Zijun Hu

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been resolved, related to the blk-cgroup subsystem. The `blkcg fill root iostats()` function iterates over devices by `class dev iter init()` and `class dev iter next()`, but fails to properly end the iteration with `class dev iter exit()`, resulting in a subsystem refcount leakage. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential wild pointer dereferences issue exists in the Linux kernel regarding the APIs `class dev iter init()`, `class dev iter next()`, and `class dev iter exit()`. The issue arises when the `class dev iter init()` function does not initialize its output parameter `@iter` and returns void, allowing the caller to continue invoking `class dev iter next(@iter)` even if `@iter` still contains wild pointers. This can lead to dereferences of these wild pointers, causing errors. The issue is resolved by initializing the output parameter `@iter` by `memset()` in `class dev iter init()` and prompting callers of errors by `pr crit()`. Additionally, `class dev iter next()` now checks if `@iter` is valid. **Recommendations** For the Linux kernel, to resolve this issue, apply the fix that initializes the output parameter `@iter` by `memset()` in `class dev iter init()` and implements error checking in `class dev iter next()`. As a temporary workaround, consider adding manual checks for the validity of `@iter` before invoking `class dev iter next()` to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue concerns accessing a released USB PHY in the Linux kernel. Specifically, it involves the `sunxi musb driver` and the `musb driver`. The problem arises when the `musb driver` is registered and unregistered, causing the USB PHY to be released, but then accessed again after its release. This is due to a commit that explicitly releases the USB PHY on exit. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include: - The `sunxi musb probe()` function calls `devm usb get phy()` to get the USB PHY. - The `musb probe()` function calls `sunxi musb init()` which uses the PHY. - The `musb remove()` function calls `sunxi musb exit()` which releases the PHY using `devm usb put phy()`. - When the `musb driver` is registered again, `musb probe()` is called, which attempts to use the already released PHY. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to a double free in the driver API `bus register()` function. This occurs when an error happens after `kset register()`, causing `@priv` to be freed twice. The problem is fixed by setting `@priv` to NULL after the first free. This vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to the `bus register()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to a memory leakage caused by the driver API `devm free percpu()` when used to free memory allocated by `devm alloc percpu()`. This is fixed by using `devres release()` instead of `devres destroy()` within `devm free percpu()`. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.50 or later. As a temporary workaround, consider restricting the use of the `devm free percpu()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to an out-of-bounds (OOB) memory access in the `zap modalias env()` function. This function wrongly calculates the size of the memory block to move, causing an OOB memory access issue if the `MODALIAS` variable is not the last one within its `@env` parameter. The problem is fixed by correcting the size calculation for `memmove()`. There is also a mention of an issue with the `irqchip/imx-irqsteer` component related to an out-of-bounds read error, which could lead to a denial of service. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.50 or later. As a temporary workaround, consider restricting access to the vulnerable `zap modalias env()` function until a patch is available. Avoid using the `MODALIAS` variable in the affected `@env` parameter until the issue is resolved.