CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47716 – ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros
https://notcve.org/view.php?id=CVE-2024-47716
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP instruction in kernel mode FPEXC == 0xc0000780 Internal error: Oops - undefined instruction: 0 [#1] ARM CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1 Hardware name: BCM2835 PC is at vfp_support_entry+0xc8/0x2cc LR is at do_undefinstr+0xa8/0x250 pc : [
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47715 – wifi: mt76: mt7915: fix oops on non-dbdc mt7986
https://notcve.org/view.php?id=CVE-2024-47715
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix oops on non-dbdc mt7986 mt7915_band_config() sets band_idx = 1 on the main phy for mt7986 with MT7975_ONE_ADIE or MT7976_ONE_ADIE. Commit 0335c034e726 ("wifi: mt76: fix race condition related to checking tx queue fill status") introduced a dereference of the phys array indirectly indexed by band_idx via wcid->phy_idx in mt76_wcid_cleanup(). This caused the following Oops on affected mt7986 devices: Unable to handle k... • https://git.kernel.org/stable/c/d2defcddfe90b3be0cfccc2482495ab1fb759586 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47714 – wifi: mt76: mt7996: use hweight16 to get correct tx antenna
https://notcve.org/view.php?id=CVE-2024-47714
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: use hweight16 to get correct tx antenna The chainmask is u16 so using hweight8 cannot get correct tx_ant. Without this patch, the tx_ant of band 2 would be -1 and lead to the following issue: BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e] In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: use hweight16 to get correct tx antenna The chainmask is u16 so us... • https://git.kernel.org/stable/c/98686cd21624c75a043e96812beadddf4f6f48e5 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-47713 – wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
https://notcve.org/view.php?id=CVE-2024-47713
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Since '__dev_queue_xmit()' should be called with interrupts enabled, the following backtrace: ieee80211_do_stop() ... spin_lock_irqsave(&local->queue_stop_reason_lock, flags) ... ieee80211_free_txskb() ieee80211_report_used_skb() ieee80211_report_ack_skb() cfg80211_mgmt_tx_status_ext() nl80211_frame_tx_status() genlmsg_multicast_netns() genlmsg_multicast_netns_filtered() n... • https://git.kernel.org/stable/c/5061b0c2b9066de426fbc63f1278d2210e789412 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2024-47712 – wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param
https://notcve.org/view.php?id=CVE-2024-47712
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param In the `wilc_parse_join_bss_param` function, the TSF field of the `ies` structure is accessed after the RCU read-side critical section is unlocked. According to RCU usage rules, this is illegal. Reusing this pointer can lead to unpredictable behavior, including accessing memory that has been updated or causing use-after-free issues. This possible bug was identi... • https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-47711 – af_unix: Don't return OOB skb in manage_oob().
https://notcve.org/view.php?id=CVE-2024-47711
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't return OOB skb in manage_oob(). syzbot reported use-after-free in unix_stream_recv_urg(). [0] The scenario is 1. send(MSG_OOB) 2. recv(MSG_OOB) -> The consumed OOB remains in recv queue 3. send(MSG_OOB) 4. recv() -> manage_oob() returns the next skb of the consumed OOB -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared 5. recv(MSG_OOB) -> unix_sk(sk)->oob_skb is used but already freed The recent commit 8594d9b85c07 ... • https://git.kernel.org/stable/c/93c99f21db360957d49853e5666b5c147f593bda •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-47710 – sock_map: Add a cond_resched() in sock_hash_free()
https://notcve.org/view.php?id=CVE-2024-47710
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: sock_map: Add a cond_resched() in sock_hash_free() Several syzbot soft lockup reports all have in common sock_hash_free() If a map with a large number of buckets is destroyed, we need to yield the cpu when needed. In the Linux kernel, the following vulnerability has been resolved: sock_map: Add a cond_resched() in sock_hash_free() Several syzbot soft lockup reports all have in common sock_hash_free() If a map with a large number of buckets ... • https://git.kernel.org/stable/c/5bed77b0a2a0e6b6bc0ae8e851cafb38ef0374df •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-47709 – can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
https://notcve.org/view.php?id=CVE-2024-47709
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). syzbot reported a warning in bcm_release(). [0] The blamed change fixed another warning that is triggered when connect() is issued again for a socket whose connect()ed device has been unregistered. However, if the socket is just close()d without the 2nd connect(), the remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry() in bcm_release(). Let's clear bo->bcm_proc_re... • https://git.kernel.org/stable/c/5c680022c4e28ba18ea500f3e29f0428271afa92 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-47708 – netkit: Assign missing bpf_net_context
https://notcve.org/view.php?id=CVE-2024-47708
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: netkit: Assign missing bpf_net_context During the introduction of struct bpf_net_context handling for XDP-redirect, the netkit driver has been missed, which also requires it because NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the per-CPU variables. Otherwise we see the following crash: BUG: kernel NULL pointer dereference, address: 0000000000000038 bpf_redirect() netkit_xmit() dev_hard_start_xmit() Set the bpf_net_context b... • https://git.kernel.org/stable/c/401cb7dae8130fd34eb84648e02ab4c506df7d5e •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-47707 – ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
https://notcve.org/view.php?id=CVE-2024-47707
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Blamed commit accidentally removed a check for rt->rt6i_idev being NULL, as spotted by syzbot: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g6254031777... • https://git.kernel.org/stable/c/e332bc67cf5e5e5b71a1aec9750d0791aac65183 •