Christophe Jaillet

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak issue has been identified in the Linux kernel, specifically in the fs/ntfs3 module. The problem occurs in the error handling path of the `log replay()` function, where resources such as `log`, `ra`, and `log->one page buf` are not properly freed, leading to memory leaks. This issue is resolved by ensuring that all error handling paths free the necessary resources before returning. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel versions prior to 6.6.65 **Description** A bug in the Linux kernel has been resolved, specifically in the vdpa: solidrun module. The issue arises in the `psnet open pf bar()` and `snet open vf bar()` functions, where a string is placed on the stack and later passed to `pcim iomap regions()`. Since neither `pcim iomap regions()` nor the functions it calls copy the string, using the string later causes undefined behavior because the stack frame will have disappeared. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Linux Kernel versions prior to 6.6.65, update to version 6.6.65 or later to resolve the issue. As a temporary workaround, consider allocating strings on the heap through `devm kasprintf()` instead of placing them on the stack to prevent undefined behavior.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a double free vulnerability in the `ma35 pinctrl dt node to map func()` function within the `drivers/pinctrl/nuvoton/pinctrl-ma35.c` module of the Linux kernel. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The problem arises because `new map` is allocated using `devm *`, which automatically frees the allocated data on device removal. However, a call to `dt free map = pinconf generic dt free map` results in a double free, as `pinconf generic dt free map()` calls `pinctrl utils free map()`. **Recommendations** To resolve the issue, use `kcalloc()` instead of auto-managed `devm kcalloc()` for allocating `new map`. This change prevents the double free vulnerability by ensuring that the memory is not automatically freed by `devm *` when the device is removed, thus avoiding the conflict with the manual free operation performed by `pinconf generic dt free map()`.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory corruption problem in the Linux kernel, specifically in the wifi: iwlwifi: mvm component. The problem arises from incorrect pointer arithmetic when casting a pointer to `u8 *` and then adding 1 to it, which results in pointing to the wrong location in memory. This issue can potentially lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `blk alloc ext minor()` function in the Linux kernel, where the `ida alloc range()` function returns values from `min` to `max`, inclusive. This can cause an overflow when `NR EXT DEVT` is used as `disk->first minor` in the `device add disk()` function, specifically in the line `ddev->devt = MKDEV(disk->major, disk->first minor)`. The `NR EXT DEVT` value is equivalent to `(1 << MINORBITS)`, which can lead to an overflow. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A resource leak issue has been identified in the Linux kernel, specifically in the dmaengine: idxd component. The error handling path in the `idxd cdev register()` function was incomplete, leading to resource leaks when a call to `alloc chrdev region()` failed. This issue has been resolved by adding the necessary error handling path to prevent the leak. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A resource leak was found in the Linux kernel, specifically in the zorro7xx remove one() function. The issue arises from the error handling path of the probe, which releases a resource that is not properly freed in the remove function. In certain cases, an ioremap() must be undone, but this was not being done. The problem has been resolved by adding a missing iounmap() call in the remove function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential leak in the `nfp tunnel add shared mac()` function. The `ida simple get()` function returns an id between 0 and `NFP MAX MAC INDEX` inclusive, and `NFP MAX MAC INDEX` (0xff) is a valid id. To ensure the error handling path works correctly, the 'invalid' value for `ida idx` should not be in the 0..`NFP MAX MAC INDEX` range, inclusive, so it is set to -1. This vulnerability may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to errors in security settings of the dmaengine component in the Linux kernel. Exploitation of this issue may allow an attacker to cause a denial of service. The problem is associated with the `pt core init()` function, where incorrect error handling can lead to resource leaks. The error handling path requires adjustments to prevent the release of unallocated resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a resource leak in the error handling path of the men z188 adc component in the Linux kernel. If `iio device register()` fails, a previous `ioremap()` is left unbalanced. The error handling path has been updated and the missing `iounmap()` call has been added. This could potentially allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak has been resolved in the Linux kernel. The issue occurred in the probe function when the final `serial config()` fails, causing the `info` variable to leak. A resource handling path has been added to free this memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak has been resolved in the Linux kernel. The issue occurred in the `uio hv generic` module, where memory allocated by `vmbus alloc ring()` at the beginning of the probe function was never freed in the error handling path. The missing `vmbus free ring()` call has been added to fix the issue. Note that the memory was already freed in the `.remove` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in error handling paths in the Linux kernel, specifically in the uio hv generic component. If the `vmbus establish gpadl()` function fails, the `(recv|send) gpadl` will not be updated, and the `hv uio cleanup()` function in the error handling path will not be able to free the corresponding buffer. This can lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.