yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr1 at /nasm/nasm-parse.c.

CVE-2023-29582: fuzz_vuln/readme.md at main · z1r00/fuzz_vuln

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the component yasm/yasm+0x43b466 in vsprintf.

**stack-buffer-overflow yasm/yasm+0x43b466 in vsprintf****project address**

https://github.com/yasm/yasm

**info**

OS：Ubuntu20.04 TLS

Build: ./autogen.sh && make distclean && CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" ./configure --prefix=$PWD/build --disable-shared && make -j && make install

**Poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/yasm/stack-buffer-overflow/yasm/id:000055%2Csig:06%2Csrc:008089%2B007532%2Cop:splice%2Crep:128

**ASAN Info**

./yasm id:000055,sig:06,src:008089+007532,op:splice,rep:128

yasm: file name already has no extension: output will be in \`yasm.out'
\=================================================================
\==1107138==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb43ff890 at pc 0x00000043b467 bp 0x7fffb43ff760 sp 0x7fffb43feef8
WRITE of size 21 at 0x7fffb43ff890 thread T0
    #0 0x43b466 in vsprintf (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43b466)
    #1 0x43c3f3 in sprintf (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43c3f3)
    #2 0x54e503 in x86\_dir\_cpu /home/z1r0/fuzzing/yasm/yasm/modules/arch/x86/x86arch.c:169:17
    #3 0x539e14 in yasm\_object\_directive /home/z1r0/fuzzing/yasm/yasm/libyasm/section.c:377:5
    #4 0x57bfe2 in nasm\_parser\_directive /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:1569:10
    #5 0x579361 in parse\_line /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:377:17
    #6 0x579361 in nasm\_parser\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:231:18
    #7 0x577618 in nasm\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:66:5
    #8 0x577618 in nasm\_parser\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:83:5
    #9 0x4c6eae in do\_assemble /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:521:5
    #10 0x4c6eae in main /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:753:12
    #11 0x7f833dc86082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41c47d in \_start (/home/z1r0/fuzzing/yasm/yasm/yasm+0x41c47d)
Address 0x7fffb43ff890 is located in stack of thread T0 at offset 48 in frame
    #0 0x54e38f in x86\_dir\_cpu /home/z1r0/fuzzing/yasm/yasm/modules/arch/x86/x86arch.c:153
  This frame has 1 object(s):
    \[32, 48) 'strcpu' (line 168) <== Memory access at offset 48 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43b466) in vsprintf
Shadow bytes around the buggy address:
  0x100076877ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
\=>0x100076877f10: 00 00\[f3\]f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f30: f1 f1 f1 f1 f8 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100076877f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f50: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f8 f8 f2 f2
  0x100076877f60: f8 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1107138==ABORTING

**Reference**

https://github.com/z1r00/fuzz\_vuln/blob/main/yasm/stack-buffer-overflow/yasm/readmd.md

CVE-2023-29579: stack-buffer-overflow yasm/yasm+0x43b466 in vsprintf · Issue #214 · yasm/yasm

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the mp4v2::impl::MP4StringProperty::~MP4StringProperty() function at src/mp4property.cpp.

Permalink

Cannot retrieve contributors at this time

**Heap-buffer-overflow src/mp4property.cpp:338:17 in mp4v2::impl::MP4StringProperty::~MP4StringProperty()****project address**

