Filtered by vendor Linux
Subscribe
Total
15226 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-46959 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
spi: Fix use-after-free with devm_spi_alloc_*
We can't rely on the contents of the devres list during
spi_unregister_controller(), as the list is already torn down at the
time we perform devres_find() for devm_spi_release_controller. This
causes devices registered with devm_spi_alloc_{master,slave}() to be
mistakenly identified as legacy, non-devm managed devices and have their
reference counters decremented below 0.
-------- ...
Show More |
|||||
| CVE-2021-47065 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
rtw88: Fix array overrun in rtw_get_tx_power_params()
Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the
following array overrun is logged:
================================================================================
UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
index 5 is out of range for type 'u8 [5]'
CPU: 2 PID: 84 Co ...
Show More |
|||||
| CVE-2021-47058 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
regmap: set debugfs_name to NULL after it is freed
There is a upstream commit cffa4b2122f5("regmap:debugfs:
Fix a memory leak when calling regmap_attach_dev") that
adds a if condition when create name for debugfs_name.
With below function invoking logical, debugfs_name is
freed in regmap_debugfs_exit(), but it is not created again
because of the if condition introduced by above commit.
regmap_reinit_cache()
regmap_debugfs_exi ...
Show More |
|||||
| CVE-2021-47054 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
bus: qcom: Put child node before return
Put child node before return to fix potential reference count leak.
Generally, the reference count of child is incremented and decremented
automatically in the macro for_each_available_child_of_node() and should
be decremented manually if the loop is broken in loop body.
|
|||||
| CVE-2021-47020 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
soundwire: stream: fix memory leak in stream config error path
When stream config is failed, master runtime will release all
slave runtime in the slave_rt_list, but slave runtime is not
added to the list at this time. This patch frees slave runtime
in the config error path to fix the memory leak.
|
|||||
| CVE-2021-47059 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
crypto: sun8i-ss - fix result memory leak on error path
This patch fixes a memory leak on an error path.
|
|||||
| CVE-2021-47061 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU
If allocating a new instance of an I/O bus fails when unregistering a
device, wait to destroy the device until after all readers are guaranteed
to see the new null bus. Destroying devices before the bus is nullified
could lead to use-after-free since readers expect the devices on their
reference of the bus to remain valid.
|
|||||
| CVE-2021-47062 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs
Use the kvm_for_each_vcpu() helper to iterate over vCPUs when encrypting
VMSAs for SEV, which effectively switches to use online_vcpus instead of
created_vcpus. This fixes a possible null-pointer dereference as
created_vcpus does not guarantee a vCPU exists, since it is updated at
the very beginning of KVM_CREATE_VCPU. created_vcpus exists to allow the
bulk ...
Show More |
|||||
| CVE-2021-47063 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge/panel: Cleanup connector on bridge detach
If we don't call drm_connector_cleanup() manually in
panel_bridge_detach(), the connector will be cleaned up with the other
DRM objects in the call to drm_mode_config_cleanup(). However, since our
drm_connector is devm-allocated, by the time drm_mode_config_cleanup()
will be called, our connector will be long gone. Therefore, the
connector must be cleaned up when the bridge ...
Show More |
|||||
| CVE-2024-42151 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable
Test case dummy_st_ops/dummy_init_ret_value passes NULL as the first
parameter of the test_1() function. Mark this parameter as nullable to
make verifier aware of such possibility.
Otherwise, NULL check in the test_1() code:
SEC("struct_ops/test_1")
int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
{
if (!state)
...
Show More |
|||||
| CVE-2024-42150 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: txgbe: remove separate irq request for MSI and INTx
When using MSI or INTx interrupts, request_irq() for pdev->irq will
conflict with request_threaded_irq() for txgbe->misc.irq, to cause
system crash. So remove txgbe_request_irq() for MSI/INTx case, and
rename txgbe_request_msix_irqs() since it only request for queue irqs.
Add wx->misc_irq_domain to determine whether the driver creates an IRQ
domain and threaded request ...
Show More |
|||||
| CVE-2024-42149 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
fs: don't misleadingly warn during thaw operations
The block device may have been frozen before it was claimed by a
filesystem. Concurrently another process might try to mount that
frozen block device and has temporarily claimed the block device for
that purpose causing a concurrent fs_bdev_thaw() to end up here. The
mounter is already about to abort mounting because they still saw an
elevanted bdev->bd_fsfreeze_count so get_b ...
