Linux Kernel vulnerabilities

CVE-2022-50411 [HIGH] CWE-416 CVE-2022-50411: In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix error code path in In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix error code path in acpi_ds_call_control_method() A use-after-free in acpi_ps_parse_aml() after a failing invocaion of acpi_ds_call_control_method() is reported by KASAN [1] and code inspection reveals that next_walk_state pushed to the thread by acpi_ds_create_walk_state(

CVE-2023-53427 [HIGH] CWE-416 CVE-2023-53427: In the Linux kernel, the following vulnerability has been resolved: cifs: Fix warning and UAF when In the Linux kernel, the following vulnerability has been resolved: cifs: Fix warning and UAF when destroy the MR list If the MR allocate failed, the MR recovery work not initialized and list not cleared. Then will be warning and UAF when release the MR: WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110 CPU: 4 PID: 8

CVE-2023-53414 [MEDIUM] CWE-401 CVE-2023-53414: In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix memory leak wit In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once.

CVE-2023-53438 [MEDIUM] CVE-2023-53438: In the Linux kernel, the following vulnerability has been resolved: x86/MCE: Always save CS registe In the Linux kernel, the following vulnerability has been resolved: x86/MCE: Always save CS register on AMD Zen IF Poison errors The Instruction Fetch (IF) units on current AMD Zen-based systems do not guarantee a synchronous #MC is delivered for poison consumption errors. Therefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the microarchitecture do

CVE-2022-50379 [MEDIUM] CWE-362 CVE-2022-50379: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between quota e In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between quota enable and quota rescan ioctl When enabling quotas, at btrfs_quota_enable(), after committing the transaction, we change fs_info->quota_root to point to the quota root we created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try to start t

CVE-2023-53440 [MEDIUM] CWE-476 CVE-2023-53440: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix sysfs interface lif In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix sysfs interface lifetime The current nilfs2 sysfs support has issues with the timing of creation and deletion of sysfs entries, potentially leading to null pointer dereferences, use-after-free, and lockdep warnings. Some of the sysfs attributes for nilfs2 per-filesyst

CVE-2023-53408 [MEDIUM] CWE-401 CVE-2023-53408: In the Linux kernel, the following vulnerability has been resolved: trace/blktrace: fix memory leak In the Linux kernel, the following vulnerability has been resolved: trace/blktrace: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at onc

CVE-2023-53439 [MEDIUM] CWE-401 CVE-2023-53439: In the Linux kernel, the following vulnerability has been resolved: net: skb_partial_csum_set() fix In the Linux kernel, the following vulnerability has been resolved: net: skb_partial_csum_set() fix against transport header magic value skb->transport_header uses the special 0xFFFF value to mark if the transport header was set or not. We must prevent callers to accidentaly set skb->transport_header to 0xFFFF. Note that only fuzzers can possibly

CVE-2023-53428 [MEDIUM] CWE-674 CVE-2023-53428: In the Linux kernel, the following vulnerability has been resolved: powercap: arm_scmi: Remove recu In the Linux kernel, the following vulnerability has been resolved: powercap: arm_scmi: Remove recursion while parsing zones Powercap zones can be defined as arranged in a hierarchy of trees and when registering a zone with powercap_register_zone(), the kernel powercap subsystem expects this to happen starting from the root zones down to the leave

CVE-2022-50390 [MEDIUM] CVE-2022-50390: In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix undefined behavior In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26 left shift of

CVE-2023-53425 [MEDIUM] CWE-476 CVE-2023-53425: In the Linux kernel, the following vulnerability has been resolved: media: platform: mediatek: vpu: In the Linux kernel, the following vulnerability has been resolved: media: platform: mediatek: vpu: fix NULL ptr dereference If pdev is NULL, then it is still dereferenced. This fixes this smatch warning: drivers/media/platform/mediatek/vpu/mtk_vpu.c:570 vpu_load_firmware() warn: address of NULL pointer 'pdev'

CVE-2022-50398 [MEDIUM] CVE-2022-50398: In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: add atomic_check to In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: add atomic_check to bridge ops DRM commit_tails() will disable downstream crtc/encoder/bridge if both disable crtc is required and crtc->active is set before pushing a new frame downstream. There is a rare case that user space display manager issue an extra screen update imme

CVE-2023-53393 [MEDIUM] CVE-2023-53393: In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_ib_get_hw_s In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_ib_get_hw_stats when used for device Currently, when mlx5_ib_get_hw_stats() is used for device (port_num = 0), there is a special handling in order to use the correct counters, but, port_num is being passed down the stack without any change. Also, some functions assume

CVE-2023-53444 [MEDIUM] CWE-476 CVE-2023-53444: In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix bulk_move corrupti In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix bulk_move corruption when adding a entry When the resource is the first in the bulk_move range, adding it again (thus moving it to the tail) will corrupt the list since the first pointer is not moved. This eventually lead to null pointer deref in ttm_lru_bulk_move_del

CVE-2022-50415 [MEDIUM] CWE-476 CVE-2022-50415: In the Linux kernel, the following vulnerability has been resolved: parisc: led: Fix potential null In the Linux kernel, the following vulnerability has been resolved: parisc: led: Fix potential null-ptr-deref in start_task() start_task() calls create_singlethread_workqueue() and not checked the ret value, which may return NULL. And a null-ptr-deref may happen: start_task() create_singlethread_workqueue() # failed, led_wq is NULL queue_delayed_

CVE-2023-53442 [MEDIUM] CWE-476 CVE-2023-53442: In the Linux kernel, the following vulnerability has been resolved: ice: Block switchdev mode when In the Linux kernel, the following vulnerability has been resolved: ice: Block switchdev mode when ADQ is active and vice versa ADQ and switchdev are not supported simultaneously. Enabling both at the same time can result in nullptr dereference. To prevent this, check if ADQ is active when changing devlink mode to switchdev mode, and check if swit

CVE-2022-50389 [MEDIUM] CWE-401 CVE-2022-50389: In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_crb: Add the missed ac In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak In crb_acpi_add(), we get the TPM2 table to retrieve information like start method, and then assign them to the priv data, so the TPM2 table is not used after the init, should be freed, call acpi_put_table() to fix t

CVE-2023-53407 [MEDIUM] CWE-401 CVE-2023-53407: In the Linux kernel, the following vulnerability has been resolved: USB: gadget: pxa27x_udc: fix me In the Linux kernel, the following vulnerability has been resolved: USB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the log

CVE-2023-53396 [MEDIUM] CWE-401 CVE-2023-53396: In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix memory leak in do_re In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix memory leak in do_rename If renaming a file in an encrypted directory, function fscrypt_setup_filename allocates memory for a file name. This name is never used, and before returning to the caller the memory for it is not freed. When running kmemleak on it we see that

CVE-2022-50399 [MEDIUM] CWE-190 CVE-2022-50399: In the Linux kernel, the following vulnerability has been resolved: media: atomisp: prevent integer In the Linux kernel, the following vulnerability has been resolved: media: atomisp: prevent integer overflow in sh_css_set_black_frame() The "height" and "width" values come from the user so the "height * width" multiplication can overflow.