CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-36897 – drm/amd/display: Atom Integrated System Info v2_2 for DCN35
https://notcve.org/view.php?id=CVE-2024-36897
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Atom Integrated System Info v2_2 for DCN35 New request from KMD/VBIOS in order to support new UMA carveout model. This fixes a null dereference from accessing Ctx->dc_bios->integrated_info while it was NULL. DAL parses through the BIOS and extracts the necessary integrated_info but was missing a case for the new BIOS version 2.3. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Atom Integrated System Info v2_2 para DCN35 Nueva solicitud de KMD/VBIOS para admitir el nuevo modelo de exclusión UMA. Esto corrige una desreferencia nula al acceder a Ctx->dc_bios->integrated_info mientras era NULL. DAL analiza el BIOS y extrae la información integrada necesaria, pero faltaba un caso para la nueva versión 2.3 del BIOS. • https://git.kernel.org/stable/c/3c7013a87124bab54216d9b99f77e8b6de6fbc1a https://git.kernel.org/stable/c/02f5300f6827206f6e48a77f51e6264993695e5c https://git.kernel.org/stable/c/7e3030774431eb093165a31baff040d35446fb8b https://git.kernel.org/stable/c/c2797ec16d9072327e7578d09ee05bcab52fffd0 https://git.kernel.org/stable/c/9a35d205f466501dcfe5625ca313d944d0ac2d60 • CWE-476: NULL Pointer Dereference •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36896 – USB: core: Fix access violation during port device removal
https://notcve.org/view.php?id=CVE-2024-36896
In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix access violation during port device removal Testing with KASAN and syzkaller revealed a bug in port.c:disable_store(): usb_hub_to_struct_hub() can return NULL if the hub that the port belongs to is concurrently removed, but the function does not check for this possibility before dereferencing the returned value. It turns out that the first dereference is unnecessary, since hub->intfdev is the parent of the port device, so it can be changed easily. Adding a check for hub == NULL prevents further problems. The same bug exists in the disable_show() routine, and it can be fixed the same way. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: USB: core: corrige la infracción de acceso durante la eliminación del dispositivo del puerto. Las pruebas con KASAN y syzkaller revelaron un error en port.c:disable_store(): usb_hub_to_struct_hub() puede devolver NULL si el hub que el puerto al que pertenece se elimina simultáneamente, pero la función no comprueba esta posibilidad antes de desreferenciar el valor devuelto. Resulta que la primera desreferencia es innecesaria, ya que hub->intfdev es el padre del dispositivo portuario, por lo que se puede cambiar fácilmente. • https://git.kernel.org/stable/c/f061f43d7418cb62b8d073e221ec75d3f5b89e17 https://git.kernel.org/stable/c/5f1d68ef5ddac27c6b997adccd1c339cef1e6848 https://git.kernel.org/stable/c/63533549ff53d24daf47c443dbd43c308afc3434 https://git.kernel.org/stable/c/6119ef6517ce501fc548154691abdaf1f954a277 https://git.kernel.org/stable/c/a4b46d450c49f32e9d4247b421e58083fde304ce https://access.redhat.com/security/cve/CVE-2024-36896 https://bugzilla.redhat.com/show_bug.cgi?id=2284556 • CWE-170: Improper Null Termination CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36895 – usb: gadget: uvc: use correct buffer size when parsing configfs lists
https://notcve.org/view.php?id=CVE-2024-36895
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: use correct buffer size when parsing configfs lists This commit fixes uvc gadget support on 32-bit platforms. Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator. As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: usb: gadget: uvc: use el tamaño de búfer correcto al analizar listas de configfs. • https://git.kernel.org/stable/c/0df28607c5cb4fe60bba591e9858a8f7ba39aa4a https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528 https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36894 – usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
https://notcve.org/view.php?id=CVE-2024-36894
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. • https://git.kernel.org/stable/c/2e4c7553cd6f9c68bb741582dcb614edcbeca70f https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb251 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-36893 – usb: typec: tcpm: Check for port partner validity before consuming it
https://notcve.org/view.php?id=CVE-2024-36893
In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Check for port partner validity before consuming it typec_register_partner() does not guarantee partner registration to always succeed. In the event of failure, port->partner is set to the error value or NULL. Given that port->partner validity is not checked, this results in the following crash: Unable to handle kernel NULL pointer dereference at virtual address xx pc : run_state_machine+0x1bc8/0x1c08 lr : run_state_machine+0x1b90/0x1c08 .. Call trace: run_state_machine+0x1bc8/0x1c08 tcpm_state_machine_work+0x94/0xe4 kthread_worker_fn+0x118/0x328 kthread+0x1d0/0x23c ret_from_fork+0x10/0x20 To prevent the crash, check for port->partner validity before derefencing it in all the call sites. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: tcpm: verifique la validez del socio del puerto antes de consumirlo. typec_register_partner() no garantiza que el registro del socio sea siempre exitoso. En caso de error, puerto->socio se establece en el valor de error o NULL. • https://git.kernel.org/stable/c/9b7cd3fe01f0d03cf5820b351a6be2a6e0a6da6f https://git.kernel.org/stable/c/c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 https://git.kernel.org/stable/c/31220bd89c22a18478f52fcd8069e8e2adb8f4f2 https://git.kernel.org/stable/c/2897b36d2482b84f35e659989d5cb4501fb31ccd https://git.kernel.org/stable/c/cbcf107780aecf51aba68488044a416d95060b6d https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57 https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637 https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e • CWE-476: NULL Pointer Dereference •