An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.

CVE-2019-15222

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVE-2019-15216

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.

CVE-2019-15218

An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.

CVE-2019-15215

An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.

CVE-2019-15221

A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the Embedded Controller with unsigned firmware.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Sales Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2019-6171: Embedded Controller Update Vulnerability  - Lenovo Support DE

In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.

CVE-2018-20961

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device.

*   Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
    
    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Customers Without Service Contracts**
    
    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
    
    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    
    **Fixed Releases**
    
    Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. In the following tables, the left column lists Cisco NX-OS Software releases. The right column indicates the first release that includes the fix for these vulnerabilities.
    
    **Note:** A complete fix for these vulnerabilities requires that a proper BIOS version is installed. Customers who are running an affected product that is listed in the previously disclosed Cisco advisory cisco-sa-20190306-nxos-sig-verif may not have upgraded the BIOS when the software was installed even if they are running a fixed software release. Customers are advised to confirm that the BIOS is running a fixed BIOS version (first fixed or later) as described in the previously disclosed advisory.
    
    **Nexus 3000 Series Switches: CSCvj14182, CSCvj14106, CSCvj14093**
    
    Cisco NX-OS Software Release
    
    First Fixed Release for These Vulnerabilities
    
    Prior to 6.0(2)
    
    Not vulnerable
    
    6.0(2)
    
    Not vulnerable
    
    Prior to 7.0(3)I4
    
    7.0(3)I7(5)
    
    7.0(3)I4
    
    7.0(3)I7(5)
    
    7.0(3)I5
    
    7.0(3)I7(5)
    
    7.0(3)I6
    
    7.0(3)I7(5)
    
    7.0(3)I7
    
    7.0(3)I7(5)
    
    9.2
    
    9.2(2)
    
    **Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: CSCvk53256, CSCvk53227, CSCvk53125**
    
    Cisco NX-OS Software Release
    
    First Fixed Release for These Vulnerabilities
    
    7.0(3)F3
    
    7.0(3)F3(5)
    
    9.2
    
    9.2(2)
    
    **Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvj14182, CSCvj14106, CSCvj14093**
    
    Cisco NX-OS Software Release
    
    First Fixed Release for These Vulnerabilities
    
    Prior to 7.0(3)I4
    
    7.0(3)I7(5)
    
    7.0(3)I4
    
    7.0(3)I7(5)
    
    7.0(3)I5
    
    7.0(3)I7(5)
    
    7.0(3)I6
    
    7.0(3)I7(5)
    
    7.0(3)I7
    
    7.0(3)I7(5)
    
    9.2
    
    9.2(2)
    
    **Additional Resources**
    
    For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.
    
    > Cisco MDS Series Switches  
    > Cisco Nexus 1000V for VMware Switch  
    > Cisco Nexus 3000 Series and 3500 Series Switches  
    > Cisco Nexus 5000 Series Switches  
    > Cisco Nexus 5500 Platform Switches  
    > Cisco Nexus 6000 Series Switches  
    > Cisco Nexus 7000 Series Switches  
    > Cisco Nexus 9000 Series Switches  
    > Cisco Nexus 9000 Series ACI-Mode Switches
    
    For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device.

CVE-2019-1813: Cisco Security Advisory: Cisco NX-OS CLI Command Software Image Signature Verification Vulnerabilities

An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

ipmi\_si: fix use-after-free of resource->name

When we excute the following commands, we got oops
rmmod ipmi\_si
cat /proc/ioports

