An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVE-2019-15216

An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.

CVE-2019-15221

An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.

Permalink

Browse files

scsi: libsas: fix a race condition when smp task timeout

When the lldd is processing the complete sas task in interrupt and set the
task stat as SAS\_TASK\_STATE\_DONE, the smp timeout timer is able to be
triggered at the same time. And smp\_task\_timedout() will complete the task
wheter the SAS\_TASK\_STATE\_DONE is set or not. Then the sas task may freed
before lldd end the interrupt process. Thus a use-after-free will happen.

Fix this by calling the complete() only when SAS\_TASK\_STATE\_DONE is not
set. And remove the check of the return value of the del\_timer(). Once the
LLDD sets DONE, it must call task->done(), which will call
smp\_task\_done()->complete() and the task will be completed and freed
correctly.

Reported-by: chenxiang <chenxiang66@hisilicon.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
CC: John Garry <john.garry@huawei.com>
CC: Johannes Thumshirn <jthumshirn@suse.de>
CC: Ewan Milne <emilne@redhat.com>
CC: Christoph Hellwig <hch@lst.de>
CC: Tomas Henzl <thenzl@redhat.com>
CC: Dan Williams <dan.j.williams@intel.com>
CC: Hannes Reinecke <hare@suse.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

*   Loading branch information

CVE-2018-20836: scsi: libsas: fix a race condition when smp task timeout · torvalds/linux@b90cd6f

An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

ipmi\_si: fix use-after-free of resource->name

When we excute the following commands, we got oops
rmmod ipmi\_si
cat /proc/ioports

\[ 1623.482380\] Unable to handle kernel paging request at virtual address ffff00000901d478
\[ 1623.482382\] Mem abort info:
\[ 1623.482383\]   ESR = 0x96000007
\[ 1623.482385\]   Exception class = DABT (current EL), IL = 32 bits
\[ 1623.482386\]   SET = 0, FnV = 0
\[ 1623.482387\]   EA = 0, S1PTW = 0
\[ 1623.482388\] Data abort info:
\[ 1623.482389\]   ISV = 0, ISS = 0x00000007
\[ 1623.482390\]   CM = 0, WnR = 0
\[ 1623.482393\] swapper pgtable: 4k pages, 48-bit VAs, pgdp = 00000000d7d94a66
\[ 1623.482395\] \[ffff00000901d478\] pgd=000000dffbfff003, pud=000000dffbffe003, pmd=0000003f5d06e003, pte=0000000000000000
\[ 1623.482399\] Internal error: Oops: 96000007 \[#1\] SMP
\[ 1623.487407\] Modules linked in: ipmi\_si(E) nls\_utf8 isofs rpcrdma ib\_iser ib\_srpt target\_core\_mod ib\_srp scsi\_transport\_srp ib\_ipoib rdma\_ucm ib\_umad rdma\_cm ib\_cm dm\_mirror dm\_region\_hash dm\_log iw\_cm dm\_mod aes\_ce\_blk crypto\_simd cryptd aes\_ce\_cipher ses ghash\_ce sha2\_ce enclosure sha256\_arm64 sg sha1\_ce hisi\_sas\_v2\_hw hibmc\_drm sbsa\_gwdt hisi\_sas\_main ip\_tables mlx5\_ib ib\_uverbs marvell ib\_core mlx5\_core ixgbe mdio hns\_dsaf ipmi\_devintf hns\_enet\_drv ipmi\_msghandler hns\_mdio \[last unloaded: ipmi\_si\]
\[ 1623.532410\] CPU: 30 PID: 11438 Comm: cat Kdump: loaded Tainted: G            E     5.0.0-rc3+ #168
\[ 1623.541498\] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017
\[ 1623.548822\] pstate: a0000005 (NzCv daif -PAN -UAO)
\[ 1623.553684\] pc : string+0x28/0x98
\[ 1623.557040\] lr : vsnprintf+0x368/0x5e8
\[ 1623.560837\] sp : ffff000013213a80
\[ 1623.564191\] x29: ffff000013213a80 x28: ffff00001138abb5
\[ 1623.569577\] x27: ffff000013213c18 x26: ffff805f67d06049
\[ 1623.574963\] x25: 0000000000000000 x24: ffff00001138abb5
\[ 1623.580349\] x23: 0000000000000fb7 x22: ffff0000117ed000
\[ 1623.585734\] x21: ffff000011188fd8 x20: ffff805f67d07000
\[ 1623.591119\] x19: ffff805f67d06061 x18: ffffffffffffffff
\[ 1623.596505\] x17: 0000000000000200 x16: 0000000000000000
\[ 1623.601890\] x15: ffff0000117ed748 x14: ffff805f67d07000
\[ 1623.607276\] x13: ffff805f67d0605e x12: 0000000000000000
\[ 1623.612661\] x11: 0000000000000000 x10: 0000000000000000
\[ 1623.618046\] x9 : 0000000000000000 x8 : 000000000000000f
\[ 1623.623432\] x7 : ffff805f67d06061 x6 : fffffffffffffffe
\[ 1623.628817\] x5 : 0000000000000012 x4 : ffff00000901d478
\[ 1623.634203\] x3 : ffff0a00ffffff04 x2 : ffff805f67d07000
\[ 1623.639588\] x1 : ffff805f67d07000 x0 : ffffffffffffffff
\[ 1623.644974\] Process cat (pid: 11438, stack limit = 0x000000008d4cbc10)
\[ 1623.651592\] Call trace:
\[ 1623.654068\]  string+0x28/0x98
\[ 1623.657071\]  vsnprintf+0x368/0x5e8
\[ 1623.660517\]  seq\_vprintf+0x70/0x98
\[ 1623.668009\]  seq\_printf+0x7c/0xa0
\[ 1623.675530\]  r\_show+0xc8/0xf8
\[ 1623.682558\]  seq\_read+0x330/0x440
\[ 1623.689877\]  proc\_reg\_read+0x78/0xd0
\[ 1623.697346\]  \_\_vfs\_read+0x60/0x1a0
\[ 1623.704564\]  vfs\_read+0x94/0x150
\[ 1623.711339\]  ksys\_read+0x6c/0xd8
\[ 1623.717939\]  \_\_arm64\_sys\_read+0x24/0x30
\[ 1623.725077\]  el0\_svc\_common+0x120/0x148
\[ 1623.732035\]  el0\_svc\_handler+0x30/0x40
\[ 1623.738757\]  el0\_svc+0x8/0xc
\[ 1623.744520\] Code: d1000406 aa0103e2 54000149 b4000080 (39400085)
\[ 1623.753441\] ---\[ end trace f91b6a4937de9835 \]---
\[ 1623.760871\] Kernel panic - not syncing: Fatal exception
\[ 1623.768935\] SMP: stopping secondary CPUs
\[ 1623.775718\] Kernel Offset: disabled
\[ 1623.781998\] CPU features: 0x002,21006008
\[ 1623.788777\] Memory Limit: none
\[ 1623.798329\] Starting crashdump kernel...
\[ 1623.805202\] Bye!

