| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Possible use after free when process shell memory is freed using IOCTL munmap call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music |
| Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. |
| Memory corruption while rendering graphics using Adreno GPU drivers in Chrome. |
| Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. |
| In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix node corruption in ar->arvifs list
In current WLAN recovery code flow, ath11k_core_halt() only
reinitializes the "arvifs" list head. This will cause the
list node immediately following the list head to become an
invalid list node. Because the prev of that node still points
to the list head "arvifs", but the next of the list head "arvifs"
no longer points to that list node.
When a WLAN recovery occurs during the execution of a vif
removal, and it happens before the spin_lock_bh(&ar->data_lock)
in ath11k_mac_op_remove_interface(), list_del() will detect the
previously mentioned situation, thereby triggering a kernel panic.
The fix is to remove and reinitialize all vif list nodes from the
list head "arvifs" during WLAN halt. The reinitialization is to make
the list nodes valid, ensuring that the list_del() in
ath11k_mac_op_remove_interface() can execute normally.
Call trace:
__list_del_entry_valid_or_report+0xb8/0xd0
ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150
__dev_change_flags+0x194/0x234
dev_change_flags+0x24/0x6c
devinet_ioctl+0x3a0/0x670
inet_ioctl+0x200/0x248
sock_do_ioctl+0x60/0x118
sock_ioctl+0x274/0x35c
__arm64_sys_ioctl+0xac/0xf0
invoke_syscall+0x48/0x114
...
Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 |
| Memory corruption while copying the result to the transmission queue which is shared between the virtual machine and the host. |
| Memory corruption while copying the result to the transmission queue in EMAC. |
| Memory corruption while processing camera TPG write request. |
| Memory corruption while processing command message in WLAN Host. |
| Memory corruption while executing timestamp video decode command with large input values. |
| Memory corruption while processing packet data with exceedingly large packet. |
| Memory corruption during sub-system restart while processing clean-up to free up resources. |
| Memory corruption caused by missing locks and checks on the DMA fence and improper synchronization. |
| Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node. |
| Memory corruption while assigning memory from the source DDR memory(HLOS) to ADSP. |
| Memory corruption while reading ACPI config through the user mode app. |
| Transient DOS while processing 11AZ RTT management action frame received through OTA. |
| Memory corruption in Core when updating rollback version for TA and OTA feature is enabled. |
| Cryptographic issue in Automotive while unwrapping the key secs2d and verifying with RPMB data. |
| Transient DOS while parsing ieee80211_parse_mscs_ie in WIN WLAN driver. |
