CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-38581 – drm/amdgpu/mes: fix use-after-free issue
https://notcve.org/view.php?id=CVE-2024-38581
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/mes: fix use-after-free issue Delete fence fallback timer to fix the ramdom use-after-free issue. v2: move to amdgpu_mes.c En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amdgpu/mes: soluciona el problema de use-after-free. Elimina el temporizador de reserva de valla para solucionar el problema de use-after-free. v2: pasar a amdgpu_mes.c A flaw was found in the Linux kernel. This issue is due to a possible use-after-free in drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c. • https://git.kernel.org/stable/c/70b1bf6d9edc8692d241f59a65f073aec6d501de https://git.kernel.org/stable/c/39cfce75168c11421d70b8c0c65f6133edccb82a https://git.kernel.org/stable/c/0f98c144c15c8fc0f3176c994bd4e727ef718a5c https://git.kernel.org/stable/c/948255282074d9367e01908b3f5dcf8c10fc9c3d https://access.redhat.com/security/cve/CVE-2024-38581 https://bugzilla.redhat.com/show_bug.cgi?id=2293408 •
CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-38580 – epoll: be better about file lifetimes
https://notcve.org/view.php?id=CVE-2024-38580
In the Linux kernel, the following vulnerability has been resolved: epoll: be better about file lifetimes epoll can call out to vfs_poll() with a file pointer that may race with the last 'fput()'. That would make f_count go down to zero, and while the ep->mtx locking means that the resulting file pointer tear-down will be blocked until the poll returns, it means that f_count is already dead, and any use of it won't actually get a reference to the file any more: it's dead regardless. Make sure we have a valid ref on the file pointer before we call down to vfs_poll() from the epoll routines. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: epoll: mejore la duración de los archivos epoll puede llamar a vfs_poll() con un puntero de archivo que puede competir con el último 'fput()'. Eso haría que f_count bajara a cero, y aunque el bloqueo ep->mtx significa que el desmontaje del puntero del archivo resultante se bloqueará hasta que regrese la encuesta, significa que f_count ya está muerto y no se podrá utilizar. De hecho, ya no obtengo una referencia al archivo: está muerto de todos modos. • https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784 https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2 https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b https://access.redhat.com/security/cve/CVE-2024-38580 https://bugzilla.redhat.com/show_bug.cgi?id=2293412 •
CVSS: 4.4EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38579 – crypto: bcm - Fix pointer arithmetic
https://notcve.org/view.php?id=CVE-2024-38579
In the Linux kernel, the following vulnerability has been resolved: crypto: bcm - Fix pointer arithmetic In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: bcm - Arreglar la aritmética de punteros En spu2_dump_omd() el valor de ptr aumenta en ciph_key_len en lugar de hash_iv_len, lo que podría llevar a ir más allá de los límites del búfer. Corrija este error cambiando ciph_key_len a hash_iv_len. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/9d12ba86f818aa9cfe9f01b750336aa441f2ffa2 https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434 https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6 https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0 https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b34 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38578 – ecryptfs: Fix buffer size for tag 66 packet
https://notcve.org/view.php?id=CVE-2024-38578
In the Linux kernel, the following vulnerability has been resolved: ecryptfs: Fix buffer size for tag 66 packet The 'TAG 66 Packet Format' description is missing the cipher code and checksum fields that are packed into the message packet. As a result, the buffer allocated for the packet is 3 bytes too small and write_tag_66_packet() will write up to 3 bytes past the end of the buffer. Fix this by increasing the size of the allocation so the whole packet will always fit in the buffer. This fixes the below kasan slab-out-of-bounds bug: BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 Write of size 1 at addr ffff88800afbb2a5 by task touch/181 CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4c/0x70 print_report+0xc5/0x610 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? kasan_complete_mode_report_info+0x44/0x210 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 kasan_report+0xc2/0x110 ? • https://git.kernel.org/stable/c/dddfa461fc8951f9b5f951c13565b6cac678635a https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1 https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1 https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93 https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910 https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894 •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-38570 – gfs2: Fix potential glock use-after-free on unmount
https://notcve.org/view.php?id=CVE-2024-38570
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: gfs2: soluciona el posible use-after-free de glock al desmontar Cuando se libera un espacio de bloqueo de DLM y todavía hay bloqueos en ese espacio de bloqueo, DLM desbloqueará esos bloqueos automáticamente. El commit fb6791d100d1b comenzó a explotar este comportamiento para acelerar el desmontaje del sistema de archivos: gfs2 simplemente liberaría las glocks que no quería desbloquear y luego liberaría el espacio de bloqueo. • https://git.kernel.org/stable/c/fb6791d100d1bba20b5cdbc4912e1f7086ec60f8 https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37 https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0 https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73 https://access.redhat.com/security/cve/CVE-2024-38570 https://bugzilla.redhat.com/show_bug.cgi?id=2293423 • CWE-416: Use After Free •