Duoming Zhou

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A reference count leak issue exists in the `ax25 dev device down()` function, which can cause a memory leak when the ax25 device is shutting down. The issue arises because the `ax25 dev device down()` function drops the reference count of `net device` one or zero times, depending on whether it goes to `unlock put` or not. To solve this issue, the reference count of `net device` should be decreased after `dev->ax25 ptr` is set to null. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak issue has been identified in the Linux kernel, specifically in the ax25 module. The issue arises from reference count leaks in the `ax25 addr ax25dev()` and `ax25 dev device down()` functions, which can cause a memory leak. The reference count of the object `ax25 dev` can be increased multiple times in `ax25 addr ax25dev()`, leading to a memory leak. Similarly, in `ax25 dev device down()`, the reference count of `ax25 dev` is set to 1 and then increased when added to `ax25 dev list`, resulting in a reference count of 2. However, when the device is shutting down, `ax25 dev device down()` drops the reference count once or twice, depending on the circumstances, causing a memory leak. To resolve this issue, a break has been added in `ax25 addr ax25dev()` since it is impossible for one pointer to be on a list twice. Additionally, the reference count of `ax25 dev` is increased once in `ax25 dev device up()` and decreased after it is removed from `ax25 dev list`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the Linux kernel, specifically in the watchdog: cpu5wdt.c module. When the cpu5wdt module is removing, the origin code uses `del timer()` to de-activate the timer. If the timer handler is running, `del timer()` could not stop it and will return directly. If the port region is released by `release region()` and then the timer handler `cpu5wdt trigger()` calls `outb()` to write into the region that is released, the use-after-free bug will happen. This can lead to a denial of service or other impacts. **Recommendations** To resolve the issue, change `del timer()` to `timer shutdown sync()` in order that the timer handler could be finished before the port region is released. As a temporary workaround, consider disabling the `cpu5wdt trigger()` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the ax25 dev device down() function, which is caused by concurrent access to a resource, leading to a race condition. When the ax25 device is detaching, the ax25 dev device down() function calls ax25 ds del timer() to clean up the slave timer. However, if the timer handler is running, ax25 ds del timer() will return directly, resulting in use-after-free bugs. One scenario is shown below: (Thread 1) | (Thread 2) | ax25 ds timeout() ax25 dev device down() | ax25 ds del timer() | del timer() | ax25 dev put() //FREE | | ax25 dev-> //USE To mitigate the bug, when the device is detaching, use timer shutdown sync() to stop the timer. **Recommendations** To resolve the issue, use timer shutdown sync() to stop the timer when the device is detaching. As a temporary workaround, consider disabling the ax25 dev device down() function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the ax25 ds del timer() function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the ALSA subsystem of the Linux kernel. This bug occurs when the `snd pcm substream` is closing, and the `aica channel` is deallocated but can still be dereferenced in the worker thread. The reason for this is that `del timer()` returns directly, regardless of whether the timer handler is running or not, and the worker could be rescheduled in the timer handler. To mitigate this bug, the `mod timer()` function should be called conditionally in `run spu dma()`, and a PCM sync stop operation should be implemented to cancel both the timer and worker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a null pointer dereference bug in the Linux kernel, specifically in the wifi: brcmfmac: pcie component. This bug occurs when the physical memory runs out, causing the kzalloc() function in brcmf pcie download fw nvram() to return null. As a result, using get random bytes() to generate random bytes in the randbuf can lead to a null pointer dereference. To prevent allocation failure, a separate function has been added to use a buffer on the kernel stack to generate random bytes in the randbuf, which can prevent the kernel stack from overflowing. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A null pointer dereference bug can occur in the Linux kernel when the physical memory runs out, causing the `kcalloc()` function in `dmirror device evict chunk()` to return null. If `src pfns` or `dst pfns` is dereferenced, this bug will happen. Moreover, if the `kcalloc()` fails, the pages mapping a chunk could not be evicted. To resolve this issue, a ` GFP NOFAIL` flag is added to `kcalloc()`, and `kcalloc()` is switched to `kvcalloc()` to avoid failing allocations due to the lack of need for physically contiguous memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a null pointer dereference bug in the `nfp fl lag do work()` function, which can occur when the physical memory runs out and `kmalloc array()` returns null. If the `acti netdevs` is dereferenced, it can cause a null pointer dereference bug. This can lead to a denial of service. A patch has been added to check for allocation failure and reschedule the delayed work if it happens. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a null pointer dereference in the zynq component of the Linux kernel. This occurs when the kmalloc() function in zynq clk setup() returns null due to physical memory running out, and then snprintf() is used to write data to the null address. The patch for this issue uses a stack variable to replace the kmalloc(). Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to a NULL pointer dereference in the `of pci prop intr map()` function of the Linux kernel's PCI driver. This could allow an attacker to cause a denial of service. The vulnerability is resolved by returning an error for int map allocation failure, specifically returning -ENOMEM from `of pci prop intr map()` if `kcalloc()` fails. **Recommendations** Update to Linux kernel version 6.6.37 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `of pci prop intr map()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.5.3 **Description** The issue is related to a use-after-free bug in the Linux kernel. This bug occurs because the original code puts `flush work()` before `timer shutdown sync()` in `switch drv remove()`, allowing the worker to be rescheduled in `switch timer()` and causing a use-after-free bug. The vulnerability can be exploited to access confidential data, disrupt data integrity, and cause a denial of service. **Recommendations** To resolve the issue, upgrade the Linux kernel to a version newer than 6.5.3. As a temporary workaround, consider disabling the `switch drv remove()` function until a patch is available. Restrict access to the vulnerable `switch timer()` and `switch work handler()` functions to minimize the risk of exploitation. Avoid using the `psw->state` variable in the affected code until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free flaw in the Linux kernel's integrated infrared receiver/transceiver driver, specifically in the way a user detaches an rc device. This could allow an attacker to crash the system or potentially escalate their privileges. The flaw is associated with the `ene remove()` function in the `ene ir.c` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A critical issue has been found in the Linux Kernel, affecting the function `tst timer` of the file `drivers/atm/idt77252.c` of the component IPsec. The manipulation leads to use after free, which can be exploited due to a race condition. This may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** To fix this issue, it is recommended to apply a patch. As a temporary workaround, consider disabling the `tst timer` function until a patch is available. Restrict access to the vulnerable module `drivers/atm/idt77252.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A flaw in the Linux Kernel, specifically in the `nfcmrvl nci unregister dev()` function in `drivers/nfc/nfcmrvl/main.c`, can lead to use after free, allowing both read and write operations when not synchronized between the cleanup routine and firmware download routine. This issue may impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A deadlock issue exists in the Linux kernel, specifically in the oxu bus suspend() function. This occurs due to a lock being held in one thread while waiting for a timer to stop, and the timer handler also requiring the same lock, resulting in a block. The issue arises from the use of del timer sync() within the protection of spin lock irq(), preventing the timer handler from obtaining the necessary lock. **Recommendations** For the affected Linux kernel versions, apply the patch that extracts del timer sync() from the protection of spin lock irq() to resolve the deadlock issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A deadlock issue was found in the Linux kernel, specifically in the sa1100 set termios() function. This occurs when two threads attempt to access the same lock, resulting in a situation where one thread waits indefinitely for the other to release the lock. The issue arises from the use of del timer sync() while holding the sport->port.lock, which is also required by the timer handler. To resolve this, the patch moves del timer sync() before spin lock irqsave() to prevent the deadlock. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A deadlock issue exists in the Linux kernel, specifically in the rtllib beacons stop() function. This occurs when two threads attempt to access the ieee->beacon lock simultaneously, causing one thread to block indefinitely. The issue arises from the use of del timer sync() within the protection of spin lock irqsave(), which prevents the timer handler from obtaining the necessary lock. **Recommendations** For the affected Linux kernel version, apply the patch that extracts del timer sync() from the protection of spin lock irqsave() to resolve the deadlock issue in rtllib beacons stop().

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A deadlock issue exists in the Linux kernel, specifically in the `ieee80211 beacons stop()` function. This occurs when two threads attempt to access the `ieee->beacon lock` simultaneously, causing the function to block indefinitely. The deadlock is a result of the `del timer sync()` call waiting for a timer to stop while holding the lock, and the timer handler also requiring the same lock. The issue is resolved by extracting the `del timer sync()` call from the protection of `spin lock irqsave()`, allowing the timer handler to obtain the necessary lock. **Recommendations** For the Linux kernel, apply the patch that extracts `del timer sync()` from the protection of `spin lock irqsave()` to resolve the deadlock issue in `ieee80211 beacons stop()`.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality. This issue arises in the way a user connects with the protocol, allowing a local user to crash the system. The flaw is related to the implementation of the Amateur Radio AX.25 protocol and can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a flaw in the Linux kernel that can be exploited by an attacker to crash the system by simulating amateur radio from the user space. This results in a null-ptr-deref vulnerability and a use-after-free vulnerability. The exploitation of this flaw may allow a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.