\[ 1623.482380\] Unable to handle kernel paging request at virtual address ffff00000901d478
\[ 1623.482382\] Mem abort info:
\[ 1623.482383\]   ESR = 0x96000007
\[ 1623.482385\]   Exception class = DABT (current EL), IL = 32 bits
\[ 1623.482386\]   SET = 0, FnV = 0
\[ 1623.482387\]   EA = 0, S1PTW = 0
\[ 1623.482388\] Data abort info:
\[ 1623.482389\]   ISV = 0, ISS = 0x00000007
\[ 1623.482390\]   CM = 0, WnR = 0
\[ 1623.482393\] swapper pgtable: 4k pages, 48-bit VAs, pgdp = 00000000d7d94a66
\[ 1623.482395\] \[ffff00000901d478\] pgd=000000dffbfff003, pud=000000dffbffe003, pmd=0000003f5d06e003, pte=0000000000000000
\[ 1623.482399\] Internal error: Oops: 96000007 \[#1\] SMP
\[ 1623.487407\] Modules linked in: ipmi\_si(E) nls\_utf8 isofs rpcrdma ib\_iser ib\_srpt target\_core\_mod ib\_srp scsi\_transport\_srp ib\_ipoib rdma\_ucm ib\_umad rdma\_cm ib\_cm dm\_mirror dm\_region\_hash dm\_log iw\_cm dm\_mod aes\_ce\_blk crypto\_simd cryptd aes\_ce\_cipher ses ghash\_ce sha2\_ce enclosure sha256\_arm64 sg sha1\_ce hisi\_sas\_v2\_hw hibmc\_drm sbsa\_gwdt hisi\_sas\_main ip\_tables mlx5\_ib ib\_uverbs marvell ib\_core mlx5\_core ixgbe mdio hns\_dsaf ipmi\_devintf hns\_enet\_drv ipmi\_msghandler hns\_mdio \[last unloaded: ipmi\_si\]
\[ 1623.532410\] CPU: 30 PID: 11438 Comm: cat Kdump: loaded Tainted: G            E     5.0.0-rc3+ #168
\[ 1623.541498\] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017
\[ 1623.548822\] pstate: a0000005 (NzCv daif -PAN -UAO)
\[ 1623.553684\] pc : string+0x28/0x98
\[ 1623.557040\] lr : vsnprintf+0x368/0x5e8
\[ 1623.560837\] sp : ffff000013213a80
\[ 1623.564191\] x29: ffff000013213a80 x28: ffff00001138abb5
\[ 1623.569577\] x27: ffff000013213c18 x26: ffff805f67d06049
\[ 1623.574963\] x25: 0000000000000000 x24: ffff00001138abb5
\[ 1623.580349\] x23: 0000000000000fb7 x22: ffff0000117ed000
\[ 1623.585734\] x21: ffff000011188fd8 x20: ffff805f67d07000
\[ 1623.591119\] x19: ffff805f67d06061 x18: ffffffffffffffff
\[ 1623.596505\] x17: 0000000000000200 x16: 0000000000000000
\[ 1623.601890\] x15: ffff0000117ed748 x14: ffff805f67d07000
\[ 1623.607276\] x13: ffff805f67d0605e x12: 0000000000000000
\[ 1623.612661\] x11: 0000000000000000 x10: 0000000000000000
\[ 1623.618046\] x9 : 0000000000000000 x8 : 000000000000000f
\[ 1623.623432\] x7 : ffff805f67d06061 x6 : fffffffffffffffe
\[ 1623.628817\] x5 : 0000000000000012 x4 : ffff00000901d478
\[ 1623.634203\] x3 : ffff0a00ffffff04 x2 : ffff805f67d07000
\[ 1623.639588\] x1 : ffff805f67d07000 x0 : ffffffffffffffff
\[ 1623.644974\] Process cat (pid: 11438, stack limit = 0x000000008d4cbc10)
\[ 1623.651592\] Call trace:
\[ 1623.654068\]  string+0x28/0x98
\[ 1623.657071\]  vsnprintf+0x368/0x5e8
\[ 1623.660517\]  seq\_vprintf+0x70/0x98
\[ 1623.668009\]  seq\_printf+0x7c/0xa0
\[ 1623.675530\]  r\_show+0xc8/0xf8
\[ 1623.682558\]  seq\_read+0x330/0x440
\[ 1623.689877\]  proc\_reg\_read+0x78/0xd0
\[ 1623.697346\]  \_\_vfs\_read+0x60/0x1a0
\[ 1623.704564\]  vfs\_read+0x94/0x150
\[ 1623.711339\]  ksys\_read+0x6c/0xd8
\[ 1623.717939\]  \_\_arm64\_sys\_read+0x24/0x30
\[ 1623.725077\]  el0\_svc\_common+0x120/0x148
\[ 1623.732035\]  el0\_svc\_handler+0x30/0x40
\[ 1623.738757\]  el0\_svc+0x8/0xc
\[ 1623.744520\] Code: d1000406 aa0103e2 54000149 b4000080 (39400085)
\[ 1623.753441\] ---\[ end trace f91b6a4937de9835 \]---
\[ 1623.760871\] Kernel panic - not syncing: Fatal exception
\[ 1623.768935\] SMP: stopping secondary CPUs
\[ 1623.775718\] Kernel Offset: disabled
\[ 1623.781998\] CPU features: 0x002,21006008
\[ 1623.788777\] Memory Limit: none
\[ 1623.798329\] Starting crashdump kernel...
\[ 1623.805202\] Bye!

