CVE-2024-46804 – drm/amd/display: Add array index check for hdcp ddc access
https://notcve.org/view.php?id=CVE-2024-46804
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add array index check for hdcp ddc access [Why] Coverity reports OVERRUN warning. Do not check if array index valid. [How] Check msg_id valid and valid array index. • https://git.kernel.org/stable/c/2a63c90c7a90ab2bd23deebc2814fc5b52abf6d2 https://git.kernel.org/stable/c/0ee4387c5a4b57ec733c3fb4365188d5979cd9c7 https://git.kernel.org/stable/c/f338f99f6a04d03c802087d82a83561cbd5bdc99 https://git.kernel.org/stable/c/8b5ccf3d011969417be653b5a145c72dbd30472c https://git.kernel.org/stable/c/a3b5ee22a9d3a30045191da5678ca8451ebaea30 https://git.kernel.org/stable/c/4e70c0f5251c25885c31ee84a31f99a01f7cf50e •
CVE-2024-46803 – drm/amdkfd: Check debug trap enable before write dbg_ev_file
https://notcve.org/view.php?id=CVE-2024-46803
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Check debug trap enable before write dbg_ev_file In interrupt context, write dbg_ev_file will be run by work queue. It will cause write dbg_ev_file execution after debug_trap_disable, which will cause NULL pointer access. v2: cancel work "debug_event_workarea" before set dbg_ev_file as NULL. • https://git.kernel.org/stable/c/e6ea3b8fe398915338147fe54dd2db8155fdafd8 https://git.kernel.org/stable/c/820dcbd38a77bd5fdc4236d521c1c122841227d0 https://git.kernel.org/stable/c/547033b593063eb85bfdf9b25a5f1b8fd1911be2 •
CVE-2024-46802 – drm/amd/display: added NULL check at start of dc_validate_stream
https://notcve.org/view.php?id=CVE-2024-46802
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: added NULL check at start of dc_validate_stream [Why] prevent invalid memory access [How] check if dc and stream are NULL • https://git.kernel.org/stable/c/356fcce9cdbfe338a275e9e1836adfdd7f5c52a9 https://git.kernel.org/stable/c/154a50bf4221a6a6ccf88d565b8184da7c40a2dd https://git.kernel.org/stable/c/6bf920193ba1853bad780bba565a789246d9003c https://git.kernel.org/stable/c/26c56049cc4f1705b498df013949427692a4b0d5 •
CVE-2022-48945 – media: vivid: fix compose size exceed boundary
https://notcve.org/view.php?id=CVE-2022-48945
In the Linux kernel, the following vulnerability has been resolved: media: vivid: fix compose size exceed boundary syzkaller found a bug: BUG: unable to handle page fault for address: ffffc9000a3b1000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:memcpy_erms+0x6/0x10 [...] Call Trace: <TASK> ? tpg_fill_plane_buffer+0x856/0x15b0 vivid_fillbuff+0x8ac/0x1110 vivid_thread_vid_cap_tick+0x361/0xc90 vivid_thread_vid_cap+0x21a/0x3a0 kthread+0x143/0x180 ret_from_fork+0x1f/0x30 </TASK> This is because we forget to check boundary after adjust compose->height int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem for this case. • https://git.kernel.org/stable/c/ef834f7836ec0502f49f20bbc42f1240577a9c83 https://git.kernel.org/stable/c/8c0ee15d9a102c732d0745566d254040085d5663 https://git.kernel.org/stable/c/5edc3604151919da8da0fb092b71d7dce07d848a https://git.kernel.org/stable/c/9c7fba9503b826f0c061d136f8f0c9f953ed18b9 https://git.kernel.org/stable/c/54f259906039dbfe46c550011409fa16f72370f6 https://git.kernel.org/stable/c/f9d19f3a044ca651b0be52a4bf951ffe74259b9f https://git.kernel.org/stable/c/ab54081a2843aefb837812fac5488cc8f1696142 https://git.kernel.org/stable/c/ccb5392c4fea0e7d9f7ab35567e839d74 •
CVE-2024-46801 – libfs: fix get_stashed_dentry()
https://notcve.org/view.php?id=CVE-2024-46801
In the Linux kernel, the following vulnerability has been resolved: libfs: fix get_stashed_dentry() get_stashed_dentry() tries to optimistically retrieve a stashed dentry from a provided location. It needs to ensure to hold rcu lock before it dereference the stashed location to prevent UAF issues. Use rcu_dereference() instead of READ_ONCE() it's effectively equivalent with some lockdep bells and whistles and it communicates clearly that this expects rcu protection. • https://git.kernel.org/stable/c/07fd7c329839cf0b8c7766883d830a1a0d12d1dd https://git.kernel.org/stable/c/03e2a1209a83a380df34a72f7d6d1bc6c74132c7 https://git.kernel.org/stable/c/4e32c25b58b945f976435bbe51f39b32d714052e •