CVE-2024-44967 – drm/mgag200: Bind I2C lifetime to DRM device
https://notcve.org/view.php?id=CVE-2024-44967
In the Linux kernel, the following vulnerability has been resolved: drm/mgag200: Bind I2C lifetime to DRM device Managed cleanup with devm_add_action_or_reset() will release the I2C adapter when the underlying Linux device goes away. But the connector still refers to it, so this cleanup leaves behind a stale pointer in struct drm_connector.ddc. Bind the lifetime of the I2C adapter to the connector's lifetime by using DRM's managed release. When the DRM device goes away (after the Linux device) DRM will first clean up the connector and then clean up the I2C adapter. • https://git.kernel.org/stable/c/b279df242972ae816a75cf1cc732af836f999100 https://git.kernel.org/stable/c/55a6916db77102765b22855d3a0add4751988b7c https://git.kernel.org/stable/c/81d34df843620e902dd04aa9205c875833d61c17 https://git.kernel.org/stable/c/9d96b91e03cba9dfcb4ac370c93af4dbc47d5191 https://git.kernel.org/stable/c/eb1ae34e48a09b7a1179c579aed042b032e408f4 •
CVE-2024-44966 – binfmt_flat: Fix corruption when not offsetting data start
https://notcve.org/view.php?id=CVE-2024-44966
In the Linux kernel, the following vulnerability has been resolved: binfmt_flat: Fix corruption when not offsetting data start Commit 04d82a6d0881 ("binfmt_flat: allow not offsetting data start") introduced a RISC-V specific variant of the FLAT format which does not allocate any space for the (obsolete) array of shared library pointers. However, it did not disable the code which initializes the array, resulting in the corruption of sizeof(long) bytes before the DATA segment, generally the end of the TEXT segment. Introduce MAX_SHARED_LIBS_UPDATE which depends on the state of CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET to guard the initialization of the shared library pointer region so that it will only be initialized if space is reserved for it. • https://git.kernel.org/stable/c/04d82a6d0881ef1ab1e9f66f10805177ee2fb1e8 https://git.kernel.org/stable/c/3a684499261d0f7ed5ee72793025c88c2276809c https://git.kernel.org/stable/c/af65d5383854cc3f172a7d0843b628758bf462c8 https://git.kernel.org/stable/c/49df34d2b7da9e57c839555a2f7877291ce45ad1 https://git.kernel.org/stable/c/9350ba06ee61db392c486716ac68ecc20e030f7c https://git.kernel.org/stable/c/3eb3cd5992f7a0c37edc8d05b4c38c98758d8671 •
CVE-2024-44965 – x86/mm: Fix pti_clone_pgtable() alignment assumption
https://notcve.org/view.php?id=CVE-2024-44965
In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix pti_clone_pgtable() alignment assumption Guenter reported dodgy crashes on an i386-nosmp build using GCC-11 that had the form of endless traps until entry stack exhaust and then #DF from the stack guard. It turned out that pti_clone_pgtable() had alignment assumptions on the start address, notably it hard assumes start is PMD aligned. This is true on x86_64, but very much not true on i386. These assumptions can cause the end condition to malfunction, leading to a 'short' clone. Guess what happens when the user mapping has a short copy of the entry text? Use the correct increment form for addr to avoid alignment assumptions. • https://git.kernel.org/stable/c/16a3fe634f6a568c6234b8747e5d50487fed3526 https://git.kernel.org/stable/c/18da1b27ce16a14a9b636af9232acb4fb24f4c9e https://git.kernel.org/stable/c/25a727233a40a9b33370eec9f0cad67d8fd312f8 https://git.kernel.org/stable/c/d00c9b4bbc442d99e1dafbdfdab848bc1ead73f6 https://git.kernel.org/stable/c/4d143ae782009b43b4f366402e5c37f59d4e4346 https://git.kernel.org/stable/c/5c580c1050bcbc15c3e78090859d798dcf8c9763 https://git.kernel.org/stable/c/ca07aab70dd3b5e7fddb62d7a6ecd7a7d6d0b2ed https://git.kernel.org/stable/c/df3eecb5496f87263d171b254ca6e2758 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2024-44963 – btrfs: do not BUG_ON() when freeing tree block after error
https://notcve.org/view.php?id=CVE-2024-44963
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not BUG_ON() when freeing tree block after error When freeing a tree block, at btrfs_free_tree_block(), if we fail to create a delayed reference we don't deal with the error and just do a BUG_ON(). The error most likely to happen is -ENOMEM, and we have a comment mentioning that only -ENOMEM can happen, but that is not true, because in case qgroups are enabled any error returned from btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned from btrfs_search_slot() for example) can be propagated back to btrfs_free_tree_block(). So stop doing a BUG_ON() and return the error to the callers and make them abort the transaction to prevent leaking space. Syzbot was triggering this, likely due to memory allocation failure injection. • https://git.kernel.org/stable/c/22d907bcd283d69d5e60497fc0d51969545c583b https://git.kernel.org/stable/c/98251cd60b4d702a8a81de442ab621e83a3fb24f https://git.kernel.org/stable/c/bb3868033a4cccff7be57e9145f2117cbdc91c11 •
CVE-2024-44961 – drm/amdgpu: Forward soft recovery errors to userspace
https://notcve.org/view.php?id=CVE-2024-44961
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Forward soft recovery errors to userspace As we discussed before[1], soft recovery should be forwarded to userspace, or we can get into a really bad state where apps will keep submitting hanging command buffers cascading us to a hard reset. 1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/ (cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01) • https://git.kernel.org/stable/c/0da0b06165d83a8ecbb6582d9d5a135f9d38a52a https://git.kernel.org/stable/c/c28d207edfc5679585f4e96acb67000076ce90be https://git.kernel.org/stable/c/829798c789f567ef6ba4b084c15b7b5f3bd98d51 •