CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36925 – swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y
https://notcve.org/view.php?id=CVE-2024-36925
In the Linux kernel, the following vulnerability has been resolved: swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y Using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction with dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the following crash when initialising the restricted pools at boot-time: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 | Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP | pc : rmem_swiotlb_device_init+0xfc/0x1ec | lr : rmem_swiotlb_device_init+0xf0/0x1ec | Call trace: | rmem_swiotlb_device_init+0xfc/0x1ec | of_reserved_mem_device_init_by_idx+0x18c/0x238 | of_dma_configure_id+0x31c/0x33c | platform_dma_configure+0x34/0x80 faddr2line reveals that the crash is in the list validation code: include/linux/list.h:83 include/linux/rculist.h:79 include/linux/rculist.h:106 kernel/dma/swiotlb.c:306 kernel/dma/swiotlb.c:1695 because add_mem_pool() is trying to list_add_rcu() to a NULL 'mem->pools'. Fix the crash by initialising the 'mem->pools' list_head in rmem_swiotlb_device_init() before calling add_mem_pool(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: swiotlb: inicializa el grupo restringido list_head cuando SWIOTLB_DYNAMIC=y El uso de grupos DMA restringidos (CONFIG_DMA_RESTRICTED_POOL=y) junto con SWIOTLB dinámico (CONFIG_SWIOTLB_DYNAMIC=y) provoca el siguiente bloqueo al inicializar el grupo restringido grupos en el momento del arranque: | No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000008 | Error interno: Ups: 0000000096000005 [#1] SMP ANTICIPADO | ordenador personal: rmem_swiotlb_device_init+0xfc/0x1ec | lr: rmem_swiotlb_device_init+0xf0/0x1ec | Rastreo de llamadas: | rmem_swiotlb_device_init+0xfc/0x1ec | of_reserved_mem_device_init_by_idx+0x18c/0x238 | of_dma_configure_id+0x31c/0x33c | platform_dma_configure+0x34/0x80 faddr2line revela que el bloqueo está en el código de validación de la lista: include/linux/list.h:83 include/linux/rculist.h:79 include/linux/rculist.h:106 kernel/dma/swiotlb. c:306 kernel/dma/swiotlb.c:1695 porque add_mem_pool() está intentando list_add_rcu() a un NULL 'mem->pools'. Solucione el problema inicializando el list_head 'mem->pools' en rmem_swiotlb_device_init() antes de llamar a add_mem_pool(). • https://git.kernel.org/stable/c/1aaa736815eb04f4dae3f0b3e977b2a0677a4cfb https://git.kernel.org/stable/c/f2a6b3ed20f2dea4cb645abc6a73c4595662adca https://git.kernel.org/stable/c/f62e0fefcdfe2c05ccb1aa80521a69524eea9c84 https://git.kernel.org/stable/c/75961ffb5cb3e5196f19cae7683f35cc88b50800 • CWE-476: NULL Pointer Dereference •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36924 – scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()
https://notcve.org/view.php?id=CVE-2024-36924
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() lpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the hbalock. Thus, lpfc_worker_wake_up() should not be called while holding the hbalock to avoid potential deadlock. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: lpfc: Libere hbalock antes de llamar a lpfc_worker_wake_up() lpfc_worker_wake_up() llama a la rutina lpfc_work_done(), que toma el hbalock. Por lo tanto, no se debe llamar a lpfc_worker_wake_up() mientras se mantiene presionado el hbalock para evitar un posible punto muerto. • https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683 https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3 https://access.redhat.com/security/cve/CVE-2024-36924 https://bugzilla.redhat.com/show_bug.cgi?id=2284506 • CWE-833: Deadlock •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-36923 – fs/9p: fix uninitialized values during inode evict
https://notcve.org/view.php?id=CVE-2024-36923
In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix uninitialized values during inode evict If an iget fails due to not being able to retrieve information from the server then the inode structure is only partially initialized. When the inode gets evicted, references to uninitialized structures (like fscache cookies) were being made. This patch checks for a bad_inode before doing anything other than clearing the inode from the cache. Since the inode is bad, it shouldn't have any state associated with it that needs to be written back (and there really isn't a way to complete those anyways). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs/9p: corrige valores no inicializados durante el desalojo de inodo. Si un iget falla debido a que no puede recuperar información del servidor, entonces la estructura del inodo solo se inicializa parcialmente. • https://git.kernel.org/stable/c/1b4cb6e91f19b81217ad98142ee53a1ab25893fd https://git.kernel.org/stable/c/6630036b7c228f57c7893ee0403e92c2db2cd21d •
CVSS: 4.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36922 – wifi: iwlwifi: read txq->read_ptr under lock
https://notcve.org/view.php?id=CVE-2024-36922
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: read txq->read_ptr under lock If we read txq->read_ptr without lock, we can read the same value twice, then obtain the lock, and reclaim from there to two different places, but crucially reclaim the same entry twice, resulting in the WARN_ONCE() a little later. Fix that by reading txq->read_ptr under lock. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: iwlwifi: leer txq->read_ptr bajo bloqueo Si leemos txq->read_ptr sin bloqueo, podemos leer el mismo valor dos veces, luego obtener el bloqueo y reclamar desde allí a dos lugares diferentes, pero fundamentalmente reclama la misma entrada dos veces, lo que resulta en WARN_ONCE() un poco más tarde. Solucione eso leyendo txq->read_ptr bajo bloqueo. • https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89 https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2 https://access.redhat.com/security/cve/CVE-2024-36922 https://bugzilla.redhat.com/show_bug.cgi?id=2284511 • CWE-413: Improper Resource Locking •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36921 – wifi: iwlwifi: mvm: guard against invalid STA ID on removal
https://notcve.org/view.php?id=CVE-2024-36921
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: guard against invalid STA ID on removal Guard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would result in out-of-bounds array accesses. This prevents issues should the driver get into a bad state during error handling. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: iwlwifi: mvm: proteger contra ID de STA no válido al eliminarlo Proteger contra ID de estación no válidos en iwl_mvm_mld_rm_sta_id ya que eso daría como resultado accesos a la matriz fuera de los límites. Esto evita problemas en caso de que el controlador entre en mal estado durante el manejo de errores. An out-of-bounds memory access flaw was found in the Linux kernel’s Wireless WiFi Link Next-Gen AGN driver in how a user removes it. • https://git.kernel.org/stable/c/94f80a8ec15e238b78521f20f8afaed60521a294 https://git.kernel.org/stable/c/fab21d220017daa5fd8a3d788ff25ccfecfaae2f https://git.kernel.org/stable/c/17f64517bf5c26af56b6c3566273aad6646c3c4f https://access.redhat.com/security/cve/CVE-2024-36921 https://bugzilla.redhat.com/show_bug.cgi?id=2284513 • CWE-125: Out-of-bounds Read •