Mikulas Patocka

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a possible DMA corruption in the Linux kernel, specifically in the parisc architecture. The problem arises because the ARCH DMA MINALIGN value was defined as 16, which is too small, allowing two unrelated 16-byte allocations to share a cache line. If one allocation is written using DMA and the other using cached write, the value written with DMA may be corrupted. The kernel has been updated to change ARCH DMA MINALIGN to 128 on PA20 and 32 on PA1.1, which is the largest possible cache line size. This change allows the kernel to tune slab cache parameters dynamically based on the detected cache line size. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak occurs in the Linux kernel when rechecking data after a checksum failure, due to the associated kfree not happening because of 'goto skip io'. This issue is resolved by freeing the checksums memory before recheck and using the "checksum onstack" memory for storing checksum during recheck. The memory leak happens for the "checksums" pointer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.8.0-rc6 **Description** The vulnerability is caused by the fact that the postsuspend and resume methods were not paired correctly, resulting in list corruption. This occurs when there are two consecutive calls to the origin postsuspend function, with the second call attempting to remove the "hash list" entry from a list that was already removed by the first call. The fix involves modifying the dm internal resume function to call the preresume and resume methods of the table's targets. If a preresume method of some target fails, the DMF SUSPENDED flag is set and normal suspend is faked to avoid a kernel crash. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, versions 6.8.0-rc6 and later should be used. If updating is not possible, consider temporarily disabling the `dm internal resume` function or restricting its use to minimize the risk of exploitation. However, this is not a recommended long-term solution, as it may cause other issues. At the moment, there is no information about other versions that contain a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the dm-raid component in the Linux kernel, where the sync thread is not properly frozen during suspend. This is caused by the removal of the MD RECOVERY FROZEN flag from md stop writes() in commit f52f5c71f3d4, which doesn't realize that dm-raid relies on md stop writes() to freeze the sync thread indirectly. The flag MD RECOVERY FROZEN only prevents new sync thread from starting and can't stop the running sync thread. To fix this, the flag should be added back to md stop writes(), and the stop sync thread() function should be moved to md stop writes(). Additionally, the raid message function should be disallowed from changing the sync thread status during suspend. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the dm-crypt component of the Linux kernel, specifically with errors in resource management during authentication. This could potentially allow an attacker to cause a denial of service. The problem arises when authenticated encryption produces an invalid tag due to modified data being encrypted. To fix this, the data is copied into a clone bio first and then encrypted inside the clone bio, which may reduce performance but prevents device corruption when using O DIRECT and modifying data simultaneously. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, related to the handling of read-only arrays in the `md check recovery()` function. Usually, if the array is not read-write, `md check recovery()` won't register a new sync thread. However, after a specific commit, a hang can be triggered when the array is set to read-only and then back to read-write, causing the daemon thread to be unable to unregister the sync thread. The root cause is that dm-raid manipulates the `mddev->ro` variable by itself, but it should stop the sync thread before setting the array read-only. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel related to the handling of suspended arrays in the `md check recovery()` function. The issue arises when the `mddev suspend()` function does not stop the sync thread, causing problems when trying to unregister the sync thread. This can lead to a hang when stopping the array after it has been suspended. The problem is not limited to dm-raid and can be fixed by ignoring suspended arrays in `md check recovery()`. Follow-up patches will improve dm-raid to better handle frozen sync threads during suspension. