the mode is directly deleted,
regardless of whether it is still in use, which may cause UAF.
==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \
drivers/video/fbdev/core/modedb.c:924
Re ...
Show More |
|||||
| CVE-2021-47314 | 1 Linux | 1 Linux Kernel | 2024-12-24 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
memory: fsl_ifc: fix leak of private memory on probe failure
On probe error the driver should free the memory allocated for private
structure. Fix this by using resource-managed allocation.
|
|||||
| CVE-2021-47260 | 1 Linux | 1 Linux Kernel | 2024-12-24 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix a potential NULL dereference in nfs_get_client()
None of the callers are expecting NULL returns from nfs_get_client() so
this code will lead to an Oops. It's better to return an error
pointer. I expect that this is dead code so hopefully no one is
affected.
|
|||||
| CVE-2021-47264 | 1 Linux | 1 Linux Kernel | 2024-12-24 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
ASoC: core: Fix Null-point-dereference in fmt_single_name()
Check the return value of devm_kstrdup() in case of
Null-point-dereference.
|
|||||
| CVE-2021-47269 | 1 Linux | 1 Linux Kernel | 2024-12-24 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: ep0: fix NULL pointer exception
There is no validation of the index from dwc3_wIndex_to_dep() and we might
be referring a non-existing ep and trigger a NULL pointer exception. In
certain configurations we might use fewer eps and the index might wrongly
indicate a larger ep index than existing.
By adding this validation from the patch we can actually report a wrong
index back to the caller.
In our usecase we are us ...
Show More |
|||||
| CVE-2021-47270 | 1 Linux | 1 Linux Kernel | 2024-12-24 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: fix various gadgets null ptr deref on 10gbps cabling.
This avoids a null pointer dereference in
f_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}
by simply reusing the 5gbps config for 10gbps.
|
|||||
| CVE-2021-47280 | 1 Linux | 1 Linux Kernel | 2024-12-24 | N/A | 7.0 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm: Fix use-after-free read in drm_getunique()
There is a time-of-check-to-time-of-use error in drm_getunique() due
to retrieving file_priv->master prior to locking the device's master
mutex.
An example can be seen in the crash report of the use-after-free error
found by Syzbot:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803
In the report, the master pointer was used after being freed. This is ...
Show More |
|||||