https://github.com/TechSmith/mp4v2

**info**

OS：Ubuntu20.04 TLS

Build: mkdir build && cd build && cmake .. && make

**Poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/mp4v2/heap-buffer-overflow/mp4property.cpp/poc1.mp4

**ASAN Info**

./mp4info poc1.mp4

./mp4info version 2.0.0
/home/ubuntu/fuzzing/mp4v2/poc1.mp4:
=================================================================
==2321319\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000158 at pc 0x7f0be169f82a bp 0x7ffe0644aba0 sp 0x7ffe0644ab98
READ of size 8 at 0x602000000158 thread T0
    #0 0x7f0be169f829 in mp4v2::impl::MP4StringProperty::~MP4StringProperty() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:338:17
    #1 0x7f0be169f919 in mp4v2::impl::MP4StringProperty::~MP4StringProperty() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:335:1
    #2 0x7f0be161a7d4 in mp4v2::impl::MP4Atom::~MP4Atom() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:66:9
    #3 0x7f0be1587419 in mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() /home/ubuntu/mprv2\_fuzz/mp4v2/src/atoms.h:344:7
    #4 0x7f0be1624cd6 in mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom\*) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:206:3
    #5 0x7f0be1626ffb in mp4v2::impl::MP4Atom::ReadChildAtoms() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:442:31
    #6 0x7f0be1625990 in mp4v2::impl::MP4Atom::Read() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:247:11
    #7 0x7f0be163960d in mp4v2::impl::MP4File::ReadFromFile() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4file.cpp:431:18
    #8 0x7f0be1637f1f in mp4v2::impl::MP4File::Read(char const\*, MP4FileProvider\_s const\*) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4file.cpp:98:5
    #9 0x7f0be15e60e2 in MP4Read /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4.cpp:106:16
    #10 0x7f0be169ae58 in MP4FileInfo /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4info.cpp:614:29
    #11 0x4c8141 in main /home/ubuntu/mprv2\_fuzz/mp4v2/util/mp4info.cpp:77:22
    #12 0x7f0be0e3f082 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x24082)
    #13 0x41d52d in \_start (/home/ubuntu/mprv2\_fuzz/mp4v2/build/mp4info+0x41d52d)

0x602000000158 is located 0 bytes to the right of 8-byte region \[0x602000000150,0x602000000158)
allocated by thread T0 here:
    #0 0x495f89 in realloc (/home/ubuntu/mprv2\_fuzz/mp4v2/build/mp4info+0x495f89)
    #1 0x7f0be1534c3d in mp4v2::impl::MP4Realloc(void\*, unsigned int) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4util.h:80:18
    #2 0x7f0be16b428f in mp4v2::impl::MP4StringArray::Resize(unsigned int) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4array.h:138:1
    #3 0x7f0be169f9a3 in mp4v2::impl::MP4StringProperty::SetCount(unsigned int) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:346:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:338:17 in mp4v2::impl::MP4StringProperty::~MP4StringProperty()
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa 00\[fa\]fa fa fd fd
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2321319==ABORTING

CVE-2023-29578: fuzz_vuln/readme.md at main · z1r00/fuzz_vuln

An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.

From: Yu Hao <yhao016@ucr.edu>
To: marcel@holtmann.org, johan.hedberg@gmail.com,
	luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: BUG: general protection fault in hci\_uart\_tty\_ioctl
Date: Mon, 17 Apr 2023 21:59:12 -0700	\[thread overview\]
Message-ID: <CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com> (raw)

Hello,

We found the following issue using syzkaller on Linux v6.2.0.

In function \`hci\_uart\_tty\_ioctl\`, there is a race condition
between HCIUARTSETPROTO and HCIUARTGETPROTO.
HCI\_UART\_PROTO\_SET is set before \`hu->proto\` is set.
Thus it may dereference a null pointer.

The full report including the Syzkaller reproducer & C reproducer:
https://gist.github.com/ZHYfeng/a3e3ff2bdfea5ed5de5475f0b54d55cb

The brief report is below:

Syzkaller hit 'general protection fault in hci\_uart\_tty\_ioctl' bug.

general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 \[#1\] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range \[0x0000000000000000-0x0000000000000007\]
CPU: 0 PID: 8770 Comm: syz-executor.0 Not tainted 6.2.0 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:hci\_uart\_tty\_ioctl+0x244/0xc20 drivers/bluetooth/hci\_ldisc.c:774
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 08 00 00 48 8b 9b
b8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6
04 02 84 c0 74 08 3c 03 0f 8e 5f 08 00 00 44 8b 23 e9 14 ff
RSP: 0018:ffffc900022a7d10 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8710057c
RDX: 0000000000000000 RSI: ffff888046df8000 RDI: ffff88801cf510b8
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed10039ea204
R10: ffff88801cf5101f R11: ffffed10039ea203 R12: ffff8880204eb000
R13: 0000000000000000 R14: ffffffffffffffe7 R15: 00000000800401c0
FS:  00007f203e7dd700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005587ec7f32d8 CR3: 000000004629e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 tty\_ioctl+0xac0/0x1420 drivers/tty/tty\_io.c:2784
 vfs\_ioctl fs/ioctl.c:51 \[inline\]
 \_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]
 \_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]
 \_\_x64\_sys\_ioctl+0x198/0x210 fs/ioctl.c:856
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x7f203f0902fd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f203e7dcc58 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f203f1bc020 RCX: 00007f203f0902fd
RDX: 0000000000000000 RSI: 00000000800455c9 RDI: 0000000000000003
RBP: 00007f203f0fec89 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffee4615aef R14: 00007ffee4615ca0 R15: 00007f203e7dcdc0
 </TASK>

                 reply	other threads:\[~2023-04-18  5:00 UTC|newest\]

