CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56599 – wifi: ath10k: avoid NULL pointer error during sdio remove
https://notcve.org/view.php?id=CVE-2024-56599
In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: avoid NULL pointer error during sdio remove When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON. After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen. Call trace: ath10k_sdio_remove ->ath10k_core_unregister …… ->ath10k_core_stop ->ath10k_hif_stop ->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer) ->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free …… ->wiphy_dev_release ->destroy_workqueue Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe(). No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. • https://git.kernel.org/stable/c/543c0924d446b21f35701ca084d7feca09511220 https://git.kernel.org/stable/c/95c38953cb1ecf40399a676a1f85dfe2b5780a9a •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56598 – jfs: array-index-out-of-bounds fix in dtReadFirst
https://notcve.org/view.php?id=CVE-2024-56598
In the Linux kernel, the following vulnerability has been resolved: jfs: array-index-out-of-bounds fix in dtReadFirst The value of stbl can be sometimes out of bounds due to a bad filesystem. Added a check with appopriate return of error code in that case. • https://git.kernel.org/stable/c/25f1e673ef61d6bf9a6022e27936785896d74948 https://git.kernel.org/stable/c/8c97a4d5463a1c972ef576ac499ea9b05f956097 https://git.kernel.org/stable/c/823d573f5450ca6be80b36f54d1902ac7cd23fb9 https://git.kernel.org/stable/c/2eea5fda5556ef03defebf07b0a12fcd2c5210f4 https://git.kernel.org/stable/c/fd993b2180b4c373af8b99aa28d4dcda5c2a8f10 https://git.kernel.org/stable/c/22dcbf7661c6ffc3247978c254dc40b833a0d429 https://git.kernel.org/stable/c/ca84a2c9be482836b86d780244f0357e5a778c46 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56597 – jfs: fix shift-out-of-bounds in dbSplit
https://notcve.org/view.php?id=CVE-2024-56597
In the Linux kernel, the following vulnerability has been resolved: jfs: fix shift-out-of-bounds in dbSplit When dmt_budmin is less than zero, it causes errors in the later stages. Added a check to return an error beforehand in dbAllocCtl itself. • https://git.kernel.org/stable/c/bbb24ce7f06ef9b7c05beb9340787cbe9fd3d08e https://git.kernel.org/stable/c/df7c76636952670b31bd6c12b3aed3c502122273 https://git.kernel.org/stable/c/6676034aa753aa448beb30dbd75630927ba7cd96 https://git.kernel.org/stable/c/51a203470f502a64a3da8dcea51c4748e8267a6c https://git.kernel.org/stable/c/c56245baf3fd1f79145dd7408e3ead034b74255c https://git.kernel.org/stable/c/52756a57e978e2706543a254f88f266cc6702f36 https://git.kernel.org/stable/c/a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56596 – jfs: fix array-index-out-of-bounds in jfs_readdir
https://notcve.org/view.php?id=CVE-2024-56596
In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in jfs_readdir The stbl might contain some invalid values. Added a check to return error code in that case. • https://git.kernel.org/stable/c/b62f41aeec9d250144c53875b507c1d45ae8c8fc https://git.kernel.org/stable/c/97e693593162eef6851d232f0c8148169ed46a5c https://git.kernel.org/stable/c/9efe72eefd4c4a7ce63b3e4d667d766d2b360cb4 https://git.kernel.org/stable/c/ff9fc48fab0e1ea0d423c23c99b91bba178f0b05 https://git.kernel.org/stable/c/e7d376f94f72b020f84e77278b150ec1cc27502c https://git.kernel.org/stable/c/8ff7579554571d92e3deab168f5a7d7b146ed368 https://git.kernel.org/stable/c/839f102efb168f02dfdd46717b7c6dddb26b015e •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56595 – jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
https://notcve.org/view.php?id=CVE-2024-56595
In the Linux kernel, the following vulnerability has been resolved: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out. • https://git.kernel.org/stable/c/b15000bcbecf27e0f7c0f149a409e5b865e28ca2 https://git.kernel.org/stable/c/368a533152220b0a6f1142327d96c6b6361f3002 https://git.kernel.org/stable/c/a3d408870bc19b794646871bc4c3a5daa66f91c5 https://git.kernel.org/stable/c/491487eeddccc4bb49f2e59d8c8f35bec89c15ca https://git.kernel.org/stable/c/3b5d21b56c3774bc84eab0a93aaac22a4475e2c4 https://git.kernel.org/stable/c/8a4311bbde702362fe7412045d06ab6767235dac https://git.kernel.org/stable/c/a174706ba4dad895c40b1d2277bade16dfacdcd9 •