Anubis

### Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) ### Description: The Linux kernel contains a flaw within the Server Message Block (SMB) implementation. Under low-memory conditions, the `close all cached dirs()` function may fail to properly manage dentries, leading to a "Dentry still in use" error during unmounting of CIFS shares. This occurs when the function is unable to move dentries to a separate list before dropping locks. An error message has been added to clarify this specific scenario. ### Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel versions prior to 6.15.0-rc6 **Description:** The Linux kernel contains a flaw within the ptp subsystem related to recursive locking. Specifically, the `ptp vclock in use()` function includes a check for `ptp->n vclocks` that can lead to a deadlock when acquiring the `ptp->n vclocks mux` lock, particularly during the unregistration of virtual clocks. The issue arises from a redundant check for `ptp->n vclocks` within the function. The call trace indicates a potential recursive lock acquisition when attempting to acquire `ptp->n vclocks mux` while it is already held by another part of the code. **Recommendations:** Linux kernel versions prior to 6.15.0-rc6: Remove the logic that checks `ptp->n vclocks` in the `ptp vclock in use()` function.

### Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) ### Description: The Linux kernel contains a flaw in the `jbd2 journal dirty metadata()` function, resulting in a data race and potential null pointer dereference. The issue stems from a missing data-race annotation for `jh->b modified`, leading to concurrent access and modification of data. This can occur when `handle->h transaction` is a NULL pointer. ### Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel (affected versions not specified) **Description:** A general protection fault may occur in the Linux kernel when loading and unloading the `i10nm edac` module, which automatically loads `skx edac common`. This issue arises because the `adxl component count` variable within `skx edac common`, responsible for tracking ADXL components, is not reset during module unloading and reloading. This leads to a doubled count of ADXL components, resulting in an out-of-bounds reference to the ADXL component array and a subsequent general protection fault. The fault is triggered during error injection testing after reloading the module. **Recommendations:** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The `strlcat()` function with FORTIFY support was triggering a panic due to a perceived buffer overflow, despite the correct target buffer size being passed. The issue occurs when using `strlcat()` with `memset()` followed by `strlcat()` for the BIOS version. The vulnerability is addressed by using `memcpy()` to ensure proper NULL termination of the resulting buffer, as the `BIOSVersion` is used by the `lpfc printf log()` function, which expects a properly terminated string. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A flaw exists in the kernel's ksmbd module where the `free transport` function for TCP connections can be invoked from smbdirect, potentially leading to a kernel oops. This issue has been addressed by adding `free transport` operations within the ksmbd connection and implementing individual `free transports` for both TCP and smbdirect. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel (affected versions not specified) **Description:** The Linux kernel contains a flaw in the pata via controller that can cause system hangs when performing ATAPI Direct Memory Access (DMA) operations on certain hardware configurations, specifically with ATAPI devices on VT6415/VT6330 controllers. This issue can prevent the system from booting and is reproducible with tools like `cdrecord` when reading ATIP information from optical media. Hard disk drives attached to the controller are not affected by DMA issues. **Recommendations:** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A flaw exists in the Linux kernel related to block I/O operations. Specifically, using `submit bio noacct nocheck` in `blk zone wplug bio work` duplicates work and can lead to deadlocks when freezing a queue with pending bio write plugs. The issue arises because BIOS queued in the zone write plug have already undergone preparation in the `submit bio` path, including freeze protection. Bypassing this protection with `submit bio noacct nocheck` introduces the potential for deadlocks. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel (affected versions not specified) **Description:** A use-after-free issue was identified in the net/atm/lec.c component of the Linux kernel. Specifically, an error path in the `lecd attach()` function could result in a dangling pointer within the `dev lec[]` array. A mutex was added to protect uses of `dev lecp[]` from `lecd attach()`, `lec vcc attach()`, and `lec mcast attach()`. This issue was discovered by syzbot during testing. The vulnerability manifests in the `lane ioctl()` function and can be triggered through the `/proc/net/atm/lec` interface. **Recommendations:** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

### Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.15.0-rc7 ### Description: A flaw was discovered in the Linux kernel related to the MPLS (Multiprotocol Label Switching) implementation. Specifically, the `mpls route input rcu()` function could be called from within an RTNL (Routing Table Network Layer) context without proper synchronization, leading to potential issues. The issue was identified by syzbot, a fuzzing tool, which reported suspicious RCU (Read-Copy-Update) usage. The fix involves using `rcu dereference rtnl()` in `mpls route input rcu()` to ensure proper synchronization and prevent potential race conditions. ### Recommendations: Update to a version newer than 6.15.0-rc7 to address this issue.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel versions prior to 5.10.234-syzkaller **Description:** A flaw exists in the jffs2 file system within the Linux kernel where the result of `jffs2 prealloc raw node refs()` was not adequately checked in several places. This could lead to a null pointer dereference during garbage collection or file writing operations, potentially causing system instability or denial of service. The issue was discovered through fuzzing using Syzkaller by the Linux Verification Center. **Recommendations:** Linux kernel versions prior to 5.10.234-syzkaller should be updated to version 5.10.234-syzkaller or later.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A memory leak exists in the WCD9335 audio codec driver due to the failure to free regulator supplies in error paths and during unbind operations. The driver obtains and enables regulator supplies but does not release them, leading to memory leaks and an unbalanced regulator enable count. The issue is addressed by converting the code to use `devm regulator bulk get enable()`, which simplifies the code and ensures proper cleanup. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel (affected versions not specified) **Description:** The Linux kernel contains a flaw within the s390/pkey subsystem. A calculation error in the `memdup user()` function, related to the number of apqn target list entries determined by a userspace ioctl call, can lead to an integer overflow. This discrepancy between the allocated area size and its description can cause unpredictable behavior. The issue is addressed by utilizing the `memdup array user()` helper, which detects and prevents such overflows. The vulnerability was discovered by the Linux Verification Center (linuxtesting.org). **Recommendations:** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A flaw exists in the Linux kernel related to the Fibre Channel Network Interface Card (fnic) driver. A crash can occur in the `fnic wq cmpl handler` function when Fibre Distributed Memory Interface (FDMI) requests from both the Remote Host Bus Adapter (RHBA) and Remote Port Adapter (RPA) time out. This happens because the driver attempts to free the same memory frame twice when resending ABTS (Abort Block Transfer Sequence) commands. The issue was addressed by allocating separate frames for RHBA and RPA requests and modifying the ABTS logic. Testing involved dropping various responses (PLOGI, RHBA, RPA) and combinations thereof, along with ABTS responses, to verify the fix. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel versions prior to 6.15.0-02023-gadbdb95c8696-dirty #1238 **Description:** A NULL pointer dereference issue was identified in the `group cpus evenly()` function within the lib/group cpus module of the Linux kernel. This issue occurs when `numgrps` is set to 0, resulting in a dereference of a NULL pointer after `kcalloc()` returns `ZERO SIZE PTR`. The fix involves adding a check for `numgrps` within `group cpus evenly()` and returning NULL directly if it is zero. **Recommendations:** Update the Linux kernel to version 6.15.0-02023-gadbdb95c8696-dirty #1238 or a later version to resolve this issue.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel (affected versions not specified) **Description:** A concurrency race condition can occur when two instances of uart devices are probing. If one thread calls the `uart register driver` function, which allocates memory for the `uart state` member of the `uart driver` structure, the other instance can bypass driver registration and call `ulite assign`. This calls `uart add one port`, expecting the driver to be fully initialized, leading to a kernel panic due to a null pointer dereference. The issue is resolved by moving uart driver registration into the init function to ensure the driver is always registered when the probe function is called. **Recommendations:** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux Kernel (affected versions not specified) Description: The Linux kernel contains a flaw in the Wacom HID driver related to the `wacom aes battery handler()` function. A crash can occur if a Wacom device is removed while the `aes battery work` is pending, potentially leading to hard crashes or a general protection fault. This issue was introduced by commit fd2a9b29dc9c, which added the `wacom aes battery handler()` function scheduled as a delayed work item. The problem arises because `aes battery work` is not canceled in the `wacom remove()` function. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The `cxl cper handle prot err()` function makes assumptions about the type and binding of devices identified in records, potentially leading to crashes. Specifically, the function incorrectly assumes endpoints are CXL-type-3 devices and bound to the `cxl pci` driver. The code has been corrected to verify that the PCIe endpoint parents a `cxl memdev` before assuming the driver data format, preparing the implementation for CXL accelerators not bound to `cxl pci`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The Linux kernel contains a flaw in the atm subsystem, specifically within the `clip push()` function. A missing check allows `clip push()` to be called with a NULL socket buffer (`skb`) by `vcc destroy socket()`. This results in a NULL dereference when attempting to read `skb->truesize` if `clip devs` is NULL, leading to a crash. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Linux kernel versions prior to 6.15.0-custom+ #249 **Description:** A flaw exists in the Linux kernel related to handling checksum tree errors when the `rescue=ibadroots` mount option is used. Specifically, if a corrupted checksum tree root is encountered, the `BTRFS FS STATE NO DATA CSUMS` flag is not consistently set, leading to unexpected behavior during subsequent checksum lookups. This can result in a general protection fault and potentially crash the kernel. **Recommendations:** Update to Linux kernel version 6.15.0-custom+ #249 or later to address this issue.