Show More |
|||||
| CVE-2024-50263 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
fork: only invoke khugepaged, ksm hooks if no error
There is no reason to invoke these hooks early against an mm that is in an
incomplete state.
The change in commit d24062914837 ("fork: use __mt_dup() to duplicate
maple tree in dup_mmap()") makes this more pertinent as we may be in a
state where entries in the maple tree are not yet consistent.
Their placement early in dup_mmap() only appears to have been meaningful
for ear ...
Show More |
|||||
| CVE-2021-47050 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
memory: renesas-rpc-if: fix possible NULL pointer dereference of resource
The platform_get_resource_byname() can return NULL which would be
immediately dereferenced by resource_size(). Instead dereference it
after validating the resource.
Addresses-Coverity: Dereference null return value
|
|||||
| CVE-2021-47049 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Use after free in __vmbus_open()
The "open_info" variable is added to the &vmbus_connection.chn_msg_list,
but the error handling frees "open_info" without removing it from the
list. This will result in a use after free. First remove it from the
list, and then free it.
|
|||||
| CVE-2021-47048 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op
When handling op->addr, it is using the buffer "tmpbuf" which has been
freed. This will trigger a use-after-free KASAN warning. Let's use
temporary variables to store op->addr.val and op->cmd.opcode to fix
this issue.
|
|||||
| CVE-2021-47046 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix off by one in hdmi_14_process_transaction()
The hdcp_i2c_offsets[] array did not have an entry for
HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one
read overflow. I added an entry and copied the 0x0 value for the offset
from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.
I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX
entries. This doesn't ...
Show More |
|||||
| CVE-2023-52475 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
Input: powermate - fix use-after-free in powermate_config_complete
syzbot has found a use-after-free bug [1] in the powermate driver. This
happens when the device is disconnected, which leads to a memory free from
the powermate_device struct. When an asynchronous control message
completes after the kfree and its callback is invoked, the lock does not
exist anymore and hence the bug.
Use usb_kill_urb() on pm->config to cancel ...
Show More |
|||||
| CVE-2021-47053 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
crypto: sun8i-ss - Fix memory leak of pad
It appears there are several failure return paths that don't seem
to be free'ing pad. Fix these.
Addresses-Coverity: ("Resource leak")
|
|||||
| CVE-2021-47052 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
crypto: sa2ul - Fix memory leak of rxd
There are two error return paths that are not freeing rxd and causing
memory leaks. Fix these.
Addresses-Coverity: ("Resource leak")
|
|||||
| CVE-2021-47051 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()
pm_runtime_get_sync will increment pm usage counter even it failed.
Forgetting to putting operation will result in reference leak here.
Fix it by replacing it with pm_runtime_resume_and_get to keep usage
counter balanced.
|
|||||
| CVE-2021-47081 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
habanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory
Our code analyzer reported a uaf.
In gaudi_memset_device_memory, cb is get via hl_cb_kernel_create()
with 2 refcount.
If hl_cs_allocate_job() failed, the execution runs into release_cb
branch. One ref of cb is dropped by hl_cb_put(cb) and could be freed
if other thread also drops one ref. Then cb is used by cb->id later,
which is a potential uaf.
...
Show More |
|||||
| CVE-2021-47080 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Prevent divide-by-zero error triggered by the user
The user_entry_size is supplied by the user and later used as a
denominator to calculate number of entries. The zero supplied by the user
will trigger the following divide-by-zero error:
divide error: 0000 [#1] SMP KASAN PTI
CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a ...
Show More |
|||||
| CVE-2021-47079 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: ideapad-laptop: fix a NULL pointer dereference
The third parameter of dytc_cql_command should not be NULL since it will
be dereferenced immediately.
|
|||||
| CVE-2023-52477 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: hub: Guard against accesses to uninitialized BOS descriptors
Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h
access fields inside udev->bos without checking if it was allocated and
initialized. If usb_get_bos_descriptor() fails for whatever
reason, udev->bos will be NULL and those accesses will result in a
crash:
BUG: kernel NULL pointer dereference, address: 0000000000000018
PGD 0 P4D 0
Oops: 0000 [# ...
