CVE-2024-42310 – drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
https://notcve.org/view.php?id=CVE-2024-42310
In the Linux kernel, the following vulnerability has been resolved:

drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes

In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.

• https://git.kernel.org/stable/c/6a227d5fd6c4abe6a9226a40f6981825e9da5fbe
• https://git.kernel.org/stable/c/f392c36cebf4c1d6997a4cc2c0f205254acef42a
• https://git.kernel.org/stable/c/a658ae2173ab74667c009e2550455e6de5b33ddc
• https://git.kernel.org/stable/c/b6ac46a00188cde50ffba233e6efb366354a1de5
• https://git.kernel.org/stable/c/08f45102c81ad8bc9f85f7a25e9f64e128edb87d
• https://git.kernel.org/stable/c/e74eb5e8089427c8c49e0dd5067e5f39ce3a4d56
• https://git.kernel.org/stable/c/2d209b2f862f6b8bff549ede541590a8d119da23
• https://git.kernel.org/stable/c/977ee4fe895e1729cd36cc26916bbb100
CVE-2024-42309 – drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
https://notcve.org/view.php?id=CVE-2024-42309
In the Linux kernel, the following vulnerability has been resolved:

drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes

In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.

• https://git.kernel.org/stable/c/89c78134cc54dff016c83367912eb055637fa50c
• https://git.kernel.org/stable/c/13b5f3ee94bdbdc4b5f40582aab62977905aedee
• https://git.kernel.org/stable/c/d6ad202f73f8edba0cbc0065aa57a79ffe8fdcdc
• https://git.kernel.org/stable/c/6735d02ead7dd3adf74eb8b70aebd09e0ce78ec9
• https://git.kernel.org/stable/c/7e52c62ff029f95005915c0a11863b5fb5185c8c
• https://git.kernel.org/stable/c/f70ffeca546452d1acd3a70ada56ecb2f3e7f811
• https://git.kernel.org/stable/c/46d2ef272957879cbe30a884574320e7f7d78692
• https://git.kernel.org/stable/c/475a5b3b7c8edf6e583a9eb59cf28ea77
CVE-2024-42307 – cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path
https://notcve.org/view.php?id=CVE-2024-42307
In the Linux kernel, the following vulnerability has been resolved:

cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path

Dan Carpenter reported a Smack static checker warning:

fs/smb/client/cifsfs.c:1981 init_cifs() error: we previously assumed 'serverclose_wq' could be null (see line 1895)

The patch which introduced the serverclose workqueue used the wrong ordering in error paths in init_cifs() for freeing it on errors.

• https://git.kernel.org/stable/c/8c99dfb49bdc17edffc7ff3d46b400c8c291686c
• https://git.kernel.org/stable/c/6f17163b9339fac92023a1d9bef22128db3b9a4b
• https://git.kernel.org/stable/c/173217bd73365867378b5e75a86f0049e1069ee8
• https://git.kernel.org/stable/c/40a5d14c9d3b585d55d3209fb5efe202dcaac926
• https://git.kernel.org/stable/c/6018971710fdc7739f8655c1540832b4bb903671
• https://git.kernel.org/stable/c/160235efb4f9b55212dedff5de0094c606c4b303
• https://git.kernel.org/stable/c/3739d711246d8fbc95ff73dbdace9741cdce4777
• https://git.kernel.org/stable/c/193cc89ea0ca1da311877d2b4bb5e9f03
CVE-2024-42306 – udf: Avoid using corrupted block bitmap buffer
https://notcve.org/view.php?id=CVE-2024-42306
In the Linux kernel, the following vulnerability has been resolved:

udf: Avoid using corrupted block bitmap buffer

When the filesystem block bitmap is corrupted, we detect the corruption while loading the bitmap and fail the allocation with error. However the next allocation from the same bitmap will notice the bitmap buffer is already loaded and tries to allocate from the bitmap with mixed results (depending on the exact nature of the bitmap corruption). Fix the problem by using BH_verified bit to indicate whether the bitmap is valid or not.

• https://git.kernel.org/stable/c/7648ea9896b31aff38830d81188f5b7a1773e4a8
• https://git.kernel.org/stable/c/4ac54312f623c6d2ca30c36c1ef530c11f5aff64
• https://git.kernel.org/stable/c/099bf90d7fc4622da9fd4727f6d318a0f12d10be
• https://git.kernel.org/stable/c/6ac8f2c8362afd2baa8e7b9c946597589e587d22
• https://git.kernel.org/stable/c/1e0d4adf17e7ef03281d7b16555e7c1508c8ed2d
• https://git.kernel.org/stable/c/f862a9049c3f6e73a5504a1ac10ffd5bc253ab55
• https://git.kernel.org/stable/c/4622cc1b6d86013e01c56b60b092b5e4726c8e52
• https://git.kernel.org/stable/c/cae9e59cc41683408b70b9ab569f86548
CVE-2024-42305 – ext4: check dot and dotdot of dx_root before making dir indexed
https://notcve.org/view.php?id=CVE-2024-42305
In the Linux kernel, the following vulnerability has been resolved:

ext4: check dot and dotdot of dx_root before making dir indexed

Syzbot reports an issue as follows:

============================================
BUG: unable to handle page fault for address: ffffed11022e24fe
PGD 23ffee067 P4D 23ffee067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0
Call Trace:
 <TASK>
 make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341
 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451
 ext4_rename fs/ext4/namei.c:3936 [inline]
 ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214
 [...]
============================================

The immediate cause of this problem is that there is only one valid dentry for the block to be split during do_split, so split==0 results in out of bounds accesses to the map triggering the issue.

    do_split
      unsigned split
      dx_make_map
       count = 1
      split = count/2 = 0;
      continued = hash2 == map[split - 1].hash;
       ---> map[4294967295]

The maximum length of a filename is 255 and the minimum block size is 1024, so it is always guaranteed that the number of entries is greater than or equal to 2 when do_split() is called.

But syzbot's crafted image has no dot and dotdot in dir, and the dentry distribution in dirblock is as follows:

  bus     dentry1            hole           dentry2           free
|xx--|xx-------------|...............|xx-------------|...............|
0   12 (8+248)=256  268     256     524 (8+256)=264  788     236     1024

So when renaming dentry1 increases its name_len length by 1, neither hole nor free is sufficient to hold the new dentry, and make_indexed_dir() is called. In make_indexed_dir() it is assumed that the first two entries of the dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root because they are treated as dot and dotdot, and only dentry2 is moved to the new leaf block. That's why count is equal to 1.

Therefore add the ext4_check_dx_root() helper function to add more sanity checks to dot and dotdot before starting the conversion to avoid the above issue.

• https://git.kernel.org/stable/c/ac27a0ec112a089f1a5102bc8dffc79c8c815571
• https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db
• https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8
• https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa
• https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a
• https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c
• https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2
• https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d239