**Thread overview:** \[no followups\] expand\[flat|nested\]  mbox.gz  Atom feed

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com \\
    --to=yhao016@ucr.edu \\
    --cc=johan.hedberg@gmail.com \\
    --cc=linux-bluetooth@vger.kernel.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=luiz.dentz@gmail.com \\
    --cc=marcel@holtmann.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-31083: BUG: general protection fault in hci_uart_tty_ioctl

An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.

From: Yu Hao <yhao016@ucr.edu>
To: mchehab@kernel.org, linux-media@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: BUG: WARNING in dvb\_frontend\_get\_event
Date: Mon, 17 Apr 2023 21:50:07 -0700	\[thread overview\]
Message-ID: <CA+UBctCu7fXn4q41O\_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com> (raw)

Hello,

We found the following issue using syzkaller on Linux v6.2.0.

In the function \`dvb\_frontend\_get\_event\`, function
\`wait\_event\_interruptible\` is called
and the condition is \`dvb\_frontend\_test\_event(fepriv, events)\`.
In the function \`dvb\_frontend\_test\_event\`, function
\`down(&fepriv->sem);\` is called.
However, function \`wait\_event\_interruptible\` would put the process to sleep.
And function \`down(&fepriv->sem);\` may block the process.
So there is the issue with "do not call blocking ops when !TASK\_RUNNING".

The full report including the Syzkaller reproducer & C reproducer:
https://gist.github.com/ZHYfeng/4c5f8be6adc63b73dba68230d15ece2c

The brief report is below:

Syzkaller hit 'WARNING in dvb\_frontend\_get\_event' bug.

------------\[ cut here \]------------
do not call blocking ops when !TASK\_RUNNING; state=1 set at
\[<ffffffff8161186d>\] prepare\_to\_wait\_event+0x6d/0x690
kernel/sched/wait.c:333
WARNING: CPU: 0 PID: 8017 at kernel/sched/core.c:9968
\_\_might\_sleep+0x10a/0x160 kernel/sched/core.c:9968
Modules linked in:
CPU: 0 PID: 8017 Comm: syz-executor303 Not tainted 6.2.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:\_\_might\_sleep+0x10a/0x160 kernel/sched/core.c:9968
Code: 9d 03 00 48 8d bb d8 16 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00
75 34 48 8b 93 d8 16 00 00 48 c7 c7 e0 68 4c 8a e8 38 55 72 08 <0f> 0b
e9 75 ff ff ff e8 1a 7b 7f 00 e9 26 ff ff ff 89 34 24 e8 1d
RSP: 0018:ffffc9000e537ac8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888018bdba80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888018bdba80 RDI: fffff52001ca6f4b
RBP: ffffffff8a4cd200 R08: 0000000000000000 R09: ffffed1005944f32
R10: ffff88802ca2798b R11: ffffed1005944f31 R12: 000000000000003a
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888044057260
FS:  0000555555995880(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd34db66000 CR3: 000000001f479000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 down+0x1e/0xa0 kernel/locking/semaphore.c:58
 dvb\_frontend\_test\_event drivers/media/dvb-core/dvb\_frontend.c:277 \[inline\]
 dvb\_frontend\_get\_event.isra.0+0x528/0x670
drivers/media/dvb-core/dvb\_frontend.c:301
 dvb\_frontend\_handle\_ioctl+0x1953/0x2ea0
drivers/media/dvb-core/dvb\_frontend.c:2726
 dvb\_frontend\_do\_ioctl+0x1c5/0x2f0 drivers/media/dvb-core/dvb\_frontend.c:2097
 dvb\_usercopy+0xbe/0x280 drivers/media/dvb-core/dvbdev.c:961
 dvb\_frontend\_ioctl+0x5a/0x80 drivers/media/dvb-core/dvb\_frontend.c:2111
 vfs\_ioctl fs/ioctl.c:51 \[inline\]
 \_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]
 \_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]
 \_\_x64\_sys\_ioctl+0x198/0x210 fs/ioctl.c:856
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x7f569e9f4a7d
Code: 28 c3 e8 36 29 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff77694948 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f569e9f4a7d
RDX: 0000000020000000 RSI: 0000000080286f4e RDI: 0000000000000003
RBP: 00007f569e9ae440 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f569e9ae4e0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

                 reply	other threads:\[~2023-04-18  4:50 UTC|newest\]