Show More |
|||||
| CVE-2021-47003 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix potential null dereference on pointer status
There are calls to idxd_cmd_exec that pass a null status pointer however
a recent commit has added an assignment to *status that can end up
with a null pointer dereference. The function expects a null status
pointer sometimes as there is a later assignment to *status where
status is first null checked. Fix the issue by null checking status
before making the as ...
Show More |
|||||
| CVE-2021-47002 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix null pointer dereference in svc_rqst_free()
When alloc_pages_node() returns null in svc_rqst_alloc(), the
null rq_scratch_page pointer will be dereferenced when calling
put_page() in svc_rqst_free(). Fix it by adding a null check.
Addresses-Coverity: ("Dereference after null check")
|
|||||
| CVE-2021-47012 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix a use after free in siw_alloc_mr
Our code analyzer reported a UAF.
In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via
kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a
freed object. After, the execution continue up to the err_out branch of
siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop ...
Show More |
|||||
| CVE-2021-47009 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: Fix memory leak on object td
Two error return paths are neglecting to free allocated object td,
causing a memory leak. Fix this by returning via the error return
path that securely kfree's td.
Fixes clang scan-build warning:
security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential
memory leak [unix.Malloc]
|
|||||
| CVE-2021-47008 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Make sure GHCB is mapped before updating
Access to the GHCB is mainly in the VMGEXIT path and it is known that the
GHCB will be mapped. But there are two paths where it is possible the GHCB
might not be mapped.
The sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform
the caller of the AP Reset Hold NAE event that a SIPI has been delivered.
However, if a SIPI is performed without a corresponding AP R ...
Show More |
|||||
| CVE-2021-47005 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix NULL pointer dereference for ->get_features()
get_features ops of pci_epc_ops may return NULL, causing NULL pointer
dereference in pci_epf_test_alloc_space function. Let us add a check for
pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid
any such NULL pointer dereference and return -ENOTSUPP in case
pci_epc_feature is not found.
When the patch is not applied and EPC features is not ...
Show More |
|||||
| CVE-2021-47022 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7615: fix memleak when mt7615_unregister_device()
mt7615_tx_token_put() should get call before mt76_free_pending_txwi().
|
|||||
| CVE-2021-47021 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7915: fix memleak when mt7915_unregister_device()
mt7915_tx_token_put() should get call before mt76_free_pending_txwi().
|
|||||
| CVE-2021-47017 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ath10k: Fix a use after free in ath10k_htc_send_bundle
In ath10k_htc_send_bundle, the bundle_skb could be freed by
dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later
by bundle_skb->len.
As skb_len = bundle_skb->len, my patch replaces bundle_skb->len to
skb_len after the bundle_skb was freed.
|
|||||
| CVE-2021-47013 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
If some error happens in emac_tx_fill_tpd(), the skb will be freed via
dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).
As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,
thus my patch ass ...
Show More |
|||||
| CVE-2024-53085 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
tpm: Lock TPM chip in tpm_pm_suspend() first
Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy
according, as this leaves window for tpm_hwrng_read() to be called while
the operation is in progress. The recent bug report gives also evidence of
this behaviour.
Aadress this by locking the TPM chip before checking any chip->flags both
in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED
...
Show More |
|||||
| CVE-2024-49914 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe
This commit addresses a null pointer dereference issue in the
`dcn20_program_pipe` function. The issue could occur when
`pipe_ctx->plane_state` is null.
The fix adds a check to ensure `pipe_ctx->plane_state` is not null
before accessing. This prevents a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dc ...
Show More |
|||||
| CVE-2024-49906 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointer before try to access it
[why & how]
Change the order of the pipe_ctx->plane_state check to ensure that
plane_state is not null before accessing it.
|
|||||
| CVE-2024-44963 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not BUG_ON() when freeing tree block after error
When freeing a tree block, at btrfs_free_tree_block(), if we fail to
create a delayed reference we don't deal with the error and just do a
BUG_ON(). The error most likely to happen is -ENOMEM, and we have a
comment mentioning that only -ENOMEM can happen, but that is not true,
because in case qgroups are enabled any error returned from
btrfs_qgroup_trace_extent_post() ...
Show More |
|||||
| CVE-2024-43913 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
nvme: apple: fix device reference counting
Drivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.
Split the allocation side out to make the error handling boundary easier
to navigate. The apple driver had been doing this wrong, leaking the
controller device memory on a tagset failure.
|
|||||