Linux Kernel vulnerabilities

CVE-2022-50368 [HIGH] CWE-787 CVE-2022-50368: In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: fix memory corrupt In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: fix memory corruption with too many bridges Add the missing sanity check on the bridge counter to avoid corrupting data beyond the fixed-sized bridge array in case there are ever more than eight bridges. Patchwork: https://patchwork.freedesktop.org/patch/502668/

CVE-2022-50366 [HIGH] CWE-125 CVE-2022-50366: In the Linux kernel, the following vulnerability has been resolved: powercap: intel_rapl: fix UBSAN In the Linux kernel, the following vulnerability has been resolved: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue When value < time_unit, the parameter of ilog2() will be zero and the return value is -1. u64(-1) is too large for shift exponent and then will trigger shift-out-of-bounds: shift exponent 18446744073709551615 is too large fo

CVE-2022-50367 [HIGH] CWE-416 CVE-2022-50367: In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_md In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),

CVE-2023-53357 [HIGH] CWE-125 CVE-2023-53357: In the Linux kernel, the following vulnerability has been resolved: md/raid10: check slab-out-of-bo In the Linux kernel, the following vulnerability has been resolved: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() will return -EINVAL because 'page >= bitmap->pages', but the return value was not checked immediately in md_bitmap_get_counter() in order to set *bloc

CVE-2023-53363 [HIGH] CWE-416 CVE-2023-53363: In the Linux kernel, the following vulnerability has been resolved: PCI: Fix use-after-free in pci_ In the Linux kernel, the following vulnerability has been resolved: PCI: Fix use-after-free in pci_bus_release_domain_nr() Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") introduced a use-after-free bug in the bus removal cleanup. The issue was found with kfence: [ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_dom

CVE-2023-53340 [HIGH] CWE-129 CVE-2023-53340: In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Collect command failu In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Collect command failures data only for known commands DEVX can issue a general command, which is not used by mlx5 driver. In case such command is failed, mlx5 is trying to collect the failure data, However, mlx5 doesn't create a storage for this command, since mlx5 doesn't

CVE-2023-53356 [MEDIUM] CWE-476 CVE-2023-53356: In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Add null In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Add null pointer check in gserial_suspend Consider a case where gserial_disconnect has already cleared gser->ioport. And if gserial_suspend gets called afterwards, it will lead to accessing of gser->ioport and thus causing null pointer dereference. Avoid th

CVE-2023-53367 [MEDIUM] CWE-401 CVE-2023-53367: In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: fix mem leak In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: fix mem leak in capture user mappings This commit fixes a memory leak caused when clearing the user_mappings info when a new context is opened immediately after user_mapping is captured and a hard reset is performed.

CVE-2023-53364 [MEDIUM] CWE-476 CVE-2023-53364: In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: better fix n In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: better fix null deref with partial DT Two versions of the original patch were sent but V1 was merged instead of V2 due to a mistake. So update to V2. The advantage of V2 is that it completely avoids dereferencing the pointer, even just to take the address, whi

CVE-2022-50355 [MEDIUM] CWE-401 CVE-2022-50355: In the Linux kernel, the following vulnerability has been resolved: staging: vt6655: fix some erron In the Linux kernel, the following vulnerability has been resolved: staging: vt6655: fix some erroneous memory clean-up loops In some initialization functions of this driver, memory is allocated with 'i' acting as an index variable and increasing from 0. The commit in "Fixes" introduces some clean-up codes in case of allocation failure, which free

CVE-2022-50371 [MEDIUM] CWE-667 CVE-2022-50371: In the Linux kernel, the following vulnerability has been resolved: led: qcom-lpg: Fix sleeping in In the Linux kernel, the following vulnerability has been resolved: led: qcom-lpg: Fix sleeping in atomic lpg_brighness_set() function can sleep, while led's brightness_set() callback must be non-blocking. Change LPG driver to use brightness_set_blocking() instead. BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580 in

CVE-2023-53343 [MEDIUM] CWE-476 CVE-2023-53343: In the Linux kernel, the following vulnerability has been resolved: icmp6: Fix null-ptr-deref of ip In the Linux kernel, the following vulnerability has been resolved: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that has the link-local address as src and dst IP and will be forwarded to an external IP in the IPv6 Ext Hdr. For example, the script below gener

CVE-2023-53352 [MEDIUM] CWE-476 CVE-2023-53352: In the Linux kernel, the following vulnerability has been resolved: drm/ttm: check null pointer bef In the Linux kernel, the following vulnerability has been resolved: drm/ttm: check null pointer before accessing when swapping Add a check to avoid null pointer dereference as below: [ 90.002283] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 90.002292] KASAN: null-ptr-deref in

CVE-2022-50374 [MEDIUM] CWE-908 CVE-2022-50374: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_{ldisc,serdev}: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1], for rcu_sync_enter() is called without rcu_sync_init() due to hci_uart_tty_open() ignoring percpu_init_rwsem() failure. While we are at it, fi

CVE-2022-50373 [MEDIUM] CWE-362 CVE-2022-50373: In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix race in lowcomms In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix race in lowcomms This patch fixes a race between queue_work() in _dlm_lowcomms_commit_msg() and srcu_read_unlock(). The queue_work() can take the final reference of a dlm_msg and so msg->idx can contain garbage which is signaled by the following warning: [ 676.237050]

CVE-2023-53348 [MEDIUM] CWE-667 CVE-2023-53348: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock when aborti In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock when aborting transaction during relocation with scrub Before relocating a block group we pause scrub, then do the relocation and then unpause scrub. The relocation process requires starting and committing a transaction, and if we have a failure in the critical

CVE-2023-53336 [MEDIUM] CWE-476 CVE-2023-53336: In the Linux kernel, the following vulnerability has been resolved: media: ipu-bridge: Fix null poi In the Linux kernel, the following vulnerability has been resolved: media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings When ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run sensor->adev is not set yet. So if either of the dev_warn() calls about unknown values are hit this will lead to a NULL pointer deref. S

CVE-2022-50361 [MEDIUM] CWE-476 CVE-2022-50361: In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: add missing unr In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: add missing unregister_netdev() in wilc_netdev_ifc_init() Fault injection test reports this issue: kernel BUG at net/core/dev.c:10731! invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI Call Trace: wilc_netdev_ifc_init+0x19f/0x220 [wilc1000 884bf126e9e98af6a708f266a

CVE-2023-53335 [MEDIUM] CWE-476 CVE-2023-53335: In the Linux kernel, the following vulnerability has been resolved: RDMA/cxgb4: Fix potential null- In the Linux kernel, the following vulnerability has been resolved: RDMA/cxgb4: Fix potential null-ptr-deref in pass_establish() If get_ep_from_tid() fails to lookup non-NULL value for ep, ep is dereferenced later regardless of whether it is empty. This patch adds a simple sanity check to fix the issue. Found by Linux Verification Center (linuxte

CVE-2022-50362 [MEDIUM] CVE-2022-50362: In the Linux kernel, the following vulnerability has been resolved: dmaengine: hisilicon: Add multi In the Linux kernel, the following vulnerability has been resolved: dmaengine: hisilicon: Add multi-thread support for a DMA channel When we get a DMA channel and try to use it in multiple threads it will cause oops and hanging the system. % echo 100 > /sys/module/dmatest/parameters/threads_per_chan % echo 100 > /sys/module/dmatest/parameters/iterations