Hans De Goede

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises from the handling of interrupts in IPU6 devices when they are disabled. Since some IPU6 devices share interrupts, the system needs to properly handle cases where an interrupt is triggered from another device on the shared irq line while the IPU6 device itself is disabled. This can lead to the system hanging. The problem occurs because when the IPU6 device is disabled, it returns 0xffffffff from the ISR STATUS register, causing the system to handle all irq cases for which it is not prepared. **Recommendations** To resolve the issue, use pm runtime get if active() to check if the device is enabled and prevent suspending it when handling irq until the end of irq. Additionally, use synchronize irq() in suspend. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Panasonic laptop code in the Linux kernel, which uses the SINF array with index values without checking its size. This can lead to out-of-bounds accesses, potentially affecting the confidentiality, integrity, and availability of protected information. The code does not check if the SINF array has a minimum size to cover all AC+DC brightness entries, and it does not refuse to load if the array is smaller. The vulnerability can be exploited by accessing the array out of bounds, and it affects various Panasonic laptop models, including the Toughbook CF-18, which has only 10 SINF array entries. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference vulnerability has been resolved in the Linux kernel. The issue occurs when dummy codecs are declared, resulting in a zero-sized array. This causes the `dais[i].codecs` pointer to point to the address of the next variable stored in the data section, leading to an out-of-bounds array reference. The vulnerability relies on the `name` member of the next variable being NULL, which is usually the case but can result in crashes when it is not. The fix involves checking `dais.num codecs != 0` to prevent the dereference. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the power supply framework in the Linux kernel, which is not designed for long living in-kernel references to power supply devices. Specifically, unregistering a power supply while some other code has a reference to it triggers a warning in power supply unregister(), followed by the power supply still getting removed and the backing data freed anyway, leaving the tusb1210 charger-detect code with a dangling reference. This results in a crash the next time tusb1210 get online() is called. The fix involves only holding the reference in tusb1210 get online() and freeing it at the end of the function, which avoids the issue when manually rmmod-ing the charger chip driver during development. However, this still leaves a theoretical race window. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The Linux kernel has a vulnerability in the HID: logitech-hidpp module, which can cause a kernel crash when a receiver is disconnected via USB. The issue arises from four time-of-check vs time-of-use (TOCTOU) races in the `hidpp connect event()` function, which can lead to a use-after-free scenario. This occurs when two threads take turns executing the `probe battery()` function, resulting in the registration of two power supplies for the same battery. When the last registered power supply class device is unregistered, the memory from the last `devm kmemdup()` call is freed, causing `hidpp->battery.desc.properties` to point to freed memory. This leads to backtraces when `power supply uevent()` is invoked to fill the uevent data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to a missing call to `ssam request sync free()` in the `platform/surface: aggregator` component. Although rare, `ssam request sync init()` can fail, and in such cases, the request should be freed via `ssam request sync free()`. Currently, it is leaked instead. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.19.0 **Description** The vulnerability is related to the drm/gma500 component of the Linux kernel. It is caused by the `gma crtc page flip()` function holding the `event lock` spinlock while calling `crtc funcs->mode set base()`, which takes `ww mutex`. This can lead to a sleeping function being called from an invalid context, resulting in a BUG warning and potential system instability. The issue is fixed by unlocking the `event lock` after setting `gma crtc->page flip event` and re-taking the lock on errors to clear `gma crtc->page flip event` if it is still set. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, versions prior to 5.19.0 are affected, so updating to 5.19.0 or later will mitigate this issue. Note: The provided input descriptions do not mention any specific mitigation measures or workarounds for this vulnerability beyond updating the Linux kernel.

**Name of the Vulnerable Software and Affected Versions** Dia (affected versions not specified) **Description** The issue involves multiple unspecified format string vulnerabilities. These vulnerabilities have an unspecified impact and attack vectors, distinct from other known issues. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dia version 0.94 **Description** The issue allows user-assisted attackers to cause a denial of service and possibly execute arbitrary code by triggering errors or warnings. This can be achieved through format string specifiers in a .bmp filename. Other mechanisms for input, such as a crafted .dia file, are also automatically processed by Dia. **Recommendations** For Dia version 0.94, avoid using format string specifiers in filenames until a patch is available. As a temporary workaround, consider restricting the use of .bmp and .dia files to minimize the risk of exploitation.