Linux Kernel vulnerabilities

CVE-2023-53635 [MEDIUM] CVE-2023-53635: In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: fix wrong In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: fix wrong ct->timeout value (struct nf_conn)->timeout is an interval before the conntrack confirmed. After confirmed, it becomes a timestamp. It is observed that timeout of an unconfirmed conntrack: - Set by calling ctnetlink_change_timeout(). As a result, `nfct_tim

CVE-2022-50512 [MEDIUM] CWE-401 CVE-2022-50512: In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential memory leak In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential memory leak in ext4_fc_record_regions() As krealloc may return NULL, in this case 'state->fc_regions' may not be freed by krealloc, but 'state->fc_regions' already set NULL. Then will lead to 'state->fc_regions' memory leak.

CVE-2022-50529 [MEDIUM] CWE-401 CVE-2022-50529: In the Linux kernel, the following vulnerability has been resolved: test_firmware: fix memory leak In the Linux kernel, the following vulnerability has been resolved: test_firmware: fix memory leak in test_firmware_init() When misc_register() failed in test_firmware_init(), the memory pointed by test_fw_config->name is not released. The memory leak information is as follows: unreferenced object 0xffff88810a34cb00 (size 32): comm "insmod", pid 79

CVE-2023-53661 [MEDIUM] CWE-190 CVE-2023-53661: In the Linux kernel, the following vulnerability has been resolved: bnxt: avoid overflow in bnxt_ge In the Linux kernel, the following vulnerability has been resolved: bnxt: avoid overflow in bnxt_get_nvram_directory() The value of an arithmetic expression is subject of possible overflow due to a failure to cast operands to a larger data type before performing arithmetic. Used macro for multiplication instead operator for avoiding overflow. Fou

CVE-2022-50524 [MEDIUM] CWE-476 CVE-2022-50524: In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Check return va In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Check return value after calling platform_get_resource() platform_get_resource() may return NULL pointer, we need check its return value to avoid null-ptr-deref in resource_size().

CVE-2022-50531 [MEDIUM] CWE-401 CVE-2022-50531: In the Linux kernel, the following vulnerability has been resolved: tipc: fix an information leak i In the Linux kernel, the following vulnerability has been resolved: tipc: fix an information leak in tipc_topsrv_kern_subscr Use a 8-byte write to initialize sub.usr_handle in tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized when issuing setsockopt(..., SOL_TIPC, ...). This resulted in an infoleak reported by KMSAN when the pac

CVE-2023-53644 [MEDIUM] CVE-2023-53644: In the Linux kernel, the following vulnerability has been resolved: media: radio-shark: Add endpoin In the Linux kernel, the following vulnerability has been resolved: media: radio-shark: Add endpoint checks The syzbot fuzzer was able to provoke a WARNING from the radio-shark2 driver: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers

CVE-2022-50509 [MEDIUM] CWE-476 CVE-2022-50509: In the Linux kernel, the following vulnerability has been resolved: media: coda: Add check for kmal In the Linux kernel, the following vulnerability has been resolved: media: coda: Add check for kmalloc As the kmalloc may return NULL pointer, it should be better to check the return value in order to avoid NULL poineter dereference, same as the others.

CVE-2023-53677 [MEDIUM] CWE-401 CVE-2023-53677: In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix memory leaks in i In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix memory leaks in i915 selftests This patch fixes memory leaks on error escapes in function fake_get_pages (cherry picked from commit 8bfbdadce85c4c51689da10f39c805a7106d4567)

CVE-2023-53682 [MEDIUM] CWE-401 CVE-2023-53682: In the Linux kernel, the following vulnerability has been resolved: hwmon: (xgene) Fix ioremap and In the Linux kernel, the following vulnerability has been resolved: hwmon: (xgene) Fix ioremap and memremap leak Smatch reports: drivers/hwmon/xgene-hwmon.c:757 xgene_hwmon_probe() warn: 'ctx->pcc_comm_addr' from ioremap() not released on line: 757. This is because in drivers/hwmon/xgene-hwmon.c:701 xgene_hwmon_probe(), ioremap and memremap is no

CVE-2022-50555 [MEDIUM] CWE-476 CVE-2022-50555: In the Linux kernel, the following vulnerability has been resolved: tipc: fix a null-ptr-deref in t In the Linux kernel, the following vulnerability has been resolved: tipc: fix a null-ptr-deref in tipc_topsrv_accept syzbot found a crash in tipc_topsrv_accept: KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] Workqueue: tipc_rcv tipc_topsrv_accept RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487 Call Trace: tipc_topsr

CVE-2023-53667 [MEDIUM] CWE-476 CVE-2023-53667: In the Linux kernel, the following vulnerability has been resolved: net: cdc_ncm: Deal with too low In the Linux kernel, the following vulnerability has been resolved: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than the calculated "min" value, but greater than zero, the logic sets tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in cdc_ncm_fill_tx_f

CVE-2023-53637 [MEDIUM] CWE-401 CVE-2023-53637: In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov772x: Fix memleak In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov772x: Fix memleak in ov772x_probe() A memory leak was reported when testing ov772x with bpf mock device: AssertionError: unreferenced object 0xffff888109afa7a8 (size 8): comm "python3", pid 279, jiffies 4294805921 (age 20.681s) hex dump (first 8 bytes): 80 22 88 15

CVE-2023-53679 [MEDIUM] CWE-191 CVE-2023-53679: In the Linux kernel, the following vulnerability has been resolved: wifi: mt7601u: fix an integer u In the Linux kernel, the following vulnerability has been resolved: wifi: mt7601u: fix an integer underflow Fix an integer underflow that leads to a null pointer dereference in 'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet could be manipulated, which could trigger an integer underflow of 'seg_len' in 'mt7601u_rx_process_seg

CVE-2022-50533 [MEDIUM] CWE-476 CVE-2022-50533: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: mlme: fix null- In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: mlme: fix null-ptr deref on failed assoc If association to an AP without a link 0 fails, then we crash in tracing because it assumes that either ap_mld_addr or link 0 BSS is valid, since we clear sdata->vif.valid_links and then don't add the ap_mld_addr to the stru

CVE-2023-53681 [MEDIUM] CWE-476 CVE-2023-53681: In the Linux kernel, the following vulnerability has been resolved: bcache: Fix __bch_btree_node_al In the Linux kernel, the following vulnerability has been resolved: bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent In some specific situations, the return value of __bch_btree_node_alloc may be NULL. This may lead to a potential NULL pointer dereference in caller function like a calling chain : btree_split->bch_btree_no

CVE-2023-53662 [MEDIUM] CWE-401 CVE-2023-53662: In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leaks in ext4_ In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} If the filename casefolding fails, we'll be leaking memory from the fscrypt_name struct, namely from the 'crypto_buf.name' member. Make sure we free it in the error path on both ext4_fname_setup_filename() and e

CVE-2023-53623 [MEDIUM] CWE-362 CVE-2023-53623: In the Linux kernel, the following vulnerability has been resolved: mm/swap: fix swap_info_struct r In the Linux kernel, the following vulnerability has been resolved: mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() The si->lock must be held when deleting the si from the available list. Otherwise, another thread can re-add the si to the available list, which can lead to memory corruption. The only place we have found wher

CVE-2023-53685 [MEDIUM] CWE-401 CVE-2023-53685: In the Linux kernel, the following vulnerability has been resolved: tun: Fix memory leak for detach In the Linux kernel, the following vulnerability has been resolved: tun: Fix memory leak for detached NAPI queue. syzkaller reported [0] memory leaks of sk and skb related to the TUN device with no repro, but we can reproduce it easily with: struct ifreq ifr = {} int fd_tun, fd_tmp; char buf[4] = {}; fd_tun = openat(AT_FDCWD, "/dev/net/tun", O_W

CVE-2022-50515 [MEDIUM] CWE-401 CVE-2022-50515: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue() If construction of the array of work queues to handle hpd_rx_irq offload work fails, we need to unwind. Destroy all the created workqueues and the allocated memory for the hpd_rx_irq_offload_work_queue struct array.