Nathan Lynch

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the powerpc/pseries component of the Linux kernel, where functions like `plpar hcall()` and `plpar hcall9()` expect callers to provide valid result buffers of a certain minimum size. However, this requirement is currently only communicated through comments in the code, and the compiler is not aware of it. This can lead to stack corruption at runtime if the provided buffer is too small. To mitigate this, explicitly-sized array parameters can be used instead of pointers in the declarations for the hcall APIs. When compiled with -Warray-bounds, the code can provoke a diagnostic if the array argument is too small. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to the `dlpar memory remove by index()` function in the powerpc/pseries/memhp module of the Linux kernel. This function may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. As a result, the cursor is left pointing to an invalid entry, and the debug message at the end of the function then dereferences this pointer, leading to a slab-out-of-bounds error. This issue was found by inspection and confirmed with KASAN. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.