CVSS: 5.2EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41056 – firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files
https://notcve.org/view.php?id=CVE-2024-41056
In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files Use strnlen() instead of strlen() on the algorithm and coefficient name string arrays in V1 wmfw files. In V1 wmfw files the name is a NUL-terminated string in a fixed-size array. cs_dsp should protect against overrunning the array if the NUL terminator is missing. • https://git.kernel.org/stable/c/f6bc909e7673c30abcbdb329e7d0aa2e83c103d7 https://git.kernel.org/stable/c/16d76857d6b5426f41b587d0bb925de3f25bfb21 https://git.kernel.org/stable/c/392cff2f86a25a4286ff3151c7739143c61c1781 https://git.kernel.org/stable/c/53a9f8cdbf35a682e9894e1a606f4640e5359185 https://git.kernel.org/stable/c/680e126ec0400f6daecf0510c5bb97a55779ff03 https://access.redhat.com/security/cve/CVE-2024-41056 https://bugzilla.redhat.com/show_bug.cgi?id=2300430 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-41055 – mm: prevent derefencing NULL ptr in pfn_section_valid()
https://notcve.org/view.php?id=CVE-2024-41055
In the Linux kernel, the following vulnerability has been resolved: mm: prevent derefencing NULL ptr in pfn_section_valid() Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage") changed pfn_section_valid() to add a READ_ONCE() call around "ms->usage" to fix a race with section_deactivate() where ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough to prevent NULL pointer dereference. We need to check its value before dereferencing it. • https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529 https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97 https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800 https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7 https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982 https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f533350 • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-41054 – scsi: ufs: core: Fix ufshcd_clear_cmd racing issue
https://notcve.org/view.php?id=CVE-2024-41054
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix ufshcd_clear_cmd racing issue When ufshcd_clear_cmd is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by the ISR. And ufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE. Return success when the request is completed by ISR because sq does not need cleanup. The racing flow is: Thread A ufshcd_err_handler step 1 ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) step 3 ufshcd_clear_cmd ... ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num step 5 Thread B ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done ... __blk_mq_free_request rq->mq_hctx = NULL; step 4 Below is KE back trace: ufshcd_try_to_abort_task: cmd pending in the device. tag = 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194 pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14 lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise] Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise] Call trace: dump_backtrace+0xf8/0x148 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c mrdump_common_die+0x24c/0x398 [mrdump] ipanic_die+0x20/0x34 [mrdump] notify_die+0x80/0xd8 die+0x94/0x2b8 __do_kernel_fault+0x264/0x298 do_page_fault+0xa4/0x4b8 do_translation_fault+0x38/0x54 do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise] ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise] ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc worker_thread+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 • https://git.kernel.org/stable/c/8d7290348992f27242dd6a696fa2eede709f0b14 https://git.kernel.org/stable/c/bed0896008334eeee4b4bfd7150491ca098cbf72 https://git.kernel.org/stable/c/11d81233f4ebe6907b12c79ad7d8787aa4db0633 https://git.kernel.org/stable/c/9307a998cb9846a2557fdca286997430bee36a2a •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-41053 – scsi: ufs: core: Fix ufshcd_abort_one racing issue
https://notcve.org/view.php?id=CVE-2024-41053
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix ufshcd_abort_one racing issue When ufshcd_abort_one is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by ISR. Return success when request is completed by ISR because ufshcd_abort_one does not need to do anything. The racing flow is: Thread A ufshcd_err_handler step 1 ... ufshcd_abort_one ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) step 3 ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num step 5 Thread B ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done ... __blk_mq_free_request rq->mq_hctx = NULL; step 4 Below is KE back trace. ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device. ufshcd_try_to_abort_task: cmd at tag=41 is cleared. Aborting tag 41 / CDB 0x28 succeeded Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194 pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14 lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise] do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc worker_thread+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 • https://git.kernel.org/stable/c/ff7699d3620763b0dfe2ff93df4528880bf903a8 https://git.kernel.org/stable/c/93e6c0e19d5bb12b49534a411c85e21d333731fa https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0 https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4 https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41052 – vfio/pci: Init the count variable in collecting hot-reset devices
https://notcve.org/view.php?id=CVE-2024-41052
In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Init the count variable in collecting hot-reset devices The count variable is used without initialization, it results in mistakes in the device counting and crashes the userspace if the get hot reset info path is triggered. • https://git.kernel.org/stable/c/618fbf4c910a06a3aa6a8b88a5fb1f2197f964f3 https://git.kernel.org/stable/c/9313244c26f3792daa86f3a18cc3bd5ad60310e0 https://git.kernel.org/stable/c/f476dffc52ea70745dcabf63288e770e50ac9ab3 https://git.kernel.org/stable/c/f44136b9652291ac1fc39ca67c053ac624d0d11b https://git.kernel.org/stable/c/5a88a3f67e37e39f933b38ebb4985ba5822e9eca •