CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46701 – libfs: fix infinite directory reads for offset dir
https://notcve.org/view.php?id=CVE-2024-46701
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: libfs: fix infinite directory reads for offset dir After we switch tmpfs dir operations from simple_dir_operations to simple_offset_dir_operations, every rename happened will fill new dentry to dest dir's maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free key starting with octx->newx_offset, and then set newx_offset equals to free key + 1. This will lead to infinite readdir combine with rename happened at the same time, which fail gen... • https://git.kernel.org/stable/c/a2e459555c5f9da3e619b7e47a63f98574dc75f1 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46698 – video/aperture: optionally match the device in sysfb_disable()
https://notcve.org/view.php?id=CVE-2024-46698
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: video/aperture: optionally match the device in sysfb_disable() In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the pimary device is not VGA compatible: 1. A PCI device with a non-VGA class is the boot display 2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by apert... • https://git.kernel.org/stable/c/5ae3716cfdcd286268133867f67d0803847acefc •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46697 – nfsd: ensure that nfsd4_fattr_args.context is zeroed out
https://notcve.org/view.php?id=CVE-2024-46697
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: nfsd: ensure that nfsd4_fattr_args.context is zeroed out If nfsd4_encode_fattr4 ends up doing a "goto out" before we get to checking for the security label, then args.context will be set to uninitialized junk on the stack, which we'll then try to free. Initialize it early. In the Linux kernel, the following vulnerability has been resolved: nfsd: ensure that nfsd4_fattr_args.context is zeroed out If nfsd4_encode_fattr4 ends up doing a "goto ... • https://git.kernel.org/stable/c/f59388a579c6a395de8f7372b267d3abecd8d6bf • CWE-457: Use of Uninitialized Variable •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46696 – nfsd: fix potential UAF in nfsd4_cb_getattr_release
https://notcve.org/view.php?id=CVE-2024-46696
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: nfsd: fix potential UAF in nfsd4_cb_getattr_release Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last. In the Linux kernel, the following vulnerability has been resolved: nfsd: fix potential UAF in nfsd4_cb_getattr_release Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last. • https://git.kernel.org/stable/c/c5967721e1063648b0506481585ba7e2e49a075e •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-46695 – selinux,smack: don't bypass permissions check in inode_setsecctx hook
https://notcve.org/view.php?id=CVE-2024-46695
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don't bypass permissions check in inode_setsecctx hook Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the... • https://git.kernel.org/stable/c/2dbc4b7bac60b02cc6e70d05bf6a7dfd551f9dda • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46694 – drm/amd/display: avoid using null object of framebuffer
https://notcve.org/view.php?id=CVE-2024-46694
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. (cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3) In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid using null object of framebuffer Inste... • https://git.kernel.org/stable/c/5d945cbcd4b16a29d6470a80dfb19738f9a4319f •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46693 – soc: qcom: pmic_glink: Fix race during initialization
https://notcve.org/view.php?id=CVE-2024-46693
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink: Fix race during initialization As pointed out by Stephen Boyd it is possible that during initialization of the pmic_glink child drivers, the protection-domain notifiers fires, and the associated work is scheduled, before the client registration returns and as a result the local "client" pointer has been initialized. The outcome of this is a NULL pointer dereference as the "client" pointer is blindly dereferenced. Time... • https://git.kernel.org/stable/c/58ef4ece1e41ac525db3e79529909683325d85df •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46692 – firmware: qcom: scm: Mark get_wq_ctx() as atomic call
https://notcve.org/view.php?id=CVE-2024-46692
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: scm: Mark get_wq_ctx() as atomic call Currently get_wq_ctx() is wrongly configured as a standard call. When two SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to resume the corresponding sleeping thread. But if get_wq_ctx() is interrupted, goes to sleep and another SMC call is waiting to be allocated a waitq context, it leads to a deadlock. To avoid this get_wq_ctx() must be an atomic call and can't be a ... • https://git.kernel.org/stable/c/6bf32599223634294cdc6efb359ffaab1d68073c •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-46691 – usb: typec: ucsi: Move unregister out of atomic section
https://notcve.org/view.php?id=CVE-2024-46691
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")' moved the pmic_glink client list under a spinlock, as it is accessed by the rpmsg/glink callback, which in turn is invoked from IRQ context. This means that ucsi_unregister() is now called from atomic context, which isn't feasible as it's expecting a sleepable context. An effort is under way to get GLINK to ... • https://git.kernel.org/stable/c/9329933699b32d467a99befa20415c4b2172389a •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46690 – nfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease
https://notcve.org/view.php?id=CVE-2024-46690
13 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease It is not safe to dereference fl->c.flc_owner without first confirming fl->fl_lmops is the expected manager. nfsd4_deleg_getattr_conflict() tests fl_lmops but largely ignores the result and assumes that flc_owner is an nfs4_delegation anyway. This is wrong. With this patch we restore the "!= &nfsd_lease_mng_ops" case to behave as it did before the change mentioned below... • https://git.kernel.org/stable/c/c5967721e1063648b0506481585ba7e2e49a075e •