Christophe Leroy

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a hardlockup on vmap stack overflow in the powerpc/32 component of the Linux kernel. This occurs because the emergency ctx is still addressed with its virtual address even though the data MMU is not active anymore at that time. The problem can be fixed by using a physical address instead. The vulnerability may allow an attacker to cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel, where the function `set memory rox()` can fail, leaving memory unprotected. The function `bpf jit binary lock ro()` should check the return value of `set memory rox()` and bail out if an error occurs. This prevents memory from being left unprotected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel, where the function `set memory ro()` can fail, leaving memory unprotected. The return from `set memory ro()` needs to be taken into account with `bpf prog lock ro()`. This error can be addressed by checking the return of `set memory ro()` and handling it as an error. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null-pointer dereference in the `pgtable cache add` function of the `powerpc/mm` component of the Linux kernel. The `kasprintf()` function returns a pointer to dynamically allocated memory, which can be `NULL` upon failure. The vulnerability can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The powerpc kernel is not prepared to handle exec faults from kernel. The function `is exec fault()` returns 'false' when an exec fault is taken by kernel, because the check is based on reading `current->thread.regs->trap` which contains the trap from user. This leads to a forever minor exec fault because `PAGE EXEC` is not set and `set access flags filter()` bails out without setting the `PAGE EXEC` flag. The issue arises from commit `d3ca587404b3` which removed the proper handling of exec faults, introducing a test based on `error code`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.12.13 **Description** The issue is related to a NULL pointer dereference in the arch/powerpc/perf/core-book3s.c file of the Linux kernel. This can be exploited by local users to cause a denial of service (perf instruction pointer NULL pointer dereference and OOPS) via a "perf record" command, on systems with perf event paranoid=-1 and no specific PMU driver support registered. **Recommendations** For Linux kernel versions prior to 5.12.13, update to version 5.12.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the "perf record" command to minimize the risk of exploitation. Additionally, setting perf event paranoid to a value other than -1 may also help mitigate the risk.