| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Memory corruption while processing shared command buffer packet between camera userspace and kernel. |
| Memory corruption while parsing clock configuration data for a specific hardware type. |
| Memory corruption while accessing a synchronization object during concurrent operations. |
| Memory corruption while deinitializing a HDCP session. |
| Memory corruption while handling sensor utility operations. |
| Cryptographic issue may occur while encrypting license data. |
| Memory corruption while processing a secure logging command in the trusted application. |
| Memory corruption while processing identity credential operations in the trusted application. |
| Memory corruption while processing MFC channel configuration during music playback. |
| Information disclosure when a weak hashed value is returned to userland code in response to a IOCTL call to obtain a session ID. |
| Memory corruption when accessing resources in kernel driver. |
| Memory corruption when passing parameters to the Trusted Virtual Machine during the handshake. |
| Memory corruption while performing private key encryption in trusted application. |
| Memory corruption while selecting the PLMN from SOR failed list. |
| Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. |
| Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling. |
| In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix node corruption in ar->arvifs list
In current WLAN recovery code flow, ath11k_core_halt() only
reinitializes the "arvifs" list head. This will cause the
list node immediately following the list head to become an
invalid list node. Because the prev of that node still points
to the list head "arvifs", but the next of the list head "arvifs"
no longer points to that list node.
When a WLAN recovery occurs during the execution of a vif
removal, and it happens before the spin_lock_bh(&ar->data_lock)
in ath11k_mac_op_remove_interface(), list_del() will detect the
previously mentioned situation, thereby triggering a kernel panic.
The fix is to remove and reinitialize all vif list nodes from the
list head "arvifs" during WLAN halt. The reinitialization is to make
the list nodes valid, ensuring that the list_del() in
ath11k_mac_op_remove_interface() can execute normally.
Call trace:
__list_del_entry_valid_or_report+0xb8/0xd0
ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150
__dev_change_flags+0x194/0x234
dev_change_flags+0x24/0x6c
devinet_ioctl+0x3a0/0x670
inet_ioctl+0x200/0x248
sock_do_ioctl+0x60/0x118
sock_ioctl+0x274/0x35c
__arm64_sys_ioctl+0xac/0xf0
invoke_syscall+0x48/0x114
...
Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 |
| Memory Corruption in Multi-mode Call Processor while processing bit mask API. |
| Memory corruption while copying the sound model data from user to kernel buffer during sound model register. |
| Memory corruption while loading a VM from a signed VM image that is not coherent in the processor cache. |
