Will Deacon

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: A kernel info leak has been resolved in the Linux kernel. The issue occurs because the `xol add vma()` function maps an uninitialized page allocated by ` create xol area()` into userspace, making this memory readable on some architectures, such as x86, even without the necessary permissions. This allows a debugger to read the memory, potentially exposing sensitive information. Recommendations: For versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to the `xol add vma()` function and the ` create xol area()` function until a patch is available. Additionally, ensure that the `VM READ` and `VM EXEC` permissions are properly set to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the initialization of the `vmap block` structure in the Linux kernel. When a new `vmap block` is being instantiated by `new vmap block()`, the partially initialized structure is added to the local `vmap block queue` xarray before the `cpu` field has been initialized. If another CPU is concurrently walking the xarray, it may perform an out-of-bounds access to the remote queue thanks to an uninitialized index. This has been observed as UBSAN errors in Android. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a functional regression in the Linux kernel's swiotlb component, which causes double-allocation of slots due to broken alignment handling. This can lead to buffer corruption and/or a hang when using vsock in a virtual machine with a restricted DMA SWIOTLB pool. The problem occurs because swiotlb alloc() expects a page-aligned allocation but returns a pointer to the 'struct page' corresponding to the allocation, resulting in double-allocation of the first half of the 4KiB page. The issue is resolved by treating the allocation alignment separately from any additional alignment requirements from the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.18.12 on the arm64 platform **Description** The issue is related to the KVM subsystem in the Linux kernel, specifically in the arch/arm64/kvm/guest.c file. It is caused by insufficient restrictions on userspace access to the core register file and inadequate PSTATE.M validation, which can lead to unintended execution modes. An attacker who can create virtual machines can exploit this to arbitrarily redirect the hypervisor flow of control with full register control or cause a denial of service via an illegal exception return, potentially leading to a hypervisor panic. **Recommendations** For Linux kernel versions prior to 4.18.12 on the arm64 platform, update to version 4.18.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the KVM subsystem to minimize the risk of exploitation.