CVE-2024-38546 – drm: vc4: Fix possible null pointer dereference
https://notcve.org/view.php?id=CVE-2024-38546
In the Linux kernel, the following vulnerability has been resolved: drm: vc4: Fix possible null pointer dereference In vc4_hdmi_audio_init() of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm: vc4: corrige posible desreferencia del puntero nulo En vc4_hdmi_audio_init() of_get_address() puede devolver NULL, que luego se desreferencia. Corrija este error agregando una verificación NULL. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/bb7d78568814a31a11fa14f1479a9fe51f1582ad https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96 https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49 https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5 https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31 https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21 https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a •
CVE-2024-38545 – RDMA/hns: Fix UAF for cq async event
https://notcve.org/view.php?id=CVE-2024-38545
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/hns: corrige UAF para el evento cq async El recuento de CQ no está protegido por bloqueos. Cuando los eventos asincrónicos de CQ y la destrucción de CQ son simultáneos, es posible que se haya liberado CQ, lo que provocará UAF. Utilice xa_lock() para proteger el recuento de CQ. • https://git.kernel.org/stable/c/9a4435375cd151e07c0c38fa601b00115986091b https://git.kernel.org/stable/c/330c825e66ef65278e4ebe57fd49c1d6f3f4e34e https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08 https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911 https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507 https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42 •
CVE-2024-38544 – RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt
https://notcve.org/view.php?id=CVE-2024-38544
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the resp_pkts queue and then a decision is made whether to run the completer task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' performance counter. This is wrong because if the completer task is already running in a separate thread it may have already processed the skb and freed it which can cause a seg fault. This has been observed infrequently in testing at high scale. This patch fixes this by changing the order of enqueuing the packet until after the counter is accessed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/rxe: corrige la falla de segmentación en rxe_comp_queue_pkt En rxe_comp_queue_pkt(), un paquete de respuesta entrante skb se pone en cola en la cola resp_pkts y luego se toma una decisión si se ejecuta la tarea de finalización en línea o programarla. • https://git.kernel.org/stable/c/0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 https://git.kernel.org/stable/c/de5a059e36657442b5637cc16df5163e435b9cb4 https://git.kernel.org/stable/c/e0e14dd35d4242340c7346aac60c7ff8fbf87ffc https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19 https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794 https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b60 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2024-38541 – of: module: add buffer overflow check in of_modalias()
https://notcve.org/view.php?id=CVE-2024-38541
In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: of: módulo: agregar control de desbordamiento del búfer of_modalias() En of_modalias(), si el búfer es demasiado pequeño incluso para la primera llamada a snprintf(), el parámetro len se vuelve negativo y el parámetro str (si no es NULL inicialmente) apuntará más allá del final del búfer. Agregue la verificación de desbordamiento del búfer después de la primera llamada a snprintf() y corrija dicha verificación después de la llamada strlen() (teniendo en cuenta el carácter NUL de terminación). A buffer overflow flaw was found in of_modalias() in the Linux kernel, occurring after the first snprintf() call. • https://git.kernel.org/stable/c/bc575064d688c8933a6ca51429bea9bc63628d3b https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6 https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252 https://access.redhat.com/security/cve/CVE-2024-38541 https://bugzilla.redhat.com/show_bug.cgi?id=2293458 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow •
CVE-2024-38538 – net: bridge: xmit: make sure we have at least eth header len bytes
https://notcve.org/view.php?id=CVE-2024-38538
In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: bridge: xmit: asegúrese de tener al menos el encabezado eth len bytes syzbot desencadenó un error de valor uninit[1] en la ruta xmit del dispositivo puente al enviar un mensaje corto (menos de ETH_HLEN bytes) skb. Para solucionarlo, compruebe si realmente podemos retirar esa cantidad en lugar de suponerla. Probado con dropwatch: soltar en: br_dev_xmit+0xb93/0x12d0 [puente] (0xffffffffc06739b3) origen: marca de tiempo del software: lunes 13 de mayo 11:31:53 2024 778214037 protocolo nsec: 0x88a8 longitud: 2 longitud original: 2 motivo de caída: PKT_TOO_SMALL [1 ] ERROR: KMSAN: valor uninit en br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [en línea] netdev_start_xmit include/linux/netdevice.h:4917 [en línea] xmit_one net/core/dev.c:3531 [en línea] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev .c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [en línea] __bpf_tx_skb net/core/filter.c:2136 [en línea] __bpf_redirect_common net/core/filter.c:2180 [en línea] __bpf_redirect+0x14a6/0x1620 net/ Core/Filter.C: 2187 ____BPF_CLONE_REDIRECT NET/CORE/FILTRO.C: 2460 [Inline] BPF_CLONE_REDIRECT+0x328/0x470 NET/Core/Filter.c: 2432 ___ BPF_PROG_RUN+0X13FE/0XE0F0 KERNEL/BPF/BPF/CORE. 0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [en línea] __bpf_prog_run include/linux/filter.h:657 [en línea] bpf_prog_run include/linux/filter.h:664 [en línea ] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 pf+0x6aa/0xd90 núcleo/ bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [en línea] __se_sys_bpf kernel/bpf/syscall.c:5765 [en línea] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 ys_call+0x96b /0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+ 0x77/0x7f • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2 https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5 https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2 https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc https://access.redhat.com/security/cve/CVE-2024-38538 https://bugzilla.redhat.com/show_bug.cgi?id=2293461 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •