The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix preallocation discarding at indirect extent boundary
When the preallocation extent is the first one in the extent block, the code would corrupt the extent tree header instead. Fix the problem and use udf_delete_aext() for deleting the extent to avoid some code duplication.(CVE-2022-48946)
In the Linux kernel, the following vulnerability has been resolved:
NFC: nci: Bounds check struct nfc_target arrays
While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:
memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks.(CVE-2022-48967)
In the Linux kernel, the following vulnerability has been resolved:
gpio: amd8111: Fix PCI device reference count leak
for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break the for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() after the 'out' label. Since pci_dev_put() can handle a NULL input parameter, there is no problem for the 'Device not found' branch. For the normal path, add pci_dev_put() in amd_gpio_exit().(CVE-2022-48973)
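The get/put contract the commit message above describes, as an added example that is not kernel code and not part of the advisory: a toy bus with the same reference-counting semantics as pci_get_device()/pci_dev_put(), a loop in the shape of for_each_pci_dev(), and the leaky and fixed probe patterns side by side so the leaked reference can be counted. All toy_* names and the sample bus contents are assumptions made for this illustration.

```c
#include <stddef.h>

#define TOY_NDEVS 4

struct toy_dev {
    int vendor;
    int refcount;
};

/* Constructed sample bus: four devices, two of them with vendor 0x1022. */
static struct toy_dev toy_bus[TOY_NDEVS] = {
    { 0x1000, 0 }, { 0x1022, 0 }, { 0x8086, 0 }, { 0x1022, 0 },
};

static void toy_reset_bus(void)
{
    for (size_t i = 0; i < TOY_NDEVS; i++)
        toy_bus[i].refcount = 0;
}

/*
 * Mirrors the pci_get_device() contract described in the commit message:
 * drop the reference held on @from (if any), take one on the next device
 * and return it, or return NULL once the bus is exhausted.
 */
static struct toy_dev *toy_get_device(struct toy_dev *from)
{
    size_t next = 0;

    if (from) {
        from->refcount--;
        next = (size_t)(from - toy_bus) + 1;
    }
    if (next >= TOY_NDEVS)
        return NULL;
    toy_bus[next].refcount++;
    return &toy_bus[next];
}

/* Mirrors pci_dev_put(): a NULL argument is a harmless no-op. */
static void toy_dev_put(struct toy_dev *dev)
{
    if (dev)
        dev->refcount--;
}

/* Same shape as for_each_pci_dev(): every iteration rebalances the count. */
#define toy_for_each_dev(d) \
    for ((d) = toy_get_device(NULL); (d) != NULL; (d) = toy_get_device(d))

/* Sum of references still held; 0 means every get was balanced by a put. */
static int toy_total_refs(void)
{
    int sum = 0;

    for (size_t i = 0; i < TOY_NDEVS; i++)
        sum += toy_bus[i].refcount;
    return sum;
}

/*
 * The leaky pattern: break out of the walk holding the match and never
 * call put. Returns the number of references still held afterwards,
 * which is 1 whenever a device matched.
 */
static int toy_probe_leaky(int vendor)
{
    struct toy_dev *pdev;

    toy_reset_bus();
    toy_for_each_dev(pdev) {
        if (pdev->vendor == vendor)
            break;
    }
    /* 'pdev' would be used here and then forgotten: the reference leaks. */
    return toy_total_refs();
}

/*
 * The fixed pattern: the reference the iterator took is always released.
 * pdev is NULL in the "device not found" branch, and put(NULL) is a no-op,
 * so one unconditional put covers both exits.
 */
static int toy_probe_fixed(int vendor)
{
    struct toy_dev *pdev;

    toy_reset_bus();
    toy_for_each_dev(pdev) {
        if (pdev->vendor == vendor)
            break;
    }
    /* 'pdev' would be used here ... */
    toy_dev_put(pdev);
    return toy_total_refs();
}
```

A refcount that never returns to zero is the observable symptom of this bug class; in the kernel it shows up as a device that can never be released rather than as a crash, which is why it is easy to miss without a counter like the one above.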
In the Linux kernel, the following vulnerability has been resolved:
ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or the thread getting killed. seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes matching snd_seq_dump_func_t. Adjust this and remove the casts. There are no resulting binary output differences. This was found as a result of Clang's new -Wcast-function-type-strict flag, which is more sensitive than the simpler -Wcast-function-type, which only checks for type width mismatches.(CVE-2022-48994)
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
Syzbot reported a null-ptr-deref bug:
NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 3603 Comm: segctord Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0 fs/nilfs2/alloc.c:608
Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
Call Trace:
<TASK>
nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
...
If the DAT metadata file is corrupted on disk, there is a case where req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfs_dat_commit_alloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end(). If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free() without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and causes the NULL pointer dereference above in the nilfs_palloc_commit_free_entry() function, which leads to a crash. Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free(). This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations.(CVE-2022-49007)
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (coretemp) Check for null before removing sysfs attrs
If coretemp_add_core() gets an error then pdata->core_data[indx] is already NULL and has been kfreed. Don't pass that to sysfs_remove_group() as that will crash in sysfs_remove_group().
[Shortened for readability]
[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
<cpu offline>
[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
[91855.165103] #PF: supervisor read access in kernel mode
[91855.194506] #PF: error_code(0x0000) - not-present page
[91855.224445] PGD 0 P4D 0
[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
...
[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
...
[91855.796571] Call Trace:
[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]
[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]
[91855.871107] cpuhp_invoke_callback+0x105/0x4b0
[91855.893432] cpuhp_thread_fun+0x8e/0x150
...
Fix this by checking for NULL first.(CVE-2022-49010)
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
Smatch reports a warning as follows:
drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list
If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause UAF. Fix by removing it from driver_data.bmc_data before free().(CVE-2022-49029)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
Syzkaller reported BUG as follows:
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
__might_resched.cold+0x222/0x26b
kmem_cache_alloc+0x2e7/0x3c0
update_qgroup_limit_item+0xe1/0x390
btrfs_qgroup_inherit+0x147b/0x1ee0
create_subvol+0x4eb/0x1710
btrfs_mksubvol+0xfe5/0x13f0
__btrfs_ioctl_snap_create+0x2b0/0x430
btrfs_ioctl_snap_create_v2+0x25a/0x520
btrfs_ioctl+0x2a1c/0x5ce0
__x64_sys_ioctl+0x193/0x200
do_syscall_64+0x35/0x80
Fix this by calling qgroup_dirty() on @dst_qgroup, and update the limit item in btrfs_run_qgroups() later outside of the spinlock context.(CVE-2022-49033)
In the Linux kernel, the following vulnerability has been resolved:
media: pci: cx23885: check cx23885_vdev_init() return
cx23885_vdev_init() can return a NULL pointer, but that pointer is used in the next line without a check. Add a NULL pointer check and go to the error unwind if it is NULL.(CVE-2023-52918)
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
Handle memory allocation failure from nci_skb_alloc() (calling alloc_skb()) to avoid possible NULL pointer dereference.(CVE-2023-52919)
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: core: Prevent USB core invalid event buffer address access
This commit addresses an issue where the USB core could access an invalid event buffer address during runtime suspend, potentially causing SMMU faults and other memory issues on Exynos platforms. The problem arises from the following sequence.
1. In dwc3_gadget_suspend, there is a chance of a timeout when moving the USB core to the halt state after clearing the run/stop bit by software.
2. In dwc3_core_exit, the event buffer is cleared regardless of the USB core's status, which may lead to SMMU faults and other memory issues if the USB core tries to access the event buffer address.
To prevent this hardware quirk on Exynos platforms, this commit ensures that the event buffer address is not cleared by software when the USB core is active during runtime suspend by checking its status before clearing the buffer address.(CVE-2024-46675)
In the Linux kernel, the following vulnerability has been resolved:
gtp: fix a potential NULL pointer dereference
When sockfd_lookup() fails, gtp_encap_enable_socket() returns a NULL pointer, but its callers only check for error pointers thus miss the NULL pointer case.
Fix it by returning an error pointer with the error code carried from sockfd_lookup().
(I found this bug during code inspection.)(CVE-2024-46677)
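The mismatch the commit message above describes, as an added example that is not kernel code and not part of the advisory: a toy fd table and lookup in the shape of sockfd_lookup(), the kernel's ERR_PTR/IS_ERR/PTR_ERR encoding re-implemented under toy_* names, the pre-fix routine that returns NULL for one failure and an error pointer for another, the post-fix routine that always returns an error pointer, and a caller that, like the ones in the report, checks only for error pointers. All toy_* names, the sample fd table and the TOY_NULL_SLIPPED_THROUGH sentinel are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Same encoding the kernel uses: the top 4095 pointer values carry -errno. */
#define TOY_MAX_ERRNO 4095
static inline void *toy_err_ptr(long error) { return (void *)(intptr_t)error; }
static inline long toy_ptr_err(const void *p) { return (long)(intptr_t)p; }
static inline bool toy_is_err(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-TOY_MAX_ERRNO;
}

enum { TOY_SOCK_UDP = 1, TOY_SOCK_TCP = 2 };

struct toy_sock {
    int fd;
    int type;
};

/* Constructed fd table: fd 3 is a UDP socket, fd 4 is TCP; nothing else is open. */
static struct toy_sock toy_fds[] = { { 3, TOY_SOCK_UDP }, { 4, TOY_SOCK_TCP } };

/* Stands in for sockfd_lookup(): NULL when the fd is unknown, with *err set. */
static struct toy_sock *toy_sockfd_lookup(int fd, int *err)
{
    for (size_t i = 0; i < sizeof(toy_fds) / sizeof(toy_fds[0]); i++)
        if (toy_fds[i].fd == fd)
            return &toy_fds[i];
    *err = -EBADF;
    return NULL;
}

/* Before the fix: two failure encodings, NULL for a bad fd, ERR_PTR for a bad type. */
static struct toy_sock *toy_enable_socket_before(int fd)
{
    int err = 0;
    struct toy_sock *sock = toy_sockfd_lookup(fd, &err);

    if (!sock)
        return NULL;                 /* callers checking only IS_ERR() miss this */
    if (sock->type != TOY_SOCK_UDP)
        return toy_err_ptr(-EINVAL);
    return sock;
}

/* After the fix: every failure is an error pointer carrying the lookup's errno. */
static struct toy_sock *toy_enable_socket_after(int fd)
{
    int err = 0;
    struct toy_sock *sock = toy_sockfd_lookup(fd, &err);

    if (!sock)
        return toy_err_ptr(err);
    if (sock->type != TOY_SOCK_UDP)
        return toy_err_ptr(-EINVAL);
    return sock;
}

/* Sentinel returned where the real caller would have dereferenced NULL. */
#define TOY_NULL_SLIPPED_THROUGH (-1000)

/*
 * The caller as described in the commit message: it only checks for an
 * error pointer. Returns the socket's fd on success, the negative errno
 * when the check caught a failure, or TOY_NULL_SLIPPED_THROUGH when a NULL
 * got past the check (the point where the real caller would crash).
 */
static int toy_caller(struct toy_sock *(*enable)(int), int fd)
{
    struct toy_sock *sock = enable(fd);

    if (toy_is_err(sock))
        return (int)toy_ptr_err(sock);
    if (!sock)
        return TOY_NULL_SLIPPED_THROUGH;
    return sock->fd;
}
```

The rule this illustrates is that a function's failure encoding is part of its contract: a callee that returns error pointers on some paths must return them on every path, because IS_ERR() deliberately does not treat NULL as an error.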
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: single: fix potential NULL dereference in pcs_get_function()
pinmux_generic_get_function() can return NULL and the pointer 'function' was dereferenced without checking against NULL. Add checking of pointer 'function' in pcs_get_function().
Found by code review.(CVE-2024-46685)
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
Check the fb_channel_number range to avoid the array out-of-bounds read error.(CVE-2024-46724)
In the Linux kernel, the following vulnerability has been resolved:
of/irq: Prevent device address out-of-bounds read in interrupt map walk
When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node (from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg="func of_irq_parse* +p"):
OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0
OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2
OF: intspec=4
OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2
OF: -> addrsize=3
==================================================================
BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0
Read of size 4 at addr ffffff81beca5608 by task bash/764
CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokiasmarm64 #1
Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023
Call trace:
dump_backtrace+0xdc/0x130
show_stack+0x1c/0x30
dump_stack_lvl+0x6c/0x84
print_report+0x150/0x448
kasan_report+0x98/0x140
__asan_load4+0x78/0xa0
of_irq_parse_raw+0x2b8/0x8d0
of_irq_parse_one+0x24c/0x270
parse_interrupts+0xc0/0x120
of_fwnode_add_links+0x100/0x2d0
fw_devlink_parse_fwtree+0x64/0xc0
device_add+0xb38/0xc30
of_device_add+0x64/0x90
of_platform_device_create_pdata+0xd0/0x170
of_platform_bus_create+0x244/0x600
of_platform_notify+0x1b0/0x254
blocking_notifier_call_chain+0x9c/0xd0
__of_changeset_entry_notify+0x1b8/0x230
__of_changeset_apply_notify+0x54/0xe4
of_overlay_fdt_apply+0xc04/0xd94
...
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680)
The buggy address belongs to the physical page:
page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4
head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head|zone=2)
raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================
OF: -> got it !
Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.(CVE-2024-46743)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1). Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put().
BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5661 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
process_backlog+0x4ad/0xa50 net/core/dev.c:6108
__napi_poll+0xe7/0x980 net/core/dev.c:6772
napi_poll net/core/dev.c:6841 [inline]
net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
__do_softirq+0x14/0x1a kernel/softirq.c:588
do_softirq+0x9a/0x100 kernel/softirq.c:455
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
__dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
dev_queue_xmit include/linux/netdevice.h:3105 [inline]
neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
__tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
__inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
__sys_connect_file net/socket.c:2061 [inline]
__sys_connect+0x606/0x690 net/socket.c:2078
__do_sys_connect net/socket.c:2088 [inline]
__se_sys_connect net/socket.c:2085 [inline]
__x64_sys_connect+0x91/0xe0 net/socket.c:2085
x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core
---truncated---(CVE-2024-47685)
In the Linux kernel, the following vulnerability has been resolved:
drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error
Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue.
hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg
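The off-by-one boundary check the commit message above describes, as an added example that is not the driver's code and not part of the advisory: the pre-fix and post-fix range predicates side by side, a counter that shows which indices outside a 32-bit mask each predicate lets through, and a guarded set/clear on the mask that applies the corrected check before the shift. All toy_* names are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* dev->filters in the driver is a 32-bit value, so valid bit indices are 0..31. */
#define TOY_FILTER_BITS 32u

/* The check before the fix: rejects only index > 32, so 32 itself passes. */
static bool toy_index_ok_before(unsigned int index)
{
    return !(index > TOY_FILTER_BITS);
}

/* The check after the fix: rejects index >= 32. */
static bool toy_index_ok_after(unsigned int index)
{
    return !(index >= TOY_FILTER_BITS);
}

/*
 * Counts how many indices in 0..33 a given check accepts although they lie
 * outside the 32-bit mask. The pre-fix check accepts exactly one (32).
 */
static unsigned int toy_count_oob_accepted(bool (*ok)(unsigned int))
{
    unsigned int n = 0;

    for (unsigned int i = 0; i < TOY_FILTER_BITS + 2; i++)
        if (ok(i) && i >= TOY_FILTER_BITS)
            n++;
    return n;
}

/*
 * Guarded set/clear on the mask using the corrected check. Returns 0 on
 * success or -EINVAL for an out-of-range index, leaving the mask untouched.
 * A shift by 32 on a uint32_t is undefined behaviour in C, so the range
 * check has to come before the shift, not after it.
 */
static int toy_pid_filter_update(uint32_t *filters, unsigned int index, bool onoff)
{
    if (!toy_index_ok_after(index))
        return -EINVAL;
    if (onoff)
        *filters |= (uint32_t)1u << index;
    else
        *filters &= ~((uint32_t)1u << index);
    return 0;
}

/*
 * Convenience wrapper: start from an empty mask, try to set one bit and
 * return the resulting mask, or -1 when the index was rejected.
 */
static int64_t toy_try_set(unsigned int index)
{
    uint32_t mask = 0;

    if (toy_pid_filter_update(&mask, index, true) < 0)
        return -1;
    return (int64_t)mask;
}
```

Writing the bound as `index >= N` with N equal to the bit width keeps the check and the storage size tied to the same constant; a `> N` comparison against a width silently admits one index past the end, which is exactly the shape of this bug.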
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
syzbot reported a warning in bcm_release(). [0]
The blamed change fixed another warning that is triggered when connect() is issued again for a socket whose connect()ed device has been unregistered. However, if the socket is just close()d without the 2nd connect(), the remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry() in bcm_release(). Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
[0]
name '4986'
WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Modules linked in:
CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bcm_release+0x250/0x880 net/can/bcm.c:1578
__sock_release net/socket.c:659 [inline]
sock_close+0xbc/0x240 net/socket.c:1421
__fput+0x24a/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xa2f/0x27f0 kernel/exit.c:882
do_group_exit+0x207/0x2c0 kernel/exit.c:1031
__do_sys_exit_group kernel/exit.c:1042 [inline]
__se_sys_exit_group kernel/exit.c:1040 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcfb51ee969
Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
</TASK>(CVE-2024-47709)
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix race between timeout and normal completion
If a request timeout is handled by nbd_requeue_cmd(), normal completion has to be stopped to avoid completing this requeued request, otherwise a use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue.(CVE-2024-49855)
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix index out of bounds in degamma hardware format translation
Fixes index out of bounds issue in cm_helper_translate_curve_to_degamma_hw_format function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-49894)
In the Linux kernel, the following vulnerability has been resolved:
jfs: Fix uninit-value access of new_ea in ea_buffer
syzbot reports that lzo1x_1_do_compress is using uninit-value:
=====================================================
BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
...
Uninit was stored to memory at:
ea_put fs/jfs/xattr.c:639 [inline]
...
Local variable ea_buf created at:
__jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
__jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
=====================================================
The reason is ea_buf->new_ea is not initialized properly. Fix this by using memset to empty its content at the beginning in ea_get().(CVE-2024-49900)
In the Linux kernel, the following vulnerability has been resolved:
jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
In jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail() to recover some journal space. But if an error occurs while executing jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free space right away, we try other branches, and if j_committing_transaction is NULL (i.e., the tid is 0), we will get the following complaint:
============================================
JBD2: I/O error when updating journal superblock for sdd-8.
__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
------------[ cut here ]------------
WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
Modules linked in:
CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
Call Trace:
<TASK>
add_transaction_credits+0x5d1/0x5e0
start_this_handle+0x1ef/0x6a0
jbd2__journal_start+0x18b/0x340
ext4_dirty_inode+0x5d/0xb0
__mark_inode_dirty+0xe4/0x5d0
generic_update_time+0x60/0x70
[...]
============================================
So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to clean up at the moment, continue to try to reclaim free space in other ways. Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt when updating journal superblock fails") to make jbd2_cleanup_journal_tail return the correct error code.(CVE-2024-49959)
In the Linux kernel, the following vulnerability has been resolved:
net: do not delay dst_entries_add() in dst_release()
dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy().
Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy().
dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already.
Decrementing the number of dsts must happen sooner.
Notes:
1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this.
2) There is also discussion about removing this count of dst, which might happen in future kernels.(CVE-2024-50036)
{ "severity": "Critical" }
{ "aarch64": [ "bpftool-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "bpftool-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-debugsource-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-devel-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-source-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-tools-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-tools-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "kernel-tools-devel-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "perf-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "perf-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "python2-perf-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "python2-perf-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "python3-perf-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm", "python3-perf-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.aarch64.rpm" ], "x86_64": [ "bpftool-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "bpftool-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-debugsource-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-devel-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-source-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-tools-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-tools-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "kernel-tools-devel-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "perf-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "perf-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "python2-perf-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "python2-perf-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", "python3-perf-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm", 
"python3-perf-debuginfo-4.19.90-2411.1.0.0301.oe2003sp4.x86_64.rpm" ], "src": [ "kernel-4.19.90-2411.1.0.0301.oe2003sp4.src.rpm" ] }