| purl | pkg:deb/debian/linux@5.10.209-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-28sa-wnbg-ubgf | In the Linux kernel, the following vulnerability has been resolved: serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed Returning an error code from .remove() makes the driver core emit the little helpful error message: remove callback returned a non-zero value. This will be ignored. and then remove the device anyhow. So all resources that were not freed are leaked in this case. Skipping serial8250_unregister_port() has the potential to keep enough of the UART around to trigger a use-after-free. So replace the error return (and with it the little helpful error message) by a more useful error message and continue to cleanup. | CVE-2023-52457 |
| VCID-3evv-rmrt-9kea | kernel: netfilter: nf_tables: out-of-bounds access in nf_tables_newtable() | CVE-2023-6040 |
| VCID-3gsd-1zzd-jkfz | kernel: drm/amd/pm: fix a double-free in si_dpm_init | CVE-2023-52691 |
| VCID-3h89-dh3v-eye9 | kernel: null-ptr-deref in alloc_workqueue | CVE-2023-52470 |
| VCID-4ce1-c57m-j7c6 | kernel: Out-Of-Bounds Read vulnerability in smbCalcSize | CVE-2023-6606 |
| VCID-4qvh-m9dq-qqeu | kernel: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier | CVE-2023-52449 |
| VCID-4u8y-9b4g-vqfx | kernel: QXL: race condition leading to use-after-free in qxl_mode_dumb_create() | CVE-2023-39198 |
| VCID-4wnz-gjpx-mub1 | kernel: powerpc/powernv: Add a null pointer check in opal_powercap_init() | CVE-2023-52696 |
| VCID-598a-ww2s-6fga | kernel: powerpc/powernv: Add a null pointer check to scom_debug_init_one() | CVE-2023-52690 |
| VCID-5jn4-rn7w-pydp | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid dirent corruption As Al reported in link[1]: f2fs_rename() ... if (old_dir != new_dir && !whiteout) f2fs_set_link(old_inode, old_dir_entry, old_dir_page, new_dir); else f2fs_put_page(old_dir_page, 0); You want correct inumber in the ".." link. And cross-directory rename does move the source to new parent, even if you'd been asked to leave a whiteout in the old place. [1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ With below testcase, it may cause dirent corruption, due to it missed to call f2fs_set_link() to update ".." link to new directory. - mkdir -p dir/foo - renameat2 -w dir/foo bar [ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] [FSCK] other corrupted bugs [Fail] | CVE-2023-52444 |
| VCID-62j2-3w9j-v7cv | kernel: NULL pointer dereference in __nvmet_req_complete | CVE-2023-6536 |
| VCID-63yv-1kxm-nkhx | kernel: binder: fix race between mmput() and do_exit() | CVE-2023-52609 |
| VCID-6vct-1ben-juc3 | kernel: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() | CVE-2023-52675 |
| VCID-885e-g4an-h7e7 | kernel: null pointer dereference in of_syscon_register() | CVE-2023-52467 |
| VCID-95xe-xtqt-r3b8 | kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption | CVE-2024-26586 |
| VCID-c6v9-xutm-nyam | kernel: powerpc: Fix access beyond end of drmem array | CVE-2023-52451 |
| VCID-c7ux-m2a3-euc6 | A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue. | CVE-2024-24860 |
| VCID-dnty-4wac-bfhv | kernel: of: Fix double free in of_parse_phandle_with_args_map | CVE-2023-52679 |
| VCID-emge-avzn-mkgz | kernel: Null Pointer Dereference vulnerability in ida_free in lib/idr.c | CVE-2023-6915 |
| VCID-enq7-6crc-zuh7 | kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c | CVE-2023-52464 |
| VCID-facn-wvhy-jybb | kernel: f2fs: explicitly null-terminate the xattr list | CVE-2023-52436 |
| VCID-fmj3-c8m8-tfe6 | kernel: ACPI: video: check for error while searching for backlight device parent | CVE-2023-52693 |
| VCID-g2ke-rg2j-n3cm | kernel: crypto: scomp - fix req->dst buffer overflow | CVE-2023-52612 |
| VCID-grk5-ty52-bfhw | kernel: efivarfs: force RO when remounting if SetVariable is not supported | CVE-2023-52463 |
| VCID-hgrf-kx83-z7d2 | kernel: pvrusb2: fix use after free on context disconnection | CVE-2023-52445 |
| VCID-htwz-ekk8-17aw | kernel: binder: fix use-after-free in shrinker's callback | CVE-2023-52438 |
| VCID-j6kj-8t9f-gkfj | kernel: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump | CVE-2023-52448 |
| VCID-j9ud-q26e-4qbk | kernel: kvm: Avoid potential UAF in LPI translation cache | CVE-2024-26598 |
| VCID-jey8-21pc-1qde | kernel: bpf: fix check for attempt to corrupt spilled pointer | CVE-2023-52462 |
| VCID-k2me-am4h-rqfm | kernel: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() | CVE-2024-26633 |
| VCID-me26-pr45-tfeg | kernel: use-after-free in kv_parse_power_table | CVE-2023-52469 |
| VCID-n1w6-27yz-dfer | kernel: bluetooth: bt_sock_ioctl race condition leads to use-after-free in bt_sock_recvmsg | CVE-2023-51779 |
| VCID-p8d6-57uv-aqd7 | In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here. | CVE-2024-26597 |
| VCID-p99d-kg7s-5bbq | kernel: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length | CVE-2023-52454 |
| VCID-rsde-mtgv-qqg5 | kernel: ACPI: LPIT: Avoid u32 multiplication overflow | CVE-2023-52683 |
| VCID-sz2h-3vjr-mybh | kernel: drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function | CVE-2023-52694 |
| VCID-t2jg-dbdj-r3av | kernel: ICMPv6 “Packet Too Big” packets force a DoS of the Linux kernel by forcing 100% CPU | CVE-2023-52340 |
| VCID-t8xa-q8y3-3qb5 | kernel: calipso: fix memory leak in netlbl_calipso_add_pass() | CVE-2023-52698 |
| VCID-ty5y-knga-zug3 | kernel: NULL pointer dereference in nvmet_tcp_build_iovec | CVE-2023-6356 |
| VCID-ueaz-eysk-abhx | kernel: uio: Fix use-after-free in uio_open | CVE-2023-52439 |
| VCID-v8b9-uzsr-jqhv | Linux: netback processing of zero-length transmit fragment | CVE-2023-46838 |
| VCID-w1sh-qksx-myem | kernel: powerpc/powernv: Add a null pointer check in opal_event_init() | CVE-2023-52686 |
| VCID-wc2m-dsfh-qkaq | kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination | CVE-2024-0646 |
| VCID-wk4m-e3ac-1ffw | kernel: NULL pointer dereference in nvmet_tcp_execute_request | CVE-2023-6535 |
| VCID-x6ay-s6a4-h3es | kernel: imx: fix tx statemachine deadlock | CVE-2023-52456 |
| VCID-ys7v-mmnm-jbc6 | In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). | CVE-2023-52443 |