**Thread overview:** \[no followups\] expand\[flat|nested\]  mbox.gz  Atom feed

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to='CA+UBctCu7fXn4q41O\_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com' \\
    --to=yhao016@ucr.edu \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux-media@vger.kernel.org \\
    --cc=mchehab@kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-31084: BUG: WARNING in dvb_frontend_get_event - Yu Hao

An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.

From: Richard Weinberger <richard@nod.at>
To: Yu Hao <yhao016@ucr.edu>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
	Vignesh Raghavendra <vigneshr@ti.com>,
	linux-mtd <linux-mtd@lists.infradead.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: BUG: divide error in ubi\_attach\_mtd\_dev
Date: Tue, 18 Apr 2023 08:30:47 +0200 (CEST)	\[thread overview\]
Message-ID: <687864524.118195.1681799447034.JavaMail.zimbra@nod.at> (raw)
In-Reply-To: <CA+UBctDsHRpkLG5ppdiuV8Msn4Dx-ZJ2xDrxfa48VMb7ZE+xBA@mail.gmail.com\>

Yu Hao,

----- Ursprüngliche Mail -----
\> Von: "Yu Hao" <yhao016@ucr.edu>
>> ubi: mtd0 is already attached to ubi0
>> ubi7: attaching mtd147
>> divide error: 0000 \[#1\] PREEMPT SMP KASAN
>> CPU: 0 PID: 20023 Comm: syz-executor.0 Not tainted 6.2.0 #6
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> 1.13.0-1ubuntu1.1 04/01/2014
>> RIP: 0010:mtd\_div\_by\_eb include/linux/mtd/mtd.h:580 \[inline\]
>> RIP: 0010:io\_init drivers/mtd/ubi/build.c:620 \[inline\]
>> RIP: 0010:ubi\_attach\_mtd\_dev+0x77f/0x2fe0 drivers/mtd/ubi/build.c:955
>> Code: fc ff df 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38
>> d0 7c 08 84 d2 0f 85 1f 25 00 00 41 8b 4c 24 10 48 89 d8 31 d2 <48> f7
>> f1 48 89 c3 e8 b6 f3 1b fc 48 8d 85 40 17 00 00 48 89 c2 48
>> RSP: 0018:ffffc9000be0fd30 EFLAGS: 00010246
>> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
>> RDX: 0000000000000000 RSI: ffff888047a49d40 RDI: 0000000000000002
>> RBP: ffff888024e1c000 R08: 0000000000000016 R09: fffff520017c1f47
>> R10: ffffc9000be0fa37 R11: fffff520017c1f46 R12: ffff88806545a000
>> R13: 0000000000000000 R14: ffff88806545a010 R15: 0000000000000007
>> FS:  00007fd45e85c700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f64aeef53a4 CR3: 000000004f39a000 CR4: 0000000000350ef0
>> Call Trace:
>>  <TASK>
>>  ctrl\_cdev\_ioctl+0x303/0x3a0 drivers/mtd/ubi/cdev.c:1043
What kind of MTD you attaching?
Has it erasesize 0?

Thanks,
//richard

WARNING: multiple messages have this Message-ID

From: Richard Weinberger <richard@nod.at>
To: Yu Hao <yhao016@ucr.edu>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
	 Vignesh Raghavendra <vigneshr@ti.com>,
	 linux-mtd <linux-mtd@lists.infradead.org>,
	 linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: BUG: divide error in ubi\_attach\_mtd\_dev
Date: Tue, 18 Apr 2023 08:30:47 +0200 (CEST)	\[thread overview\]
Message-ID: <687864524.118195.1681799447034.JavaMail.zimbra@nod.at> (raw)
In-Reply-To: <CA+UBctDsHRpkLG5ppdiuV8Msn4Dx-ZJ2xDrxfa48VMb7ZE+xBA@mail.gmail.com\>

