CVE-2024-46803 – drm/amdkfd: Check debug trap enable before write dbg_ev_file
https://notcve.org/view.php?id=CVE-2024-46803
27 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Check debug trap enable before write dbg_ev_file In interrupt context, write dbg_ev_file will be run by work queue. It will cause write dbg_ev_file execution after debug_trap_disable, which will cause NULL pointer access. v2: cancel work "debug_event_workarea" before set dbg_ev_file as NULL. In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Check debug trap enable before write dbg_ev_file In interru... • https://git.kernel.org/stable/c/e6ea3b8fe398915338147fe54dd2db8155fdafd8 •
CVE-2024-46802 – drm/amd/display: added NULL check at start of dc_validate_stream
https://notcve.org/view.php?id=CVE-2024-46802
27 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: added NULL check at start of dc_validate_stream [Why] prevent invalid memory access [How] check if dc and stream are NULL In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: added NULL check at start of dc_validate_stream [Why] prevent invalid memory access [How] check if dc and stream are NULL Ubuntu Security Notice 7156-1 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linu... • https://git.kernel.org/stable/c/356fcce9cdbfe338a275e9e1836adfdd7f5c52a9 •
CVE-2022-48945 – media: vivid: fix compose size exceed boundary
https://notcve.org/view.php?id=CVE-2022-48945
23 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: media: vivid: fix compose size exceed boundary syzkaller found a bug: BUG: unable to handle page fault for address: ffffc9000a3b1000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0... • https://git.kernel.org/stable/c/ef834f7836ec0502f49f20bbc42f1240577a9c83 •
CVE-2024-46801 – libfs: fix get_stashed_dentry()
https://notcve.org/view.php?id=CVE-2024-46801
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: libfs: fix get_stashed_dentry() get_stashed_dentry() tries to optimistically retrieve a stashed dentry from a provided location. It needs to ensure to hold rcu lock before it dereference the stashed location to prevent UAF issues. Use rcu_dereference() instead of READ_ONCE() it's effectively equivalent with some lockdep bells and whistles and it communicates clearly that this expects rcu protection. In the Linux kernel, the following vulner... • https://git.kernel.org/stable/c/07fd7c329839cf0b8c7766883d830a1a0d12d1dd •
CVE-2024-46800 – sch/netem: fix use after free in netem_dequeue
https://notcve.org/view.php?id=CVE-2024-46800
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set du... • https://git.kernel.org/stable/c/50612537e9ab29693122fab20fc1eed235054ffe •
CVE-2024-46799 – net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX
https://notcve.org/view.php?id=CVE-2024-46799
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX If number of TX queues are set to 1 we get a NULL pointer dereference during XDP_TX. ~# ethtool -L eth0 tx 1 ~# ./xdp-trafficgen udp -A
CVE-2024-46798 – ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
https://notcve.org/view.php?id=CVE-2024-46798
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x27... • https://git.kernel.org/stable/c/a72706ed8208ac3f72d1c3ebbc6509e368b0dcb0 •
CVE-2024-46797 – powerpc/qspinlock: Fix deadlock in MCS queue
https://notcve.org/view.php?id=CVE-2024-46797
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the "next" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spi... • https://git.kernel.org/stable/c/84990b169557428c318df87b7836cd15f65b62dc •
CVE-2024-46796 – smb: client: fix double put of @cfile in smb2_set_path_size()
https://notcve.org/view.php?id=CVE-2024-46796
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call. This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19... • https://git.kernel.org/stable/c/1e60bc0e954389af82f1d9a85f13a63f6572350f •
CVE-2024-46795 – ksmbd: unset the binding mark of a reused connection
https://notcve.org/view.php?id=CVE-2024-46795
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey.... • https://git.kernel.org/stable/c/f5a544e3bab78142207e0242d22442db85ba1eff •