CVE-2024-41032 – mm: vmalloc: check if a hash-index is in cpu_possible_mask
https://notcve.org/view.php?id=CVE-2024-41032
In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: check if a hash-index is in cpu_possible_mask The problem is that there are systems where cpu_possible_mask has gaps between set CPUs, for example SPARC. In this scenario addr_to_vb_xa() hash function can return an index which accesses to not-possible and not setup CPU area using per_cpu() macro. This results in an oops on SPARC. A per-cpu vmap_block_queue is also used as hash table, incorrectly assuming the cpu_possible_mask has no gaps. Fix it by adjusting an index to a next possible CPU. • https://git.kernel.org/stable/c/062eacf57ad91b5c272f89dc964fd6dd9715ea7d https://git.kernel.org/stable/c/28acd531c9a365dac01b32e6bc54aed8c1429bcb https://git.kernel.org/stable/c/47f9b6e49b422392fb0e348a65eb925103ba1882 https://git.kernel.org/stable/c/a34acf30b19bc4ee3ba2f1082756ea2604c19138 https://access.redhat.com/security/cve/CVE-2024-41032 https://bugzilla.redhat.com/show_bug.cgi?id=2300398 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2024-41031 – mm/filemap: skip to create PMD-sized page cache if needed
https://notcve.org/view.php?id=CVE-2024-41031
In the Linux kernel, the following vulnerability has been resolved: mm/filemap: skip to create PMD-sized page cache if needed On ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The PMD-sized page cache can't be supported by xarray as the following error messages indicate. ------------[ cut here ]------------ WARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \ fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \ sha1_ce virtio_net net_failover virtio_console virtio_blk failover \ dimlib virtio_mmio CPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x720 sp : ffff800087a4f6c0 x29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff x26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858 x23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000 x17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000 x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020 x11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28 x8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8 x5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x720 truncate_inode_partial_folio+0xdc/0x160 truncate_inode_pages_range+0x1b4/0x4a8 truncate_pagecache_range+0x84/0xa0 xfs_flush_unmap_range+0x70/0x90 [xfs] xfs_file_fallocate+0xfc/0x4d8 [xfs] vfs_fallocate+0x124/0x2e8 ksys_fallocate+0x4c/0xa0 __arm64_sys_fallocate+0x24/0x38 invoke_syscall.constprop.0+0x7c/0xd8 do_el0_svc+0xb4/0xd0 el0_svc+0x44/0x1d8 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 Fix it by skipping to allocate PMD-sized page cache when its size is larger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to regular path where the readahead window is determined by BDI's sysfs file (read_ahead_kb). A vulnerability was found in the Linux kernel related to how large page caching is handled, particularly for AMD64 architectures. The issue stems from the xarray data structure's inability to support PMD-sized page caches when the base page size is larger than MAX_PAGECACHE_ORDER. • https://git.kernel.org/stable/c/4687fdbb805a92ce5a9f23042c436dc64fef8b77 https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21 https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972 https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058 https://access.redhat.com/security/cve/CVE-2024-41031 https://bugzilla.redhat.com/show_bug.cgi?id=2300395 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2024-41030 – ksmbd: discard write access to the directory open
https://notcve.org/view.php?id=CVE-2024-41030
In the Linux kernel, the following vulnerability has been resolved: ksmbd: discard write access to the directory open may_open() does not allow a directory to be opened with the write access. However, some writing flags set by client result in adding write access on server, making ksmbd incompatible with FUSE file system. Simply, let's discard the write access when opening a directory. list_add corruption. next is NULL. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:26! pc : __list_add_valid+0x88/0xbc lr : __list_add_valid+0x88/0xbc Call trace: __list_add_valid+0x88/0xbc fuse_finish_open+0x11c/0x170 fuse_open_common+0x284/0x5e8 fuse_dir_open+0x14/0x24 do_dentry_open+0x2a4/0x4e0 dentry_open+0x50/0x80 smb2_open+0xbe4/0x15a4 handle_ksmbd_work+0x478/0x5ec process_one_work+0x1b4/0x448 worker_thread+0x25c/0x430 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 • https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361 https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035 https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd •
CVE-2024-41028 – platform/x86: toshiba_acpi: Fix array out-of-bounds access
https://notcve.org/view.php?id=CVE-2024-41028
In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_acpi: Fix array out-of-bounds access In order to use toshiba_dmi_quirks[] together with the standard DMI matching functions, it must be terminated by a empty entry. Since this entry is missing, an array out-of-bounds access occurs every time the quirk list is processed. Fix this by adding the terminating empty entry. • https://git.kernel.org/stable/c/3cb1f40dfdc3b9f5449076c96b4e2523139f5cd0 https://git.kernel.org/stable/c/e030aa6c972641cb069086a8c7a0f747653e472a https://git.kernel.org/stable/c/639868f1cb87b683cf830353bbee0c4078202313 https://git.kernel.org/stable/c/0d71da43d6b7916d36cf1953d793da80433c50bf https://git.kernel.org/stable/c/b6e02c6b0377d4339986e07aeb696c632cd392aa •
CVE-2024-41027 – Fix userfaultfd_api to return EINVAL as expected
https://notcve.org/view.php?id=CVE-2024-41027
In the Linux kernel, the following vulnerability has been resolved: Fix userfaultfd_api to return EINVAL as expected Currently if we request a feature that is not set in the Kernel config we fail silently and return all the available features. However, the man page indicates we should return an EINVAL. We need to fix this issue since we can end up with a Kernel warning should a program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with the config not set with this feature. [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660 [ 200.820738] Modules linked in: [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8 [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022 [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660 • https://git.kernel.org/stable/c/e06f1e1dd4998ffc9da37f580703b55a93fc4de4 https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7 https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6 https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384 https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694 •