CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42236 – usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
https://notcve.org/view.php?id=CVE-2024-42236
07 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short. In the... • https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-42235 – s390/mm: Add NULL pointer check to crst_table_free() base_crst_free()
https://notcve.org/view.php?id=CVE-2024-42235
07 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add NULL pointer check to crst_table_free() base_crst_free() crst_table_free() used to work with NULL pointers before the conversion to ptdescs. Since crst_table_free() can be called with a NULL pointer (error handling in crst_table_upgrade() add an explicit check. Also add the same check to base_crst_free() for consistency reasons. In real life this should not happen, since order two GFP_KERNEL allocations will not fail, unless FA... • https://git.kernel.org/stable/c/6326c26c1514757242829b292b26eac589013200 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42234 – mm: fix crashes from deferred split racing folio migration
https://notcve.org/view.php?id=CVE-2024-42234
07 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: mm: fix crashes from deferred split racing folio migration Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration. 6.7 commit 9bcef5973e3... • https://git.kernel.org/stable/c/9bcef5973e31020e5aa8571eb994d67b77318356 •
CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42233 – filemap: replace pte_offset_map() with pte_offset_map_nolock()
https://notcve.org/view.php?id=CVE-2024-42233
07 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: filemap: replace pte_offset_map() with pte_offset_map_nolock() The vmf->ptl in filemap_fault_recheck_pte_none() is still set from handle_pte_fault(). But at the same time, we did a pte_unmap(vmf->pte). After a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table may be racily changed and vmf->ptl maybe fails to protect the actual page table. Fix this by replacing pte_offset_map() with pte_offset_map_nolock(). As David said, the P... • https://git.kernel.org/stable/c/58f327f2ce80f9c7b4a70e9cf017ae8810d44a20 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42232 – libceph: fix race between delayed_work() and ceph_monc_stop()
https://notcve.org/view.php?id=CVE-2024-42232
07 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hu... • https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42231 – btrfs: zoned: fix calc_available_free_space() for zoned mode
https://notcve.org/view.php?id=CVE-2024-42231
30 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix calc_available_free_space() for zoned mode calc_available_free_space() returns the total size of metadata (or system) block groups, which can be allocated from unallocated disk space. The logic is wrong on zoned mode in two places. First, the calculation of data_chunk_size is wrong. We always allocate one zone as one chunk, and no partial allocation of a zone. So, we should use zone_size (= data_sinfo->chunk_size) as it is... • https://git.kernel.org/stable/c/cb6cbab79055ca207ad88bc54226b48ececdcef0 •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-42230 – powerpc/pseries: Fix scv instruction crash with kexec
https://notcve.org/view.php?id=CVE-2024-42230
30 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix scv instruction crash with kexec kexec on pseries disables AIL (reloc_on_exc), required for scv instruction support, before other CPUs have been shut down. This means they can execute scv instructions after AIL is disabled, which causes an interrupt at an unexpected entry location that crashes the kernel. Change the kexec sequence to disable AIL after other CPUs have been brought down. As a refresher, the real-mode scv ... • https://git.kernel.org/stable/c/7fa95f9adaee7e5cbb195d3359741120829e488b •
CVSS: 4.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42229 – crypto: aead,cipher - zeroize key buffer after use
https://notcve.org/view.php?id=CVE-2024-42229
30 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key. In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies t... • https://git.kernel.org/stable/c/89b9b6fa4463daf820e6a5ef65c3b0c2db239513 •
CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42228 – drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc
https://notcve.org/view.php?id=CVE-2024-42228
30 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian) A vulnerability was found in the Linux kernel's amdgpu driver in the amdgpu_vce_ring_parse_cs() function where the size variable is initialized with a pointer that may not be pr... • https://git.kernel.org/stable/c/d35cf41c8eb5d9fe95b21ae6ee2910f9ba4878e8 • CWE-457: Use of Uninitialized Variable •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42227 – drm/amd/display: Fix overlapping copy within dml_core_mode_programming
https://notcve.org/view.php?id=CVE-2024-42227
30 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix overlapping copy within dml_core_mode_programming [WHY] &mode_lib->mp.Watermark and &locals->Watermark are the same address. memcpy may lead to unexpected behavior. [HOW] memmove should be used. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix overlapping copy within dml_core_mode_programming [WHY] &mode_lib->mp.Watermark and &locals->Watermark are the same address. memcpy may lea... • https://git.kernel.org/stable/c/9342da15f2491d8600eca89c8e0da08876fb969b •