CVE-2024-43831 – media: mediatek: vcodec: Handle invalid decoder vsi
https://notcve.org/view.php?id=CVE-2024-43831
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Handle invalid decoder vsi Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi is valid for future use. • https://git.kernel.org/stable/c/590577a4e5257ac3ed72999a94666ad6ba8f24bc https://git.kernel.org/stable/c/1c109f23b271a02b9bb195c173fab41e3285a8db https://git.kernel.org/stable/c/cdf05ae76198c513836bde4eb55f099c44773280 https://git.kernel.org/stable/c/59d438f8e02ca641c58d77e1feffa000ff809e9f •
CVE-2024-43830 – leds: trigger: Unregister sysfs attributes before calling deactivate()
https://notcve.org/view.php?id=CVE-2024-43830
In the Linux kernel, the following vulnerability has been resolved: leds: trigger: Unregister sysfs attributes before calling deactivate() Triggers which have trigger specific sysfs attributes typically store related data in trigger-data allocated by the activate() callback and freed by the deactivate() callback. Calling device_remove_groups() after calling deactivate() leaves a window where the sysfs attributes show/store functions could be called after deactivation and then operate on the just freed trigger-data. Move the device_remove_groups() call to before deactivate() to close this race window. This also makes the deactivation path properly do things in reverse order of the activation path which calls the activate() callback before calling device_add_groups(). • https://git.kernel.org/stable/c/a7e7a3156300a7e1982b03cc9cb8fb0c86434c49 https://git.kernel.org/stable/c/c3b7a650c8717aa89df318364609c86cbc040156 https://git.kernel.org/stable/c/d1415125b701ef13370e2761f691ec632a5eb93a https://git.kernel.org/stable/c/09c1583f0e10c918855d6e7540a79461a353e5d6 https://git.kernel.org/stable/c/3fb6a9d67cfd812a547ac73ec02e1077c26c640d https://git.kernel.org/stable/c/734ba6437e80dfc780e9ee9d95f912392d12b5ea https://git.kernel.org/stable/c/cb8aa9d2a4c8a15d6a43ccf901ef3d094aa60374 https://git.kernel.org/stable/c/0788a6f3523d3686a9eed5ea1e6fcce68 • CWE-416: Use After Free •
CVE-2024-43829 – drm/qxl: Add check for drm_cvt_mode
https://notcve.org/view.php?id=CVE-2024-43829
In the Linux kernel, the following vulnerability has been resolved: drm/qxl: Add check for drm_cvt_mode Add check for the return value of drm_cvt_mode() and return the error if it fails in order to avoid NULL pointer dereference. • https://git.kernel.org/stable/c/1b043677d4be206c96b51811855502e50057f343 https://git.kernel.org/stable/c/62ef8d7816c8e4a6088275553818b9afc0ffaa03 https://git.kernel.org/stable/c/4e87f592a46bb804d8f833da6ce702ae4b55053f https://git.kernel.org/stable/c/3efe34f95b1ac8c138a46b14ce75956db0d6ee7c https://git.kernel.org/stable/c/f28b353c0c6c7831a70ccca881bf2db5e6785cdd https://git.kernel.org/stable/c/4b1f303bdeceac049e56e4b20eb5280bd9e02f4f https://git.kernel.org/stable/c/d4c57354a06cb4a77998ff8aa40af89eee30e07b https://git.kernel.org/stable/c/7bd09a2db0f617377027a2bb0b9179e69 •
CVE-2024-43819 – kvm: s390: Reject memory region operations for ucontrol VMs
https://notcve.org/view.php?id=CVE-2024-43819
In the Linux kernel, the following vulnerability has been resolved: kvm: s390: Reject memory region operations for ucontrol VMs This change rejects the KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM. This is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and would thus result in a null pointer dereference further in. Memory management needs to be performed in userspace and using the ioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP. Also improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2. [frankja@linux.ibm.com: commit message spelling fix, subject prefix fix] • https://git.kernel.org/stable/c/27e0393f15fc8bc855c6a888387ff5ffd2181089 https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6 https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499 •
CVE-2024-43817 – net: missing check virtio
https://notcve.org/view.php?id=CVE-2024-43817
In the Linux kernel, the following vulnerability has been resolved: net: missing check virtio Two missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again 1. After the skb_segment function the buffer may become non-linear (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere the __skb_linearize function will not be executed, then the buffer will remain non-linear. Then the condition (offset >= skb_headlen(skb)) becomes true, which causes WARN_ON_ONCE in skb_checksum_help. 2. The struct sk_buff and struct virtio_net_hdr members must be mathematically related. (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) may be 0 if division is without remainder. offset+2 (4191) > skb_headlen() (1116) WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303 Modules linked in: CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303 Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209 RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001 RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d FS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777 ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584 ip_finish_output_gso net/ipv4/ip_output.c:286 [inline] __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:451 [inline] ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline] sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3545 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Found by Linux Verification Center (linuxtesting.org) with Syzkaller • https://git.kernel.org/stable/c/0f6925b3e8da0dbbb52447ca8a8b42b371aac7db https://git.kernel.org/stable/c/2789bc090f4a2caef0cceb3f108867de608bb23a https://git.kernel.org/stable/c/16851e34b621bc7e652c508bb28c47948fb86958 https://git.kernel.org/stable/c/a05fb4ac72fb2ddbdcb135c87b0087ac59fa4de4 https://git.kernel.org/stable/c/a36703d08c83b1488a2f2922f0dc4263125ccd2d https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775 https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b3 • CWE-130: Improper Handling of Length Parameter Inconsistency •