Yu Hao,

----- Ursprüngliche Mail -----
\> Von: "Yu Hao" <yhao016@ucr.edu>
>> ubi: mtd0 is already attached to ubi0
>> ubi7: attaching mtd147
>> divide error: 0000 \[#1\] PREEMPT SMP KASAN
>> CPU: 0 PID: 20023 Comm: syz-executor.0 Not tainted 6.2.0 #6
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> 1.13.0-1ubuntu1.1 04/01/2014
>> RIP: 0010:mtd\_div\_by\_eb include/linux/mtd/mtd.h:580 \[inline\]
>> RIP: 0010:io\_init drivers/mtd/ubi/build.c:620 \[inline\]
>> RIP: 0010:ubi\_attach\_mtd\_dev+0x77f/0x2fe0 drivers/mtd/ubi/build.c:955
>> Code: fc ff df 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38
>> d0 7c 08 84 d2 0f 85 1f 25 00 00 41 8b 4c 24 10 48 89 d8 31 d2 <48> f7
>> f1 48 89 c3 e8 b6 f3 1b fc 48 8d 85 40 17 00 00 48 89 c2 48
>> RSP: 0018:ffffc9000be0fd30 EFLAGS: 00010246
>> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
>> RDX: 0000000000000000 RSI: ffff888047a49d40 RDI: 0000000000000002
>> RBP: ffff888024e1c000 R08: 0000000000000016 R09: fffff520017c1f47
>> R10: ffffc9000be0fa37 R11: fffff520017c1f46 R12: ffff88806545a000
>> R13: 0000000000000000 R14: ffff88806545a010 R15: 0000000000000007
>> FS:  00007fd45e85c700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f64aeef53a4 CR3: 000000004f39a000 CR4: 0000000000350ef0
>> Call Trace:
>>  <TASK>
>>  ctrl\_cdev\_ioctl+0x303/0x3a0 drivers/mtd/ubi/cdev.c:1043
What kind of MTD you attaching?
Has it erasesize 0?

Thanks,
//richard

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

next prev parent reply	other threads:\[~2023-04-18  6:30 UTC|newest\]

**Thread overview:** 21+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2023-04-18  5:10 BUG: divide error in ubi\_attach\_mtd\_dev Yu Hao
2023-04-18  5:16 \` Yu Hao
2023-04-18  5:16   \` Yu Hao
**2023-04-18  6:30   \` Richard Weinberger \[this message\]**
2023-04-18  6:30     \` Richard Weinberger
2023-04-20  4:49     \` Zhihao Cheng
2023-04-20  4:49       \` Zhihao Cheng
2023-04-20 17:27       \` Yu Hao
2023-04-20 17:27         \` Yu Hao
2023-04-20 17:33         \` Richard Weinberger
2023-04-20 17:33           \` Richard Weinberger
2023-04-20 18:14           \` Yu Hao
2023-04-20 18:14             \` Yu Hao
2023-04-20 20:36             \` Richard Weinberger
2023-04-20 20:36               \` Richard Weinberger
2023-04-23  3:20               \` Zhihao Cheng
2023-04-23  3:20                 \` Zhihao Cheng
2023-04-23  8:02                 \` Richard Weinberger
2023-04-23  8:02                   \` Richard Weinberger
2023-04-23  9:13                   \` Zhihao Cheng
2023-04-23  9:13                     \` Zhihao Cheng

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=687864524.118195.1681799447034.JavaMail.zimbra@nod.at \\
    --to=richard@nod.at \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux-mtd@lists.infradead.org \\
    --cc=miquel.raynal@bootlin.com \\
    --cc=vigneshr@ti.com \\
    --cc=yhao016@ucr.edu \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-31085: Re: BUG: divide error in ubi_attach_mtd_dev

An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel.

From: Yu Hao <yhao016@ucr.edu>
To: gregkh@linuxfoundation.org, jirislaby@kernel.org,
	linux-kernel@vger.kernel.org
Subject: BUG: sleeping function called from invalid context in \_\_might\_resched
Date: Mon, 17 Apr 2023 20:44:30 -0700	\[thread overview\]
Message-ID: <CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ\_7MNqhh483P5yN8A@mail.gmail.com> (raw)

Hello,

We found the following issue using syzkaller on Linux v6.2.0.
A similar bug was found in function \`n\_hdlc\_tty\_wakeup\` before.
(https://groups.google.com/g/syzkaller-bugs/c/XAyZCUO-eAY/m/Lpj5SzDNAwAJ)
Now it is found in a different caller \`gsmld\_write\`.
It needs to fix the bug in \`gsmld\_write\` again.

