CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-9589-MPWG-8XQ6
Vulnerability from github – Published: 2025-04-14 15:31 – Updated: 2026-06-26 00:32A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.
{
"affected": [],
"aliases": [
"CVE-2025-32913"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T14:15:24Z",
"severity": "HIGH"
},
"details": "A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.",
"id": "GHSA-9589-mpwg-8xq6",
"modified": "2026-06-26T00:32:00Z",
"published": "2025-04-14T15:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32913"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/435"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359357"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-32913"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9179"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8292"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:7436"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4624"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4609"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4568"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4560"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4538"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4508"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4440"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4439"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21657"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-958G-2HVC-2PGW
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-10 15:30In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds
Fix a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with a CLM version string by memcpy() in brcmf_fil_iovar_data_get(). Ensure buf is null-terminated.
Found by a modified version of syzkaller.
[ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available [ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22 [ 33.021554][ T1896] ================================================================== [ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110 [ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896 [ 33.023852][ T1896] [ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 [ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event [ 33.026581][ T1896] Call Trace: [ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d [ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334 [ 33.028037][ T1896] ? strreplace+0xf2/0x110 [ 33.028403][ T1896] ? strreplace+0xf2/0x110 [ 33.028807][ T1896] kasan_report.cold+0x83/0xdf [ 33.029283][ T1896] ? strreplace+0xf2/0x110 [ 33.029666][ T1896] strreplace+0xf2/0x110 [ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40 [ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100 [ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0 [ 33.032091][ T1896] ? find_held_lock+0x2d/0x110 [ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260 [ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0 [ 33.033582][ T1896] brcmf_attach+0x246/0xd40 [ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50 [ 33.034383][ T1896] ? kmemdup+0x30/0x40 [ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690 [ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 [ 33.035833][ T1896] usb_probe_interface+0x25f/0x710 [ 33.036315][ T1896] really_probe+0x1be/0xa90 [ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460 [ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0 [ 33.037383][ T1896] driver_probe_device+0x49/0x120 [ 33.037790][ T1896] __device_attach_driver+0x18a/0x250 [ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120 [ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0 [ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20 [ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 [ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120 [ 33.042330][ T1896] __device_attach+0x207/0x330 [ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0 [ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0 [ 33.043515][ T1896] bus_probe_device+0x1a2/0x260 [ 33.043914][ T1896] device_add+0xa61/0x1ce0 [ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660 [ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550 [ 33.045531][ T1896] usb_set_configuration+0x984/0x1770 [ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230 [ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90 [ 33.046931][ T1896] usb_probe_device+0x9c/0x220 [ 33.047434][ T1896] really_probe+0x1be/0xa90 [ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460 [ 33.048134][ T1896] driver_probe_device+0x49/0x120 [ 33.048516][ T1896] __device_attach_driver+0x18a/0x250 [ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120 ---truncated---
{
"affected": [],
"aliases": [
"CVE-2023-53582"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds\n\nFix a stack-out-of-bounds read in brcmfmac that occurs\nwhen \u0027buf\u0027 that is not null-terminated is passed as an argument of\nstrreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with\na CLM version string by memcpy() in brcmf_fil_iovar_data_get().\nEnsure buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22\n[ 33.021554][ T1896] ==================================================================\n[ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110\n[ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896\n[ 33.023852][ T1896]\n[ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132\n[ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event\n[ 33.026581][ T1896] Call Trace:\n[ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d\n[ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334\n[ 33.028037][ T1896] ? strreplace+0xf2/0x110\n[ 33.028403][ T1896] ? strreplace+0xf2/0x110\n[ 33.028807][ T1896] kasan_report.cold+0x83/0xdf\n[ 33.029283][ T1896] ? strreplace+0xf2/0x110\n[ 33.029666][ T1896] strreplace+0xf2/0x110\n[ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40\n[ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100\n[ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0\n[ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0\n[ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0\n[ 33.032091][ T1896] ? find_held_lock+0x2d/0x110\n[ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260\n[ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[ 33.033582][ T1896] brcmf_attach+0x246/0xd40\n[ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50\n[ 33.034383][ T1896] ? kmemdup+0x30/0x40\n[ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690\n[ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[ 33.035833][ T1896] usb_probe_interface+0x25f/0x710\n[ 