CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38549 – drm/mediatek: Add 0 size check to mtk_drm_gem_obj
https://notcve.org/view.php?id=CVE-2024-38549
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add 0 size check to mtk_drm_gem_obj Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object of 0 bytes. Currently, no such check exists and the kernel will panic if a userspace application attempts to allocate a 0x0 GBM buffer. Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and verifying that we now return EINVAL. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm/mediatek: Agregar verificación de tamaño 0 a mtk_drm_gem_obj Agregar una verificación a mtk_drm_gem_init si intentamos asignar un objeto GEM de 0 bytes. Actualmente, no existe tal verificación y el kernel entrará en pánico si una aplicación de espacio de usuario intenta asignar un búfer GBM 0x0. Probado intentando asignar un búfer GBM 0x0 en un MT8188 y verificando que ahora devolvemos EINVAL. • https://git.kernel.org/stable/c/119f5173628aa7a0c3cf9db83460d40709e8241d https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364 https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67 https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350 https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4 https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05 https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594 https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-38547 – media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries
https://notcve.org/view.php?id=CVE-2024-38547
In the Linux kernel, the following vulnerability has been resolved: media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries The allocation failure of mycs->yuv_scaler_binary in load_video_binaries() is followed with a dereference of mycs->yuv_scaler_binary after the following call chain: sh_css_pipe_load_binaries() |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) | |-> sh_css_pipe_unload_binaries() |-> unload_video_binaries() In unload_video_binaries(), it calls to ia_css_binary_unload with argument &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer dereference is triggered. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: media: atomisp: ssh_css: corrige una desreferencia de puntero nulo en load_video_binaries La falla de asignación de mycs->yuv_scaler_binary en load_video_binaries() va seguida de una desreferencia de mycs->yuv_scaler_binary después de siguiente cadena de llamadas: sh_css_pipe_load_binaries() |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) | |-> sh_css_pipe_unload_binaries() |-> unload_video_binaries() En unload_video_binaries(), llama a ia_css_binary_unload con el argumento &pipe->pipe_settings.video.yuv_scaler_binary[i], que se refiere a la misma ranura de memoria que mycs->yuv_scaler_binary. Por lo tanto, se activa una desreferencia de puntero nulo. • https://git.kernel.org/stable/c/a49d25364dfb9f8a64037488a39ab1f56c5fa419 https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80 https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272 https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35 https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069 https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0 https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b8148 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-38546 – drm: vc4: Fix possible null pointer dereference
https://notcve.org/view.php?id=CVE-2024-38546
In the Linux kernel, the following vulnerability has been resolved: drm: vc4: Fix possible null pointer dereference In vc4_hdmi_audio_init() of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm: vc4: corrige posible desreferencia del puntero nulo En vc4_hdmi_audio_init() of_get_address() puede devolver NULL, que luego se desreferencia. Corrija este error agregando una verificación NULL. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/bb7d78568814a31a11fa14f1479a9fe51f1582ad https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96 https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49 https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5 https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31 https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21 https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-38545 – RDMA/hns: Fix UAF for cq async event
https://notcve.org/view.php?id=CVE-2024-38545
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/hns: corrige UAF para el evento cq async El recuento de CQ no está protegido por bloqueos. Cuando los eventos asincrónicos de CQ y la destrucción de CQ son simultáneos, es posible que se haya liberado CQ, lo que provocará UAF. Utilice xa_lock() para proteger el recuento de CQ. • https://git.kernel.org/stable/c/9a4435375cd151e07c0c38fa601b00115986091b https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08 https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911 https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507 https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42 •
CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-38544 – RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt
https://notcve.org/view.php?id=CVE-2024-38544
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the resp_pkts queue and then a decision is made whether to run the completer task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' performance counter. This is wrong because if the completer task is already running in a separate thread it may have already processed the skb and freed it which can cause a seg fault. This has been observed infrequently in testing at high scale. This patch fixes this by changing the order of enqueuing the packet until after the counter is accessed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/rxe: corrige la falla de segmentación en rxe_comp_queue_pkt En rxe_comp_queue_pkt(), un paquete de respuesta entrante skb se pone en cola en la cola resp_pkts y luego se toma una decisión si se ejecuta la tarea de finalización en línea o programarla. • https://git.kernel.org/stable/c/0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19 https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794 https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6 https://access.redhat.com/security/cve/CVE-2024-38544 https://bugzilla.redhat.com/show_bug.cgi?id=2293455 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •