CVE-2024-49933 – blk_iocost: fix more out of bound shifts
https://notcve.org/view.php?id=CVE-2024-49933
In the Linux kernel, the following vulnerability has been resolved: blk_iocost: fix more out of bound shifts Recently running UBSAN caught few out of bound shifts in the ioc_forgive_debts() function: UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... Call Trace: <IRQ> dump_stack_lvl+0xca/0x130 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 ? __lock_acquire+0x6441/0x7c10 ioc_timer_fn+0x6cec/0x7750 ? blk_iocost_init+0x720/0x720 ? call_timer_fn+0x5d/0x470 call_timer_fn+0xfa/0x470 ? blk_iocost_init+0x720/0x720 __run_timer_base+0x519/0x700 ... Actual impact of this issue was not identified but I propose to fix the undefined behaviour. The proposed fix to prevent those out of bound shifts consist of precalculating exponent before using it the shift operations by taking min value from the actual exponent and maximum possible number of bits. • https://git.kernel.org/stable/c/1f61d509257d6a05763d05bf37943b35306522b1 https://git.kernel.org/stable/c/f4ef9bef023d5c543cb0f3194ecacfd47ef590ec https://git.kernel.org/stable/c/59121bb38fdc01434ea3fe361ee02b59f036227f https://git.kernel.org/stable/c/1ab2cfe19700fb3dde4c7dfec392acff34db3120 https://git.kernel.org/stable/c/1b120f151871eb47ce9f283c007af3f8ae1d990e https://git.kernel.org/stable/c/364022095bdd4108efdaaa68576afa4712a5d085 https://git.kernel.org/stable/c/9bce8005ec0dcb23a58300e8522fe4a31da606fa •
CVE-2024-49932 – btrfs: don't readahead the relocation inode on RST
https://notcve.org/view.php?id=CVE-2024-49932
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't readahead the relocation inode on RST On relocation we're doing readahead on the relocation inode, but if the filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to preallocated extents not being mapped in the RST) from the lookup. But readahead doesn't handle the error and submits invalid reads to the device, causing an assertion in the scatter-gather list code: BTRFS info (device nvme1n1): balance: start -d -m -s BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0 BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0 ------------[ cut here ]------------ kernel BUG at include/linux/scatterlist.h:115! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567 RIP: 0010:__blk_rq_map_sg+0x339/0x4a0 RSP: 0018:ffffc90001a43820 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802 RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000 RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8 R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000 FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0 Call Trace: <TASK> ? __die_body.cold+0x14/0x25 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? • https://git.kernel.org/stable/c/f7a1218a983ab98aba140dc20b25f60b39ee4033 https://git.kernel.org/stable/c/04915240e2c3a018e4c7f23418478d27226c8957 •
CVE-2024-49931 – wifi: ath12k: fix array out-of-bound access in SoC stats
https://notcve.org/view.php?id=CVE-2024-49931
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix array out-of-bound access in SoC stats Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process() function access ath12k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 • https://git.kernel.org/stable/c/d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f https://git.kernel.org/stable/c/a4aef827a41cdaf6201bbaf773c1eae4e20e967b https://git.kernel.org/stable/c/ad791e3ec60cb66c1e4dc121ffbf872df312427d https://git.kernel.org/stable/c/e106b7ad13c1d246adaa57df73edb8f8b8acb240 •
CVE-2024-49930 – wifi: ath11k: fix array out-of-bound access in SoC stats
https://notcve.org/view.php?id=CVE-2024-49930
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix array out-of-bound access in SoC stats Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function access ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 • https://git.kernel.org/stable/c/0f26f26944035ec67546a944f182cbad6577a9c0 https://git.kernel.org/stable/c/4dd732893bd38cec51f887244314e2b47f0d658f https://git.kernel.org/stable/c/73e235728e515faccc104b0153b47d0f263b3344 https://git.kernel.org/stable/c/7a552bc2f3efe2aaf77a85cb34cdf4a63d81a1a7 https://git.kernel.org/stable/c/6045ef5b4b00fee3629689f791992900a1c94009 https://git.kernel.org/stable/c/01b77f5ee11c89754fb836af8f76799d3b72ae2f https://git.kernel.org/stable/c/69f253e46af98af17e3efa3e5dfa72fcb7d1983d •
CVE-2024-49929 – wifi: iwlwifi: mvm: avoid NULL pointer dereference
https://notcve.org/view.php?id=CVE-2024-49929
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: avoid NULL pointer dereference iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta pointer is not NULL. It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is dereferencing the ieee80211_sta pointer. If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL pointer. Fix this by checking the sta pointer before retrieving the mvmsta from it. If sta is not NULL, then mvmsta isn't either. • https://git.kernel.org/stable/c/6dcadb2ed3b76623ab96e3e7fbeda1a374d01c28 https://git.kernel.org/stable/c/cdbf51bfa4b0411820806777da36d93d49bc49a1 https://git.kernel.org/stable/c/c0b4f5d94934c290479180868a32c15ba36a6d9e https://git.kernel.org/stable/c/557a6cd847645e667f3b362560bd7e7c09aac284 •