Zhou Qingyang

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference issue was found in the Linux kernel, specifically in the `amdgpu dm connector add common modes()` function. This issue occurs when `amdgpu dm create common mode()` fails, causing a NULL pointer to be passed to `drm mode probed add()`, which then attempts to dereference it. This could lead to a NULL pointer dereference. The issue was discovered by a static analyzer. **Recommendations** To resolve this issue, apply the fix that adds a NULL check for the `mode` variable in the `amdgpu dm connector add common modes()` function.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to the fix commit **Description** The issue is related to a NULL pointer dereference in the `zynq qspi exec mem op()` function. This occurs because `kzalloc()` is directly used in `memset()`, which could lead to a NULL pointer dereference on failure of `kzalloc()`. The bug was found by a static analyzer using differential checking to identify inconsistent security operations between two code paths. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. **Recommendations** To resolve the issue, upgrade to versions released after March 2022. Ensure your systems are updated to protect against potential exploits. As a temporary workaround, consider adding a check of `tmpbuf` in the `zynq qspi exec mem op()` function to prevent the NULL pointer dereference.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the `mlx4 en try alloc resources()` function. This bug could lead to a use-after-free problem when `mlx4 en copy priv()` fails, causing `tmp->tx cq` to be freed, and then `mlx4 en alloc resources()` is called, resulting in a dereference of `&tmp->tx cq[t][i]`. The bug was found by a static analyzer using differential checking to identify inconsistent security operations between two code paths. It is noted that this bug could be a false positive or hard to trigger, and multiple researchers have cross-reviewed it. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference vulnerability has been resolved in the Linux kernel. The issue occurs in the `cdnsp endpoint init()` function, where `cdnsp ring alloc()` is assigned to `pep->ring` and then dereferenced, potentially leading to a NULL pointer dereference if `cdnsp ring alloc()` fails. The bug was found by a static analyzer using differential checking to identify inconsistent security operations between two code paths. Multiple researchers have cross-reviewed the bug, and builds with `CONFIG USB CDNSP GADGET=y` show no new warnings. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak bug was found in the `rvu mbox init()` function, where `mbox regions` is not freed or passed out under the switch-default region. This bug was identified by a static analyzer using differential checking to detect inconsistent security operations between two code paths. The analysis confirmed that the inconsistent operations are not recovered in the current function or its callers, constituting a bug. The bug can be fixed by changing 'return err' to 'goto free regions'. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference issue has been resolved in the Linux kernel. The issue occurs in the `qlcnic 83xx add rings()` function, where the indirect function of `ahw->hw ops->alloc mbx args` is called to allocate memory for `cmd.req.arg`. If this allocation fails, a NULL pointer dereference can occur. The fix involves adding a check for `alloc mbx args()` to prevent this issue. The bug was found using a static analyzer, which employs differential checking to identify inconsistent security operations between two code paths. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.