33.036315][ T1896] really_probe+0x1be/0xa90\n[ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460\n[ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0\n[ 33.037383][ T1896] driver_probe_device+0x49/0x120\n[ 33.037790][ T1896] __device_attach_driver+0x18a/0x250\n[ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120\n[ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0\n[ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20\n[ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120\n[ 33.042330][ T1896] __device_attach+0x207/0x330\n[ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0\n[ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0\n[ 33.043515][ T1896] bus_probe_device+0x1a2/0x260\n[ 33.043914][ T1896] device_add+0xa61/0x1ce0\n[ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660\n[ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550\n[ 33.045531][ T1896] usb_set_configuration+0x984/0x1770\n[ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230\n[ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90\n[ 33.046931][ T1896] usb_probe_device+0x9c/0x220\n[ 33.047434][ T1896] really_probe+0x1be/0xa90\n[ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460\n[ 33.048134][ T1896] driver_probe_device+0x49/0x120\n[ 33.048516][ T1896] __device_attach_driver+0x18a/0x250\n[ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120\n---truncated---",
"id": "GHSA-958g-2hvc-2pgw",
"modified": "2026-02-10T15:30:20Z",
"published": "2025-10-04T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53582"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ca2efea4f11c6255061e852ac188264c469c197"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b173b4ad9c001a555f44adc7836d6fe3afbe9ec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/423a1297ea72bbddf64dbb0957f2879c0f2aa5d0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/660145d708be52f946a82e5b633c020f58f996de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0f0ce1c8ab9fe90618dc394e3d1568b5a9ac154"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c02f733024d70105f22de8dd0a1252a0350cd516"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecb980dc79709c02f579a9c03cb92ccec189ab38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-958V-76XQ-CVPV
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18Null pointer dereference can occur due to memory allocation failure in DIAG in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2021-1917"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-20T07:15:00Z",
"severity": "HIGH"
},
"details": "Null pointer dereference can occur due to memory allocation failure in DIAG in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Wearables",
"id": "GHSA-958v-76xq-cvpv",
"modified": "2022-05-24T19:18:24Z",
"published": "2022-05-24T19:18:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1917"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-959V-VP3P-VW6V
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.
{
"affected": [],
"aliases": [
"CVE-2015-8787"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-02-08T03:59:00Z",
"severity": "CRITICAL"
},
"details": "The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.",
"id": "GHSA-959v-vp3p-vw6v",
"modified": "2022-05-13T01:04:11Z",
"published": "2022-05-13T01:04:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8787"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/94f9cd81436c85d8c3a318ba92e236ede73752fc"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1300731"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=94f9cd81436c85d8c3a318ba92e236ede73752fc"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176464.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176484.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00015.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/6"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2889-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2889-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2890-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2890-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2890-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95JG-586G-68W9
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2025-05-05 18:31Null pointer dereference in subsystem for Intel(R) AMT before versions 15.0.35 may allow an authenticated user to potentially enable denial of service via network access.
{
"affected": [],
"aliases": [
"CVE-2021-33068"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference in subsystem for Intel(R) AMT before versions 15.0.35 may allow an authenticated user to potentially enable denial of service via network access.",
"id": "GHSA-95jg-586g-68w9",
"modified": "2025-05-05T18:31:31Z",
"published": "2022-02-11T00:00:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33068"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220210-0006"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00470.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95MQ-4JG4-HPQ2
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-11-07 00:30In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini
Currently amdgpu calls drm_sched_fini() from the fence driver sw fini routine - such function is expected to be called only after the respective init function - drm_sched_init() - was executed successfully.
Happens that we faced a driver probe failure in the Steam Deck recently, and the function drm_sched_fini() was called even without its counter-part had been previously called, causing the following oops:
amdgpu: probe of 0000:04:00.0 failed with error -110 BUG: kernel NULL pointer dereference, address: 0000000000000090 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338 Hardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022 RIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched] [...] Call Trace: amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu] amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu] amdgpu_driver_release_kms+0x16/0x30 [amdgpu] devm_drm_dev_init_release+0x49/0x70 [...]
To prevent that, check if the drm_sched was properly initialized for a given ring before calling its fini counter-part.
Notice ideally we'd use sched.ready for that; such field is set as the latest thing on drm_sched_init(). But amdgpu seems to "override" the meaning of such field - in the above oops for example, it was a GFX ring causing the crash, and the sched.ready field was set to true in the ring init routine, regardless of the state of the DRM scheduler. Hence, we ended-up using sched.ops as per Christian's suggestion [0], and also removed the no_scheduler check [1].