If io\_setup is called successful in try\_smi\_init() but try\_smi\_init()
goes out\_err before calling ipmi\_register\_smi(), so ipmi\_unregister\_smi()
will not be called while removing module. It leads to the resource that
allocated in io\_setup() can not be freed, but the name(DEVICE\_NAME) of
resource is freed while removing the module. It causes use-after-free
when cat /proc/ioports.

Fix this by calling io\_cleanup() while try\_smi\_init() goes to out\_err.
and don't call io\_cleanup() until io\_setup() returns successful to avoid
warning prints.

Fixes: 93c303d ("ipmi\_si: Clean up shutdown a bit")
Cc: stable@vger.kernel.org
Reported-by: NuoHan Qiao <qiaonuohan@huawei.com>
Suggested-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>

*   Loading branch information

CVE-2019-11811: ipmi_si: fix use-after-free of resource->name · torvalds/linux@401e7e8

Buffer overflow in system firmware for EDK II may allow unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access.



*   Security Advisory
*   1\. Insecure Default Secure Boot Policy for Option ROMs
*   2\. Incorrect PKCS#1v1.5 Padding Verification for RSA Signature Check
*   3\. UEFI Variable “Reinstallation”
*   4\. Overwrite from Performance Data Variable
*   5\. CommBuffer SMM Overwrite/Exposure
*   6\. TOCTOU Issue with CommBuffer
*   7\. SMRAM Overwrite in Fault Tolerant Write SMI Handler
*   8\. SMRAM Overwrite in SmmVariableHandler
*   9\. Integer/Heap Overflow in SetVariable
*   10\. Heap Overflow in UpdateVariable
*   11\. Overwrite from FirmwarePerformance Variable
*   12\. Integer/Buffer Overflow in TpmDxe Driver
*   13\. Protection of PhysicalPresence Variable
*   14\. Boot Failure Related to UEFI Variable Usage
*   15\. Buffer Overflows in Capsule Update
*   16\. Boot Failure Related to TPM Measurements
*   17\. Buffer Overflow in Variable Reclaim
*   18\. Overflow in Processing of AuthVarKeyDatabase
*   19\. Counter Based Authenticated Variable Issue
*   20\. Honoring Memory Only Reset Control and correct MOR spec imlementation
*   21\. TCG PP S4 issue
*   22\. BIOS Password
*   23\. OPAL driver has PP issue on BlockSid
*   24\. OPAL driver has PSID issue
*   25\. DHCP misses boundary check for network packet
*   26\. SmmCore comm buffer check has TOCTOU issue
*   27\. UEFI Variable Deletion/Corruption
*   28\. EDK II Untested memory not covered by SMM page protection
*   29\. Unauthenticated Firmware Chain-of-Trust Bypass
*   30\. EDK II Authenticated Variable Bypass
*   31\. EDK II TianoCompress Bounds Checking Issues
*   32\. DNS Packet Size Check
*   33\. Opal BlockSid Setting Disabled after S3
*   34\. PartitionDxe and Udf Buffer Overflow
*   35\. Stack Overflow on Corrupted BMP
*   36\. Buffer Overflow in BlockIo service for RAM disk
*   37\. XHCI stack local stack overflow
*   38\. SW SMI Confused Deputy SmramSaveState.c
*   39\. Unlimited FV Recursion
*   40\. AuthVariable Timestamp Zeroing on APPEND\_WRITE
*   41\. BootGuard TOCTOU

*   Published with GitBook

**

Security Advisory

DRAFT \[07/20/2022 06:17:39\]

Version: .009.0

**

**

Security Advisory

DRAFT \[07/20/2022 06:17:39\]

Version: .009.0

**

Tag

#bios