CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26956 – nilfs2: fix failure to detect DAT corruption in btree and direct mappings
https://notcve.org/view.php?id=CVE-2024-26956
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix failure to detect DAT corruption in btree and direct mappings Patch series "nilfs2: fix kernel bug at submit_bh_wbc()". This resolves a kernel BUG reported by syzbot. Since there are two flaws involved, I've made each one a separate patch. The first patch alone resolves the syzbot-reported bug, but I think both fixes should be sent to stable, so I've tagged them as such. This patch (of 2): Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data to a nilfs2 file system whose metadata is corrupted. There are two flaws involved in this issue. The first flaw is that when nilfs_get_block() locates a data block using btree or direct mapping, if the disk address translation routine nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata corruption, it can be passed back to nilfs_get_block(). This causes nilfs_get_block() to misidentify an existing block as non-existent, causing both data block lookup and insertion to fail inconsistently. The second flaw is that nilfs_get_block() returns a successful status in this inconsistent state. This causes the caller __block_write_begin_int() or others to request a read even though the buffer is not mapped, resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc() failing. This fixes the first issue by changing the return value to code -EINVAL when a conversion using DAT fails with code -ENOENT, avoiding the conflicting condition that leads to the kernel bug described above. Here, code -EINVAL indicates that metadata corruption was detected during the block lookup, which will be properly handled as a file system error and converted to -EIO when passing through the nilfs2 bmap layer. • https://git.kernel.org/stable/c/c3a7abf06ce719a51139e62a034590be99abbc2c https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35 https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84 https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7 https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862 https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26955 – nilfs2: prevent kernel bug at submit_bh_wbc()
https://notcve.org/view.php?id=CVE-2024-26955
In the Linux kernel, the following vulnerability has been resolved: nilfs2: prevent kernel bug at submit_bh_wbc() Fix a bug where nilfs_get_block() returns a successful status when searching and inserting the specified block both fail inconsistently. If this inconsistent behavior is not due to a previously fixed bug, then an unexpected race is occurring, so return a temporary error -EAGAIN instead. This prevents callers such as __block_write_begin_int() from requesting a read into a buffer that is not mapped, which would cause the BUG_ON check for the BH_Mapped flag in submit_bh_wbc() to fail. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nilfs2: previene el error del kernel en submit_bh_wbc(). Se corrige un error por el cual nilfs_get_block() devuelve un estado exitoso cuando la búsqueda y la inserción del bloque especificado fallan de manera inconsistente. Si este comportamiento inconsistente no se debe a un error solucionado previamente, entonces se está produciendo una ejecución inesperada, por lo que se devuelve un error temporal -EAGAIN. • https://git.kernel.org/stable/c/1f5abe7e7dbcd83e73212c6cb135a6106cea6a0b https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183 https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07 https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186 https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5 https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-26954 – ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
https://notcve.org/view.php?id=CVE-2024-26954
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() If ->NameOffset of smb2_create_req is smaller than Buffer offset of smb2_create_req, slab-out-of-bounds read can happen from smb2_open. This patch set the minimum value of the name offset to the buffer offset to validate name length of smb2_create_req(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige slab-out-of-bounds en smb_strndup_from_utf16() Si ->NameOffset de smb2_create_req es menor que el desplazamiento del búfer de smb2_create_req, puede ocurrir una lectura de slab-out-of-bounds de smb2_open. Este parche establece el valor mínimo del desplazamiento del nombre en el desplazamiento del búfer para validar la longitud del nombre de smb2_create_req(). • https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57 https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178 https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26952 – ksmbd: fix potencial out-of-bounds when buffer offset is invalid
https://notcve.org/view.php?id=CVE-2024-26952
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige posibles límites cuando el desplazamiento del búfer no es válido. Encontré posibles límites cuando los campos de desplazamiento del búfer de algunas solicitudes no son válidos. Este parche establece el valor mínimo del campo de compensación del búfer en ->Desplazamiento del búfer para validar la longitud del búfer. • https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63 https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5 https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-125: Out-of-bounds Read •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26948 – drm/amd/display: Add a dc_state NULL check in dc_state_release
https://notcve.org/view.php?id=CVE-2024-26948
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add a dc_state NULL check in dc_state_release [How] Check wheather state is NULL before releasing it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: agregue una verificación dc_state NULL en dc_state_release [Cómo] Verifique si el estado es NULL antes de liberarlo. • https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269 https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98 •