Keith Busch

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's PCI/DPC subsystem. Specifically, the `pci bridge wait for secondary bus()` function neglects to hold a reference on the child device, leading to potential crashes or other security issues when a DPC event occurs concurrently with hot-removal of the same portion of the hierarchy. The vulnerability is caused by the `dpc handler()` awaiting readiness of the secondary bus below the Downstream Port where the DPC event occurred, and polling the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its `struct pci dev` cause the kernel to crash. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider disabling the `pci bridge wait for secondary bus()` function until a patch is available. Restrict access to the vulnerable PCI/DPC subsystem to minimize the risk of exploitation. Avoid using the `pci dev wait()` function in conjunction with `pci bridge wait for secondary bus()` until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential out-of-bounds access when using `test bit()` on a single word. The `test bit()` and `set bit()` functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump, indicating a slab-out-of-bounds error in ` scsih add device.constprop.0`. The allocation should be at least the size of `sizeof(unsigned long)` to prevent `set bit()` and `test bit()` from overwriting unallocated memory. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.