If io\_setup is called successful in try\_smi\_init() but try\_smi\_init()
goes out\_err before calling ipmi\_register\_smi(), so ipmi\_unregister\_smi()
will not be called while removing module. It leads to the resource that
allocated in io\_setup() can not be freed, but the name(DEVICE\_NAME) of
resource is freed while removing the module. It causes use-after-free
when cat /proc/ioports.

Fix this by calling io\_cleanup() while try\_smi\_init() goes to out\_err.
and don't call io\_cleanup() until io\_setup() returns successful to avoid
warning prints.

Fixes: 93c303d ("ipmi\_si: Clean up shutdown a bit")
Cc: stable@vger.kernel.org
Reported-by: NuoHan Qiao <qiaonuohan@huawei.com>
Suggested-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>

*   Loading branch information

CVE-2019-11811: ipmi_si: fix use-after-free of resource->name · torvalds/linux@401e7e8

The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel before 4.14.4 mishandles gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.

CVE-2017-18202

The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.

Permalink

Browse files

blkcg: fix double free of new\_blkg in blkcg\_init\_queue

If blkg\_create fails, new\_blkg passed as an argument will
be freed by blkg\_create, so there is no need to free it again.

Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Jens Axboe <axboe@fb.com>

*   Loading branch information

CVE-2018-7480: blkcg: fix double free of new_blkg in blkcg_init_queue · torvalds/linux@9b54d81

The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.

CVE-2017-18017

CVE-2016-9921 CVE-2016-9922 Qemu: display: cirrus_vga: a divide by zero in cirrus_do_copy

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

Gerd Hoffmann

**Subject**:

\[Qemu-devel\] \[PULL 4/4\] display: cirrus: check vga bits per pixel(bpp) value

**Date**:

Mon, 5 Dec 2016 12:04:00 +0100

From: Prasad J Pandit <address@hidden>

In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
'cirrus\_get\_bpp' returns zero(0), which could lead to a divide
by zero error in while copying pixel data. The same could occur
via blit pitch values. Add check to avoid it.

Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/display/cirrus\_vga.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus\_vga.c b/hw/display/cirrus\_vga.c
index 3d712d5..bdb092e 100644
--- a/hw/display/cirrus\_vga.c
+++ b/hw/display/cirrus\_vga.c
@@ -272,6 +272,9 @@ static void cirrus\_update\_memory\_access(CirrusVGAState \*s);
 static bool blit\_region\_is\_unsafe(struct CirrusVGAState \*s,
                                   int32\_t pitch, int32\_t addr)
 {
+    if (!pitch) {
+        return true;
+    }
     if (pitch < 0) {
         int64\_t min = addr
             + ((int64\_t)s->cirrus\_blt\_height-1) \* pitch;
@@ -715,7 +718,7 @@ static int 
cirrus\_bitblt\_videotovideo\_patterncopy(CirrusVGAState \* s)
                                             s->cirrus\_addr\_mask));
 }
 
-static void cirrus\_do\_copy(CirrusVGAState \*s, int dst, int src, int w, int h)
+static int cirrus\_do\_copy(CirrusVGAState \*s, int dst, int src, int w, int h)
 {
     int sx = 0, sy = 0;
     int dx = 0, dy = 0;
@@ -729,6 +732,9 @@ static void cirrus\_do\_copy(CirrusVGAState \*s, int dst, int 
src, int w, int h)
         int width, height;
 
         depth = s->vga.get\_bpp(&s->vga) / 8;
+        if (!depth) {
+            return 0;
+        }
         s->vga.get\_resolution(&s->vga, &width, &height);
 
         /\* extra x, y \*/
@@ -783,6 +789,8 @@ static void cirrus\_do\_copy(CirrusVGAState \*s, int dst, int 
src, int w, int h)
     cirrus\_invalidate\_region(s, s->cirrus\_blt\_dstaddr,
                                s->cirrus\_blt\_dstpitch, s->cirrus\_blt\_width,
                                s->cirrus\_blt\_height);
+
+    return 1;
 }
 
 static int cirrus\_bitblt\_videotovideo\_copy(CirrusVGAState \* s)
@@ -790,11 +798,9 @@ static int cirrus\_bitblt\_videotovideo\_copy(CirrusVGAState 
\* s)
     if (blit\_is\_unsafe(s))
         return 0;
 
-    cirrus\_do\_copy(s, s->cirrus\_blt\_dstaddr - s->vga.start\_addr,
+    return cirrus\_do\_copy(s, s->cirrus\_blt\_dstaddr - s->vga.start\_addr,
             s->cirrus\_blt\_srcaddr - s->vga.start\_addr,
             s->cirrus\_blt\_width, s->cirrus\_blt\_height);
-
-    return 1;
 }
 
 /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
-- 
1.8.3.1

*   **\[Qemu-devel\] \[PULL for-2.8 0/4\] vga fixes**, _Gerd Hoffmann_, 2016/12/05
    *   **\[Qemu-devel\] \[PULL 3/4\] virtio-gpu: fix memory leak in update\_cursor\_data\_virgl**, _Gerd Hoffmann_, 2016/12/05
    *   **\[Qemu-devel\] \[PULL 1/4\] qxl: Only emit QXL\_INTERRUPT\_CLIENT\_MONITORS\_CONFIG on config changes**, _Gerd Hoffmann_, 2016/12/05
    *   **\[Qemu-devel\] \[PULL 2/4\] virtio-gpu: fix information leak in getting capset info dispatch**, _Gerd Hoffmann_, 2016/12/05
    *   **\[Qemu-devel\] \[PULL 4/4\] display: cirrus: check vga bits per pixel(bpp) value**, _Gerd Hoffmann_ **<=**
    *   **Re: \[Qemu-devel\] \[PULL for-2.8 0/4\] vga fixes**, _Stefan Hajnoczi_, 2016/12/06

*   Prev by Date: **\[Qemu-devel\] \[PULL for-2.8 0/4\] vga fixes**
*   Next by Date: **Re: \[Qemu-devel\] \[PATCH for-2.8\] target-arm/translate-a64: fix gen\_load\_exclusive**
*   Previous by thread: **\[Qemu-devel\] \[PULL 2/4\] virtio-gpu: fix information leak in getting capset info dispatch**
*   Next by thread: **Re: \[Qemu-devel\] \[PULL for-2.8 0/4\] vga fixes**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2016-9922: [Qemu-devel] [PULL 4/4] display: cirrus: check vga bits per pixel(bpp) v

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.

Tag

#huawei