Dan Carpenter

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory corruption issue in the Linux kernel has been identified, specifically in the mailbox component, th1520. The functions `th1520 mbox suspend noirq` and `th1520 mbox resume noirq` are designed to save and restore interrupt mask registers in the MBOX ICU0. However, an incorrectly sized array used to store these registers led to memory corruption when accessing all four registers. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the incorrect array size in the th1520 mailbox component. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A resolved issue in the Linux kernel involves an out of bounds read in the `mtk hwlro get fdir entry()` function. The `fsp->location` variable, which comes from the user via the `ethtool get rxnfc()` function, is not properly validated, leading to a potential out of bounds read. This issue can be mitigated by checking the validity of the `fsp->location` variable to prevent such reads. **Recommendations** For the Linux kernel, ensure that the `fsp->location` variable is validated to prevent out of bounds reads in the `mtk hwlro get fdir entry()` function. As a temporary workaround, consider adding input validation for the `ethtool get rxnfc()` function to restrict potentially malicious user input.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue was related to the `visconti clk register gates()` function, where an array overflow could occur due to the use of -1 to represent the absence of a reset function. This value was stored in an unsigned 8-bit integer (`u8`), causing the condition `if (clks[i].rs id >= 0)` to always be true, leading to an out-of-bounds access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory corruption issue exists due to insufficient bounds checking in the `nci hci create pipe()` function. The `pipe` variable, which is a `u8` value coming from the network, can cause memory corruption in the `nci hci connect gate()` function if its value exceeds 127. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to integer overflows in the ksmbd component of the Linux kernel on 32-bit systems. Specifically, the addition operations in the `ipc msg alloc()` function can potentially overflow, leading to memory corruption. To address this, bounds checking using `KSMBD IPC MAX PAYLOAD` has been added to prevent overflow. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an integer overflow bug in the binfmt flat module of the Linux kernel on 32-bit systems. The bug occurs when calculating `full data` using the formula `full data = data len + relocs * sizeof(unsigned long)`, which could result in incorrect calculations if the "relocs" count is not properly checked. Most sizes and counts are capped at 256MB to prevent integer overflows, but the "relocs" count needs to be checked as well. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an integer overflow in the Linux kernel, specifically in the `tps6594 rtc set offset()` function. The problem occurs when the `offset` variable, which is a long in the range (-277774)-277774, is multiplied by `TICKS PER HOUR`, a large number approximately equal to a hundred million. This multiplication can cause an overflow on 32-bit systems, where a long can hold numbers up to approximately two billion. **Recommendations** To resolve the issue, consider changing the type of `TICKS PER HOUR` to `long long` to prevent the integer overflow.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A double free vulnerability was found in the Linux kernel's mtd: rawnand module, specifically in the `atmel pmecc create user()` function. The issue occurred because the "user" pointer was converted from being allocated with `kzalloc()` to being allocated by `devm kzalloc()`, and calling `kfree(user)` would lead to a double free. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `atmel pmecc create user()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free bug has been identified in the `register intc controller()` function. The issue arises during error handling when `d` is freed without being removed from `intc list`, leading to a use-after-free scenario. To address this, the fix ensures that `d` is added to the list only after all operations have been successfully completed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue concerns an integer overflow problem in the RDMA/uverbs component of the Linux kernel. Specifically, the expression `cmd.wqe size * cmd.wr count` can lead to integer wrapping because both variables are u32 values that come from the user. This result is then passed to `uverbs request next ptr()`, which could also potentially wrap. Additionally, the multiplication `cmd.sge count * sizeof(struct ib uverbs sge)` can overflow on 32-bit systems. To address this, the condition in `uverbs request next ptr()` has been rearranged, and all callers have been modified to use `size mul()` for multiplications. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting the use of the RDMA/uverbs component until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential issue in the Linux kernel has been identified, related to the `msm ioctl gem submit()` function. Specifically, the `submit->cmd[i].size` and `submit->cmd[i].offset` variables, which are `u32` values coming from the user via the `submit lookup cmds()` function, could lead to an integer overflow. This is prevented by using the `size add()` function to avoid integer wrapping bugs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the initialization of variables annotated with ` free()` in the thermal testing code of the Linux kernel. If a function can return before these variables are updated, attempting to free the memory they point to upon function return may cause the kernel to crash. The problem has been fixed in some places in the thermal testing code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue concerns an integer overflow in the `pagemap scan get args()` function within the Linux kernel's `fs/proc/task mmu` component. The `arg->vec len` variable, a `u64` value provided by the user, is multiplied by `sizeof(struct page region)`, which can lead to integer wrapping. To prevent this, the `size mul()` function is utilized. Additionally, since the `size add/mul()` functions operate on unsigned long values, it is essential to ensure that `arg->vec len` fits within an unsigned long for 32-bit systems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential array underflow issue has been identified in the Linux kernel, specifically in the `ucsi ccg sync control()` function. The `command` variable can be controlled by the user via debugfs, which poses a risk if `con index` is zero, potentially leading to an array underflow. The issue arises when accessing `&uc->ucsi->connector[con index - 1]`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an integer overflow in the svcrdma component of the Linux kernel. This overflow can be triggered by a user-controlled value, potentially allowing an attacker to execute arbitrary code. The problem arises from a commit in the Linux kernel that introduced a "parsed chunk list" data structure, leading to a warning from the Smatch static checker about a potential user-controlled sizeof overflow. The `segcount` variable, an untrusted u32, is used in a calculation that can cause an integer overflow on 32-bit systems, which may be accepted by `xdr inline decode()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an integer overflow in the decode cb compound4res() function of the Linux kernel's NFSD component. If the tag length is >= U32 MAX - 3, the "length + 4" addition can result in an integer overflow. This can be addressed by splitting the decoding into several steps so that decode cb compound4res() does not have to perform arithmetic on the unsafe length value. The vulnerability can be exploited by a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential out of bounds condition in the `ucsi ccg update set new cam cmd()` function. The `*cmd` variable can be controlled by the user via debugfs, allowing `new cam` to be as high as 255, while the size of the `uc->updated[]` array is `UCSI MAX ALTMODES` (30). The call tree involves several functions, including `ucsi cmd()`, `ucsi send command()`, `ucsi send command common()`, `ucsi run command()`, and `ucsi ccg sync control()`. This could potentially impact the confidentiality and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free vulnerability in the Linux kernel, specifically in the io edgeport module. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The problem arises from the `dev dbg` function being called after `usb free urb`, resulting in a use after free of the `urb` pointer. To avoid this issue, the `dev` pointer is stored at the start of the function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential NULL dereference vulnerability has been identified in the Linux kernel, specifically in the wifi: cw1200 module. This issue was discovered through static analysis after a recent refactoring. The vulnerability could potentially be exploited, but no details about affected devices or real-world incidents are provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** A critical vulnerability in the Linux kernel's PCI keystone component has been fixed. The issue involved the `ks pcie quirk()` function, where an if-statement expression accidentally used `&&` instead of `||`, potentially resulting in a NULL dereference. This fix corrects the if-statement expression to use the correct condition. **Recommendations** For versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to the PCI keystone component until a patch is available.