The full report including the C reproducer:
https://gist.github.com/ZHYfeng/eb410de5d7aec253d8c83cf34e628d6a

The brief report is below:

Syzkaller hit 'BUG: sleeping function called from invalid context in
\_\_might\_resched' bug.

BUG: sleeping function called from invalid context at
kernel/printk/printk.c:2656
in\_atomic(): 1, irqs\_disabled(): 1, non\_block: 0, pid: 9817, name: (agetty)
preempt\_count: 1, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by (agetty)/9817:
 #0: ffff888017797098 (&tty->ldisc\_sem){++++}-{0:0}, at:
tty\_ldisc\_ref\_wait+0x27/0x80 drivers/tty/tty\_ldisc.c:244
 #1: ffff888017797130 (&tty->atomic\_write\_lock){+.+.}-{3:3}, at:
tty\_write\_lock+0x23/0x90 drivers/tty/tty\_io.c:944
 #2: ffff888046ee93e0 (&gsm->tx\_lock){....}-{2:2}, at:
gsmld\_write+0x63/0x150 drivers/tty/n\_gsm.c:3410
irq event stamp: 3146
hardirqs last  enabled at (3145): \[<ffffffff8a0f3a32>\]
syscall\_enter\_from\_user\_mode+0x22/0xb0 kernel/entry/common.c:111
hardirqs last disabled at (3146): \[<ffffffff8a12e6b3>\]
\_\_raw\_spin\_lock\_irqsave include/linux/spinlock\_api\_smp.h:108 \[inline\]
hardirqs last disabled at (3146): \[<ffffffff8a12e6b3>\]
\_raw\_spin\_lock\_irqsave+0x53/0x60 kernel/locking/spinlock.c:162
softirqs last  enabled at (0): \[<ffffffff814b301d>\]
copy\_process+0x1a8d/0x7490 kernel/fork.c:2211
softirqs last disabled at (0): \[<0000000000000000>\] 0x0
Preemption disabled at:
\[<0000000000000000>\] 0x0
CPU: 0 PID: 9817 Comm: (agetty) Not tainted 6.2.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xcd/0x134 lib/dump\_stack.c:106
 \_\_might\_resched.cold+0x222/0x26b kernel/sched/core.c:10045
 console\_lock+0x1c/0x80 kernel/printk/printk.c:2656
 do\_con\_write+0x114/0x1e40 drivers/tty/vt/vt.c:2908
 con\_write+0x26/0x40 drivers/tty/vt/vt.c:3295
 gsmld\_write+0xd0/0x150 drivers/tty/n\_gsm.c:3413
 do\_tty\_write drivers/tty/tty\_io.c:1018 \[inline\]
 file\_tty\_write.isra.0+0x48f/0x820 drivers/tty/tty\_io.c:1089
 call\_write\_iter include/linux/fs.h:2189 \[inline\]
 new\_sync\_write fs/read\_write.c:491 \[inline\]
 vfs\_write+0x9cf/0xd90 fs/read\_write.c:584
 ksys\_write+0x12c/0x250 fs/read\_write.c:637
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x7f5538c101b0
Code: 2e 0f 1f 84 00 00 00 00 00 90 48 8b 05 19 7e 20 00 c3 0f 1f 84
00 00 00 00 00 83 3d 19 c2 20 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89 04 24
RSP: 002b:00007ffdb4aadbe8 EFLAGS: 00000246 ORIG\_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000a RCX: 00007f5538c101b0
RDX: 000000000000000a RSI: 00007f553b13ccbe RDI: 0000000000000003
RBP: 00007f553b13ccbe R08: 00007ffdb4aadba0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: ffffffffffffffff R15: 00007ffdb4aadea0
 </TASK>

next             reply	other threads:\[~2023-04-18  3:45 UTC|newest\]

**Thread overview:** 4+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2023-04-18  3:44 Yu Hao \[this message\]**
2023-04-18  6:09 \` BUG: sleeping function called from invalid context in \_\_might\_resched Greg KH
2023-04-18  6:51 \` Jiri Slaby
2023-04-20  8:21   \` D. Starke

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to='CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ\_7MNqhh483P5yN8A@mail.gmail.com' \\
    --to=yhao016@ucr.edu \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=jirislaby@kernel.org \\
    --cc=linux-kernel@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-31082: BUG: sleeping function called from invalid context in __might_resched

An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).

From: Yu Hao <yhao016@ucr.edu>
To: dwlsalmeida@gmail.com, mchehab@kernel.org,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: BUG: general protection fault in vidtv\_mux\_stop\_thread
Date: Mon, 17 Apr 2023 21:20:46 -0700	\[thread overview\]
Message-ID: <CA+UBctDXyiosaiR7YNKCs8k0aWu4gU+YutRcnC+TDJkXpHjQag@mail.gmail.com> (raw)

Hello,

We found the following issue using syzkaller on Linux v6.2.0.

It seems to be a currency bug.
In the function \`vidtv\_stop\_streaming\`, after \`dvb->mux = NULL;\` was executed,
it executes \`vidtv\_mux\_stop\_thread(dvb->mux);\` again.
Need to check the \`dvb->mux==NULL\` before \`vidtv\_mux\_stop\_thread(dvb->mux);\`
in function \`vidtv\_stop\_streaming\`

The full report including the Syzkaller reproducer:
https://gist.github.com/ZHYfeng/c61f87ed42d4c44344d4addefd81cc1f

The brief report is below:

Syzkaller hit 'general protection fault in vidtv\_mux\_stop\_thread' bug.

general protection fault, probably for non-canonical address
0xdffffc0000000025: 0000 \[#1\] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range \[0x0000000000000128-0x000000000000012f\]
CPU: 0 PID: 9614 Comm: syz-executor.0 Not tainted 6.2.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:vidtv\_mux\_stop\_thread+0x27/0x80
drivers/media/test-drivers/vidtv/vidtv\_mux.c:471
Code: 00 00 00 0f 1f 44 00 00 55 53 48 89 fb e8 51 23 b2 fa 48 8d bb
28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6
04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8
RSP: 0018:ffffc900068ffca0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff86cec666
RDX: 0000000000000025 RSI: ffff888020378000 RDI: 0000000000000128
RBP: ffff888019d652f8 R08: 0000000000000000 R09: fffffbfff1ce4fab
R10: ffffc900068ffcb8 R11: fffffbfff1ce4faa R12: ffff888019d65260
R13: ffffffff8dc6f3c0 R14: ffffc9000713a6c0 R15: ffff888019d64a70
FS:  0000555555b72940(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555c00d88 CR3: 000000001e832000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 vidtv\_stop\_streaming
drivers/media/test-drivers/vidtv/vidtv\_bridge.c:209 \[inline\]
 vidtv\_stop\_feed+0x14e/0x250 drivers/media/test-drivers/vidtv/vidtv\_bridge.c:252
 dmx\_section\_feed\_stop\_filtering+0x91/0x150
drivers/media/dvb-core/dvb\_demux.c:1000
 dvb\_dmxdev\_feed\_stop+0x203/0x280 drivers/media/dvb-core/dmxdev.c:486
 dvb\_dmxdev\_filter\_stop.part.0+0x1e7/0x340 drivers/media/dvb-core/dmxdev.c:559
 dvb\_dmxdev\_filter\_stop drivers/media/dvb-core/dmxdev.c:552 \[inline\]
 dvb\_dmxdev\_filter\_free drivers/media/dvb-core/dmxdev.c:840 \[inline\]
 dvb\_demux\_release+0xd6/0x5c0 drivers/media/dvb-core/dmxdev.c:1246
 \_\_fput+0x281/0xa90 fs/file\_table.c:320
 task\_work\_run+0x170/0x270 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x262/0x270 kernel/entry/common.c:203
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:285 \[inline\]
 syscall\_exit\_to\_user\_mode+0x19/0x50 kernel/entry/common.c:296
 do\_syscall\_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x7fe950c40dcb
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c
24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd3d403e80 EFLAGS: 00000293 ORIG\_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fe950c40dcb
RDX: 0000001b31220000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007fe950dd0450
R10: 00007ffd3d403fc0 R11: 0000000000000293 R12: 00007fe950dd0448
R13: 00007fe950dd0450 R14: 00007fe950dcbf60 R15: 000000000001c14f
 </TASK>

                 reply	other threads:\[~2023-04-18  4:22 UTC|newest\]

