CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38549 – drm/mediatek: Add 0 size check to mtk_drm_gem_obj
https://notcve.org/view.php?id=CVE-2024-38549
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add 0 size check to mtk_drm_gem_obj Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object of 0 bytes. Currently, no such check exists and the kernel will panic if a userspace application attempts to allocate a 0x0 GBM buffer. Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and verifying that we now return EINVAL. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm/mediatek: Agregar verificación de tamaño 0 a mtk_drm_gem_obj Agregar una verificación a mtk_drm_gem_init si intentamos asignar un objeto GEM de 0 bytes. Actualmente, no existe tal verificación y el kernel entrará en pánico si una aplicación de espacio de usuario intenta asignar un búfer GBM 0x0. Probado intentando asignar un búfer GBM 0x0 en un MT8188 y verificando que ahora devolvemos EINVAL. • https://git.kernel.org/stable/c/119f5173628aa7a0c3cf9db83460d40709e8241d https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364 https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67 https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350 https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4 https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05 https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594 https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-38545 – RDMA/hns: Fix UAF for cq async event
https://notcve.org/view.php?id=CVE-2024-38545
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/hns: corrige UAF para el evento cq async El recuento de CQ no está protegido por bloqueos. Cuando los eventos asincrónicos de CQ y la destrucción de CQ son simultáneos, es posible que se haya liberado CQ, lo que provocará UAF. Utilice xa_lock() para proteger el recuento de CQ. • https://git.kernel.org/stable/c/9a4435375cd151e07c0c38fa601b00115986091b https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08 https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911 https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507 https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-38538 – net: bridge: xmit: make sure we have at least eth header len bytes
https://notcve.org/view.php?id=CVE-2024-38538
In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: bridge: xmit: asegúrese de tener al menos el encabezado eth len bytes syzbot desencadenó un error de valor uninit[1] en la ruta xmit del dispositivo puente al enviar un mensaje corto (menos de ETH_HLEN bytes) skb. Para solucionarlo, compruebe si realmente podemos retirar esa cantidad en lugar de suponerla. Probado con dropwatch: soltar en: br_dev_xmit+0xb93/0x12d0 [puente] (0xffffffffc06739b3) origen: marca de tiempo del software: lunes 13 de mayo 11:31:53 2024 778214037 protocolo nsec: 0x88a8 longitud: 2 longitud original: 2 motivo de caída: PKT_TOO_SMALL [1 ] ERROR: KMSAN: valor uninit en br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [en línea] netdev_start_xmit include/linux/netdevice.h:4917 [en línea] xmit_one net/core/dev.c:3531 [en línea] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev .c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [en línea] __bpf_tx_skb net/core/filter.c:2136 [en línea] __bpf_redirect_common net/core/filter.c:2180 [en línea] __bpf_redirect+0x14a6/0x1620 net/ Core/Filter.C: 2187 ____BPF_CLONE_REDIRECT NET/CORE/FILTRO.C: 2460 [Inline] BPF_CLONE_REDIRECT+0x328/0x470 NET/Core/Filter.c: 2432 ___ BPF_PROG_RUN+0X13FE/0XE0F0 KERNEL/BPF/BPF/CORE. 0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [en línea] __bpf_prog_run include/linux/filter.h:657 [en línea] bpf_prog_run include/linux/filter.h:664 [en línea ] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 pf+0x6aa/0xd90 núcleo/ bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [en línea] __se_sys_bpf kernel/bpf/syscall.c:5765 [en línea] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 ys_call+0x96b /0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+ 0x77/0x7f • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2 https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5 https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2 https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc https://access.redhat.com/security/cve/CVE-2024-38538 https://bugzilla.redhat.com/show_bug.cgi?id=2293461 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36971 – Android Kernel Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-36971
In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: fix __dst_negative_advice() race __dst_negative_advice() no aplica las reglas adecuadas de RCU cuando se debe borrar sk->dst_cache, lo que genera una posible UAF. Las reglas de RCU son que primero debemos borrar sk->sk_dst_cache y luego llamar a dst_release(old_dst). Tenga en cuenta que sk_dst_reset(sk) implementa este protocolo correctamente, mientras que __dst_negative_advice() utiliza el orden incorrecto. Dado que ip6_negative_advice() tiene una lógica especial contra RTF_CACHE, esto significa que cada uno de los tres ->negative_advice() métodos existentes debe realizar sk_dst_reset() ellos mismos. • https://git.kernel.org/stable/c/a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314 https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13 https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72 https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6 https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4 https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508 https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36969 – drm/amd/display: Fix division by zero in setup_dsc_config
https://notcve.org/view.php?id=CVE-2024-36969
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix division by zero in setup_dsc_config When slice_height is 0, the division by slice_height in the calculation of the number of slices will cause a division by zero driver crash. This leaves the kernel in a state that requires a reboot. This patch adds a check to avoid the division by zero. The stack trace below is for the 6.8.4 Kernel. I reproduced the issue on a Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor connected via Thunderbolt. The amdgpu driver crashed with this exception when I rebooted the system with the monitor connected. kernel: ? • https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445 https://git.kernel.org/stable/c/91402e0e5de9124a3108db7a14163fcf9a6d322f https://git.kernel.org/stable/c/7e4f50dfc98c49b3dc6875a35c3112522fb25639 https://git.kernel.org/stable/c/f187fcbbb8f8bf10c6687f0beae22509369f7563 https://git.kernel.org/stable/c/308de6be0c9c7ba36915c0d398e771725c0ea911 https://git.kernel.org/stable/c/130afc8a886183a94cf6eab7d24f300014ff87ba • CWE-369: Divide By Zero •