[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/ [1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/
{
"affected": [],
"aliases": [
"CVE-2023-52738"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\n\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\nroutine - such function is expected to be called only after the\nrespective init function - drm_sched_init() - was executed successfully.\n\nHappens that we faced a driver probe failure in the Steam Deck\nrecently, and the function drm_sched_fini() was called even without\nits counter-part had been previously called, causing the following oops:\n\namdgpu: probe of 0000:04:00.0 failed with error -110\nBUG: kernel NULL pointer dereference, address: 0000000000000090\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\n[...]\nCall Trace:\n \u003cTASK\u003e\n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n devm_drm_dev_init_release+0x49/0x70\n [...]\n\nTo prevent that, check if the drm_sched was properly initialized for a\ngiven ring before calling its fini counter-part.\n\nNotice ideally we\u0027d use sched.ready for that; such field is set as the latest\nthing on drm_sched_init(). But amdgpu seems to \"override\" the meaning of such\nfield - in the above oops for example, it was a GFX ring causing the crash, and\nthe sched.ready field was set to true in the ring init routine, regardless of\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\nChristian\u0027s suggestion [0], and also removed the no_scheduler check [1].\n\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/",
"id": "GHSA-95mq-4jg4-hpq2",
"modified": "2024-11-07T00:30:35Z",
"published": "2024-05-21T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52738"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-95V2-WH6J-6P7Q
Vulnerability from github – Published: 2022-04-21 01:57 – Updated: 2022-04-21 01:57It was found in FreeBSD 8.0, 6.3 and 4.9, and OpenBSD 4.6 that a null pointer dereference in ftpd/popen.c may lead to remote denial of service of the ftpd service.
{
"affected": [],
"aliases": [
"CVE-2010-4816"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-22T14:15:00Z",
"severity": "HIGH"
},
"details": "It was found in FreeBSD 8.0, 6.3 and 4.9, and OpenBSD 4.6 that a null pointer dereference in ftpd/popen.c may lead to remote denial of service of the ftpd service.",
"id": "GHSA-95v2-wh6j-6p7q",
"modified": "2022-04-21T01:57:54Z",
"published": "2022-04-21T01:57:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4816"
},
{
"type": "WEB",
"url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=144761"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2010/Mar/117"
},
{
"type": "WEB",
"url": "https://seclists.org/oss-sec/2011/q3/284"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9625-277J-4Q85
Vulnerability from github – Published: 2025-03-18 21:31 – Updated: 2025-03-18 21:31In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: rpmpd: Check for null return of devm_kcalloc
Because of the possible failure of the allocation, data->domains might be NULL pointer and will cause the dereference of the NULL pointer later. Therefore, it might be better to check it and directly return -ENOMEM without releasing data manually if fails, because the comment of the devm_kmalloc() says "Memory allocated with this function is automatically freed on driver detach.".
{
"affected": [],
"aliases": [
"CVE-2021-47651"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T06:37:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: rpmpd: Check for null return of devm_kcalloc\n\nBecause of the possible failure of the allocation, data-\u003edomains might\nbe NULL pointer and will cause the dereference of the NULL pointer\nlater.\nTherefore, it might be better to check it and directly return -ENOMEM\nwithout releasing data manually if fails, because the comment of the\ndevm_kmalloc() says \"Memory allocated with this function is\nautomatically freed on driver detach.\".",
"id": "GHSA-9625-277j-4q85",
"modified": "2025-03-18T21:31:58Z",
"published": "2025-03-18T21:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47651"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31b5124d742969ea8bf7a1360596f548ca23e770"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a811126d38f9767a20cc271b34db7c8efc5a46c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/724376c30af5a57686b223dbcd6188e07d2a1de2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/755dbc3d73789ac9f0017c729abf5e4b153bf799"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84b89fa877ad576e9ee8130f412cfd592f274508"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5d6eba71997b6d661935d2b15094ac7f9f6132d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9629-73HH-QPXP
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-04-17 21:30In the Linux kernel, the following vulnerability has been resolved:
ice: Fix some null pointer dereference issues in ice_ptp.c
devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.
{
"affected": [],
"aliases": [
"CVE-2023-52471"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:27:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix some null pointer dereference issues in ice_ptp.c\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
"id": "GHSA-9629-73hh-qpxp",
"modified": "2024-04-17T21:30:45Z",
"published": "2024-02-26T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52471"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3027e7b15b02d2d37e3f82d6b8404f6d37e3b8cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cd9b9bee33f39f6c6d52360fe381b89a7b12695"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-962J-23C4-PJ99
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07A vulnerability has been identified in JT Utilities (All versions < V13.0.2.0). When parsing specially crafted JT files, a missing check for the validity of an iterator leads to NULL pointer deference condition, causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.
{
"affected": [],
"aliases": [
"CVE-2021-33714"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-13T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in JT Utilities (All versions \u003c V13.0.2.0). When parsing specially crafted JT files, a missing check for the validity of an iterator leads to NULL pointer deference condition, causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.",
"id": "GHSA-962j-23c4-pj99",
"modified": "2022-05-24T19:07:42Z",
"published": "2022-05-24T19:07:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33714"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-209268.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.