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.9 **Description** The Linux kernel has a vulnerability in the dm-crypt and dm-verity modules, where tasklets have an inherent problem with memory corruption. The function `tasklet action common` calls `tasklet trylock`, then the tasklet callback, and then `tasklet unlock`. If the tasklet callback frees the structure that contains the tasklet or calls some code that may free it, `tasklet unlock` will write into free memory. The commits 8e14f610159d and d9a02e016aaf try to fix this issue for dm-crypt, but it is not a sufficient fix, and data corruption can still happen. There is no fix for dm-verity, and it will write into free memory with every tasklet-processed bio. Atomic workqueues will be implemented in kernel 6.9, which will have a better interface and will not suffer from the memory corruption problem. **Recommendations** To resolve the issue, update to Linux kernel version 6.9 or later. For versions prior to 6.9, consider disabling tasklets in both dm-crypt and dm-verity as a temporary workaround to prevent memory corruption.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A warning in the Linux kernel has been resolved, specifically a KASAN warning in `raid5 add disks` when running the LVM testsuite, notably in the test `lvconvert-raid-reshape-linear to raid6-single-type.sh`. The fix involves verifying that `rdev->saved raid disk` is within limits. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A bug in the Linux kernel's dm-log code has been identified, where the region bitmap size is rounded up to 32 bits, but the allocated region is accessed using unsigned long pointers by the function find next zero bit le. On 64-bit architectures, this may result in accessing 4 bytes beyond the allocated size. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory corruption issue exists in the Linux kernel due to the dm-integrity setup, where the `tag size` parameter is less than the actual digest size. This causes dm-integrity to write beyond the end of the `ic->recalc tags` array, resulting in memory corruption. The corruption occurs in the `integrity recalc` function, specifically in the `integrity sector checksum` and `crypto shash final` functions. **Recommendations** To resolve this issue, increase the size of the tags array to accommodate the full digest size for the last member of the tags array, ensuring enough padding at the end to prevent memory corruption. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.8.15 **Description** The issue allows local users to cause a denial of service, resulting in a system crash due to a NULL pointer dereference. This can be achieved by using an AF ALG socket with an incompatible algorithm. **Recommendations** For versions prior to 4.8.15, update to version 4.8.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Links versions prior to 2.8 links2 (affected versions not specified) **Description** The issue is related to an integer overflow in Links, which can be exploited by remote attackers to cause a denial of service (crash) via crafted HTML tables. Multiple vulnerabilities in the links2 package may lead to disruption of protected information availability, and exploitation can be done remotely. **Recommendations** For Links versions prior to 2.8, update to version 2.8 or later to resolve the issue. For links2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.5.4 **Description** The issue affects the Linux kernel, where the `do siocgstamp` and `do siocgstampns` functions in `net/socket.c` use an incorrect argument order. This allows local users to obtain sensitive information from kernel memory or cause a denial of service, resulting in a system crash, via a crafted ioctl call. **Recommendations** For Linux kernel versions prior to 3.5.4, update to version 3.5.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** libpng versions 1.0.x through 1.0.57 libpng versions 1.2.x through 1.2.47 libpng versions 1.4.x through 1.4.9 libpng versions 1.5.x through 1.5.9 **Description** The issue allows remote attackers to cause a denial of service (out-of-bounds read) via a large `avail in` field value in a PNG image. This is due to a buffer overflow in the `png push read zTXt` function. **Recommendations** For libpng versions 1.0.x through 1.0.57, update to version 1.0.58 or later. For libpng versions 1.2.x through 1.2.47, update to version 1.2.48 or later. For libpng versions 1.4.x through 1.4.9, update to version 1.4.10 or later. For libpng versions 1.5.x through 1.5.9, update to version 1.5.10 or later.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 2.6.29 Description: The issue allows local users to cause a denial of service, resulting in a system crash. This is related to the handling of uninitialized pointers and the request resource function when reading the /proc/iomem file on the sparc64 platform. Recommendations: For versions prior to 2.6.29, update to version 2.6.29 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: zgv version 5.5.3 Description: The issue allows remote attackers to cause a denial of service, resulting in an application crash via segmentation fault. This can be achieved by using crafted multiple-image (animated) GIF images. Recommendations: For zgv version 5.5.3, consider avoiding the use of crafted multiple-image GIF images until a patch is available. As a temporary workaround, restrict the handling of animated GIF images to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.