Tze-Nan Wu

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an overflow in the `get free elt()` function, specifically with `tracing map->next elt`, which can lead to an infinite loop and a CPU hang problem when trying to insert an element into a full `tracing map` using ` tracing map insert()`. This occurs because once `tracing map->next elt` overflows, new elements can still be inserted into the `tracing map`, even though the maximum number of elements (`max elts`) has been reached. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to the ring-buffer component in the Linux kernel. It occurs when the writer can corrupt the reader while iterating over the ring buffer, specifically when the last event is at the end of the page and has only 4 bytes left. The issue arises from the checks to detect corruption by the writer to reads, which need to see the length of the event. If the length in the first 4 bytes is zero, the length is stored in the second 4 bytes. However, if the writer is updating the code, there's a small window where the length in the first 4 bytes could be zero, even though the length is only 4 bytes. This can cause `rb event length()` to read the next 4 bytes, which could be off the allocated page. To protect against this, the system fails immediately if the next event pointer is less than 8 bytes from the end of the commit. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.