CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50117 – drm/amd: Guard against bad data for ATIF ACPI method
https://notcve.org/view.php?id=CVE-2024-50117
In the Linux kernel, the following vulnerability has been resolved: drm/amd: Guard against bad data for ATIF ACPI method If a BIOS provides bad data in response to an ATIF method call this causes a NULL pointer dereference in the caller. ``` ? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1)) ? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434) ? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2)) ? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1)) ? • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 https://git.kernel.org/stable/c/6032287747f874b52dc8b9d7490e2799736e035f https://git.kernel.org/stable/c/cd67af3c1762de4c2483ae4dbdd98f9ea8fa56e3 https://git.kernel.org/stable/c/975ede2a7bec52b5da1428829b3439667c8a234b https://git.kernel.org/stable/c/1d7175f9c57b1abf9ecfbdfd53ea760761f52ffe https://git.kernel.org/stable/c/bf58f03931fdcf7b3c45cb76ac13244477a60f44 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50116 – nilfs2: fix kernel bug due to missing clearing of buffer delay flag
https://notcve.org/view.php?id=CVE-2024-50116
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix kernel bug due to missing clearing of buffer delay flag Syzbot reported that after nilfs2 reads a corrupted file system image and degrades to read-only, the BUG_ON check for the buffer delay flag in submit_bh_wbc() may fail, causing a kernel bug. This is because the buffer delay flag is not cleared when clearing the buffer state flags to discard a page/folio or a buffer head. So, fix this. This became necessary when the use of nilfs2's own page clear routine was expanded. This state inconsistency does not occur if the buffer is written normally by log writing. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: se corrige un error del kernel debido a la falta de limpieza del indicador de retraso del búfer Syzbot informó que después de que nilfs2 lee una imagen de sistema de archivos corrupta y se degrada a solo lectura, la comprobación BUG_ON para el indicador de retraso del búfer en submission_bh_wbc() puede fallar, lo que provoca un error del kernel. Esto se debe a que el indicador de retraso del búfer no se borra al borrar los indicadores de estado del búfer para descartar una página/folio o un encabezado de búfer. • https://git.kernel.org/stable/c/8c26c4e2694a163d525976e804d81cd955bbb40c https://git.kernel.org/stable/c/822203f6355f4b322d21e7115419f6b98284be25 https://git.kernel.org/stable/c/27524f65621f490184f2ace44cd8e5f3685af4a3 https://git.kernel.org/stable/c/743c78d455e784097011ea958b27396001181567 https://git.kernel.org/stable/c/c6f58ff2d4c552927fe9a187774e668ebba6c7aa https://git.kernel.org/stable/c/6ed469df0bfbef3e4b44fca954a781919db9f7ab •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50115 – KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory
https://notcve.org/view.php?id=CVE-2024-50115
In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: nSVM: Ignorar nCR3[4:0] al cargar PDPTE desde la memoria Ignorar nCR3[4:0] al cargar PDPTE desde la memoria para SVM anidado, ya que los bits 4:0 de CR3 se ignoran cuando se utiliza la paginación PAE y, por lo tanto, VMRUN no aplica la alineación de 32 bytes de nCR3. En el peor de los casos, no ignorar los bits 4:0 puede dar como resultado una lectura fuera de los límites, por ejemplo, si la página de destino está al final de un memslot y el VMM no está utilizando páginas de protección. Según el APM: El registro CR3 apunta a la dirección base de la tabla de punteros de directorio de páginas. • https://git.kernel.org/stable/c/e4e517b4be019787ada4cbbce2f04570c21b0cbd https://git.kernel.org/stable/c/58cb697d80e669c56197f703e188867c8c54c494 https://git.kernel.org/stable/c/6876793907cbe19d42e9edc8c3315a21e06c32ae https://git.kernel.org/stable/c/2c4adc9b192a0815fe58a62bc0709449416cc884 https://git.kernel.org/stable/c/426682afec71ea3f889b972d038238807b9443e4 https://git.kernel.org/stable/c/f559b2e9c5c5308850544ab59396b7d53cfc67bd •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50114 – KVM: arm64: Unregister redistributor for failed vCPU creation
https://notcve.org/view.php?id=CVE-2024-50114
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unregister redistributor for failed vCPU creation Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM: BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758 CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119 print_report+0x144/0x7a4 mm/kasan/report.c:377 kasan_report+0xcc/0x128 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409 __fput+0x198/0x71c fs/file_table.c:422 ____fput+0x20/0x30 fs/file_table.c:450 task_work_run+0x1cc/0x23c kernel/task_work.c:228 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM. It is important to consider the context of commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock. Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: arm64: Anular el registro del redistribuidor en caso de creación fallida de una vCPU. Alex informa que syzkaller ha conseguido activar un use-after-free al desmantelar una máquina virtual: ERROR: KASAN: slab-use-after-free en kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 Lectura de tamaño 8 en la dirección ffffff801c6890d0 por la tarea syz.3.2219/10758 CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 No contaminado 6.11.0-rc6-dirty #64 Nombre del hardware: linux,dummy-virt (DT) Rastreo de llamadas: dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:93 [en línea] dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119 print_report+0x144/0x7a4 mm/kasan/report.c:377 kasan_report+0xcc/0x128 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409 __fput+0x198/0x71c fs/file_table.c:422 ____fput+0x20/0x30 fs/file_table.c:450 task_work_run+0x1cc/0x23c kernel/task_work.c:228 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Tras una inspección más detallada, parece que no eliminamos correctamente el registro MMIO para una vCPU que falla en la creación tarde en el juego, por ejemplo, una vCPU con el mismo ID ya existe en la VM. • https://git.kernel.org/stable/c/f616506754d34bcfdbfbc7508b562e5c98461e9a https://git.kernel.org/stable/c/6bcc2890b883ba1d16b8942937750565f6e9db0d https://git.kernel.org/stable/c/ae8f8b37610269009326f4318df161206c59843e •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50113 – firewire: core: fix invalid port index for parent device
https://notcve.org/view.php?id=CVE-2024-50113
In the Linux kernel, the following vulnerability has been resolved: firewire: core: fix invalid port index for parent device In a commit 24b7f8e5cd65 ("firewire: core: use helper functions for self ID sequence"), the enumeration over self ID sequence was refactored with some helper functions with KUnit tests. These helper functions are guaranteed to work expectedly by the KUnit tests, however their application includes a mistake to assign invalid value to the index of port connected to parent device. This bug affects the case that any extra node devices which has three or more ports are connected to 1394 OHCI controller. In the case, the path to update the tree cache could hits WARN_ON(), and gets general protection fault due to the access to invalid address computed by the invalid value. This commit fixes the bug to assign correct port index. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firewire: core: fix invalid port index for parent device En una confirmación 24b7f8e5cd65 ("firewire: core: use helper functions for self ID sequence"), la enumeración sobre la secuencia de auto-identificación se refactorizó con algunas funciones auxiliares con pruebas KUnit. Se garantiza que estas funciones auxiliares funcionarán como se espera mediante las pruebas KUnit, sin embargo, su aplicación incluye un error para asignar un valor no válido al índice del puerto conectado al dispositivo principal. • https://git.kernel.org/stable/c/24b7f8e5cd656196a13077e160aec45ad89b58d9 https://git.kernel.org/stable/c/90753a38bc3d058820981f812a908a99f7b337c1 https://git.kernel.org/stable/c/f6a6780e0b9bbcf311a727afed06fee533a5e957 •