CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50108 – drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too
https://notcve.org/view.php?id=CVE-2024-50108
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Stuart Hayhurst has found that both at bootup and fullscreen VA-API video is leading to black screens for around 1 second and kernel WARNING [1] traces when calling dmub_psr_enable() with Parade 08-01 TCON. These symptoms all go away with PSR-SU disabled for this TCON, so disable it for now while DMUB traces [2] from the failure can be analyzed and the failure state properly root caused. (cherry picked from commit afb634a6823d8d9db23c5fb04f79c5549349628b) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Deshabilitar PSR-SU también en Parade 08-01 TCON Stuart Hayhurst ha descubierto que tanto en el arranque como en pantalla completa, el vídeo VA-API provoca pantallas negras durante alrededor de 1 segundo y rastros de ADVERTENCIA [1] en el kernel al llamar a dmub_psr_enable() con Parade 08-01 TCON. Todos estos síntomas desaparecen con PSR-SU deshabilitado para este TCON, así que deshabilítelo por ahora mientras se pueden analizar los rastros DMUB [2] del fallo y se puede determinar correctamente el estado del fallo. (seleccionado de la confirmación afb634a6823d8d9db23c5fb04f79c5549349628b) • https://git.kernel.org/stable/c/5660bcc4dd533005248577d5042f1c48cce2b443 https://git.kernel.org/stable/c/c79e0a18e4b301401bb745702830be9041cfbf04 https://git.kernel.org/stable/c/fc6afa07b5e251148fb37600ee06e1a7007178c3 https://git.kernel.org/stable/c/ba1959f71117b27f3099ee789e0815360b4081dd •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50106 – nfsd: fix race between laundromat and free_stateid
https://notcve.org/view.php?id=CVE-2024-50106
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix race between laundromat and free_stateid There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. • https://git.kernel.org/stable/c/2d4a532d385f635ab8243b88db3136bb52a0bc29 https://git.kernel.org/stable/c/967faa26f313a62e7bebc55d5b8122eaee43b929 https://git.kernel.org/stable/c/8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50103 – ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()
https://notcve.org/view.php?id=CVE-2024-50103
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could possibly return NULL pointer. NULL Pointer Dereference may be triggerred without addtional check. Add a NULL check for the returned pointer. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: qcom: Se ha corregido la desreferencia NULL en asoc_qcom_lpass_cpu_platform_probe(). Una devm_kzalloc() en asoc_qcom_lpass_cpu_platform_probe() podría devolver un puntero NULL. La desreferencia de puntero NULL se puede activar sin una comprobación adicional. • https://git.kernel.org/stable/c/b5022a36d28f6a99c1a57f54246e8b566cf094d5 https://git.kernel.org/stable/c/a8e691fe1894c8bdf815a6171ee22ae7da8b18aa https://git.kernel.org/stable/c/e19bf49e903337641fc230d430d49813e3199902 https://git.kernel.org/stable/c/73cc3f905ca9aa95694eea3dfa1acadc90686368 https://git.kernel.org/stable/c/1e235d02d803660777ec911a2c467ae41f8539f5 https://git.kernel.org/stable/c/49da1463c9e3d2082276c3e0e2a8b65a88711cd2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50101 – iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices
https://notcve.org/view.php?id=CVE-2024-50101
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Previously, the domain_context_clear() function incorrectly called pci_for_each_dma_alias() to set up context entries for non-PCI devices. This could lead to kernel hangs or other unexpected behavior. Add a check to only call pci_for_each_dma_alias() for PCI devices. For non-PCI devices, domain_context_clear_one() is called directly. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/vt-d: Se corrige pci_for_each_dma_alias() incorrecto para dispositivos que no sean PCI Anteriormente, la función domain_context_clear() llamaba incorrectamente a pci_for_each_dma_alias() para configurar entradas de contexto para dispositivos que no sean PCI. Esto podría provocar bloqueos del kernel u otro comportamiento inesperado. Agregue una verificación para llamar solo a pci_for_each_dma_alias() para dispositivos PCI. • https://git.kernel.org/stable/c/9807860f6ad446459d0446550cf4a2dc23bbee6c https://git.kernel.org/stable/c/59862b869275c27beb25cda2054b59a8b5d04970 https://git.kernel.org/stable/c/48f2183a4f9d3540fc5cfc8f8451621ee92c09f8 https://git.kernel.org/stable/c/9a16ab9d640274b20813d2d17475e18d3e99d834 https://git.kernel.org/stable/c/0bd9a30c22afb5da203386b811ec31429d2caa78 https://git.kernel.org/stable/c/cbfa3a83eba05240ce37839ed48280a05e8e8f6c https://git.kernel.org/stable/c/fe2e0b6cd00abea3efac66de1da22d844364c1b0 https://git.kernel.org/stable/c/04d6826ba7ba81213422276e96c90c656 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50099 – arm64: probes: Remove broken LDR (literal) uprobe support
https://notcve.org/view.php?id=CVE-2024-50099
In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory. There are three key problems: 1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()). 2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN. 3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instructions must itself be a user instructions in the TTBR0 address range, these can address the final 1MiB of the TTBR1 acddress range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range. In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1). Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either: * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range. * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range. ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers. Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes. Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. • https://git.kernel.org/stable/c/9842ceae9fa8deae141533d52a6ead7666962c09 https://git.kernel.org/stable/c/3728b4eb27910ffedd173018279a970705f2e03a https://git.kernel.org/stable/c/ad4bc35a6d22e9ff9b67d0d0c38bce654232f195 https://git.kernel.org/stable/c/bae792617a7e911477f67a3aff850ad4ddf51572 https://git.kernel.org/stable/c/9f1e7735474e7457a4d919a517900e46868ae5f6 https://git.kernel.org/stable/c/20cde998315a3d2df08e26079a3ea7501abce6db https://git.kernel.org/stable/c/acc450aa07099d071b18174c22a1119c57da8227 •