Alexander Sverdlin

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability has been resolved in the Linux kernel related to the shutdown sequence of the lan9303 driver. The issue involves two problems: one where the lan9303 driver calls dev get drvdata() at arbitrary runtime, and another where the setting of dp->conduit->dsa ptr = NULL is concurrent with receive packet processing, leading to potential null pointer dereferences. Closing the conduit interface solves both problems by stopping the phylink state machine and ensuring that ioctls, rtnetlinks, and ethtool requests on the user ports no longer propagate down to the driver. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.4.144 Description: The issue is related to a NULL pointer dereference in the Linux kernel's nfsd component. This can lead to a denial of service. The problem arises from a race condition between the `rpc pipefs event()` function and the registration of `nfsd net id` by `register pernet subsys()`. The crash occurs due to an inability to handle a kernel NULL pointer dereference at a specific virtual address. Technical details include the involvement of `rpc pipefs event()`, `blocking notifier call chain`, and other functions like `rpc fill super`, `get tree keyed`, and `ksys mount`. The `rpc pipefs event()` function is a key part of the issue, and the crash info points to a problem at virtual address 0000000000000012. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for the nfsd startup race condition, specifically the commit bb7ffbf29e76 that addresses the issue by restoring the order of `register pernet subsys()` vs `register cld notifier()` and adding a `WARN ON()` to prevent future regressions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential use-after-free in the `fsl lpspi probe()` function in the Linux kernel's SPI driver. This function allocates and disposes of memory manually using `spi alloc host()` and `spi alloc target()`, but also uses `devm spi register controller()`. In case of an error after the latter call, the memory is explicitly freed in the probe function by `spi controller put()`, but is used afterwards by "devm" management outside the probe function. This can lead to a kernel NULL pointer dereference. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include: - The `fsl lpspi probe()` function is vulnerable. - The `spi alloc host()` and `spi alloc target()` functions are used for memory allocation. - The `devm spi register controller()` function is used for controller registration. - The `spi controller put()` function is used for memory deallocation. - The `spi unregister controller()` function is called afterwards, which can lead to a use-after-free condition. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is caused by a transport use-after-free problem in the Linux kernel's SCTP implementation. When processing a duplicate COOKIE-ECHO chunk in `sctp sf do dupcook a()`, both COOKIE-ACK and SHUTDOWN chunks are allocated with the transport from the new association. However, later in the side-effect machine, the old association is used to send them out, and the old association's `shutdown last sent to` is set to the transport that the SHUTDOWN chunk is attached to in `sctp cmd setup t2()`, which actually belongs to the new association. After the new association is freed and the old association's T2 timeout, the old association's `shutdown last sent to` that is already freed would be accessed in `sctp sf t2 timer expire()`. This results in a panic. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.