**Thread overview:** \[no followups\] expand\[flat|nested\]  mbox.gz  Atom feed

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=CA+UBctDXyiosaiR7YNKCs8k0aWu4gU+YutRcnC+TDJkXpHjQag@mail.gmail.com \\
    --to=yhao016@ucr.edu \\
    --cc=dwlsalmeida@gmail.com \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux-media@vger.kernel.org \\
    --cc=mchehab@kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-31081: BUG: general protection fault in vidtv_mux_stop_thread

Repetier Server through 1.4.10 does not have CSRF protection.

Here you can download the free version of Repetier-Server. To get the Pro version with all features, you just have to enter your Repetier-Server Pro license code you can get here. Repetier-Server Monitor is always free.

** Repetier-Server 1.4.10**

**After installing Repetier-Server you can activate a completely free test period of 14 days to test out all Pro features. If you are satisfied, we are happy if you decide for a Pro version and support this project.**

**Download Older Versions**

**Show Changelog**

**Which version is the right?**

For the linux versions we currently only have Debian installer which work with all newer Debian like distributions like Ubuntu as long as your libc version is greater equal the used version. See table below:

*   **Linux 32 bit Intel (intel32):** libc 2.19 like used in Ubuntu 14.04LTS
*   **Linux 64 bit Intel (amd64):** libc 2.13 like used in Debian Wheezy
*   **Linux 32 bit ARM (armhf):** libc 2.16 like used in Debian Jessie. Use armel if you have a older libc.
*   **Linux 64 bit ARM (armhf 64 bit):** libc 2.23 like used in Ubuntu 16.04
*   **Linux 32 bit ARM (armel):** libc 2.13 like on Raspberry-Pi Raspian
*   **Windows: Vista, 7, 10 and 11**
*   **Mac: OS X 10.13 or later**

For the arm boards we have two versions depending on the arm architecture. The widespread Raspberry-PI uses the armel version. Boards with better hardware like Beagle bon black should use the faster armhf version.

For update informations, please check out our changelog.

** Repetier-Server Monitor 1.4.5**

Free desktop app to connect multiple Repetier-Server PRO or OEM instances at once with additional functions like easy g-code upload from any slicer, Repetier-Server backup, …  
Read more …

**Show Changelog**

**System requirements**

*   Windows 7 and higher (64 bit), Mac OS X 10.10 and higher and Linux (64 bit)
*   200 MB disc storage
*   The current version of Repetier-Server
*   If under linux the screen is empty add –disable-gpu as parameter. Happens especially under virtual machines.

**Troubleshooting:**

If you have any problems with our software, here you will find help:

*   Manual including installation instructions and other documentations
*   Frequently askes questions
*   Our forum for answers and questions not covered in the above sources

**Notice for Raspberry Pi users**

The Pi is very power sensitive. If it does not receive stable 5V, you may experience stability issues like bad connections or temperature errors. Use a solid 3A power supply, best with 5.1 V output. Also a cheap usb cable with thin wires can cause voltage loss. We recommend an AWG20 USB cable.

More information

CVE-2023-31061: Download - Repetier-Server

Ubuntu Security Notice 6036-1 - It was discovered that PatchELF was not properly performing bounds checks, which could lead to an out-of-bounds read via a specially crafted file. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information.

==========================================================================

Ubuntu Security Notice USN-6036-1  
April 20, 2023

patchelf vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 ESM

Summary:

patchelf could be made to crash or read sensitive data if it opened  
a specially crafted file.

Software Description:  
- patchelf: modify properties of ELF executables

Details:

It was discovered that PatchELF was not properly performing bounds  
checks, which could lead to an out-of-bounds read via a specially  
crafted file. An attacker could possibly use this issue to cause a  
denial of service or to expose sensitive information. (CVE-2022-44940)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
patchelf 0.14.3-1ubuntu0.1

Ubuntu 22.04 ESM:  
patchelf 0.14.3-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6036-1  
CVE-2022-44940

Package Information:  
https://launchpad.net/ubuntu/+source/patchelf/0.14.3-1ubuntu0.1

Tag

#ubuntu