CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-40962 – btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes
https://notcve.org/view.php?id=CVE-2024-40962
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes Shin'ichiro reported that when he's running fstests' test-case btrfs/167 on emulated zoned devices, he's seeing the following NULL pointer dereference in 'btrfs_zone_finish_endio()': Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU... • https://git.kernel.org/stable/c/cbfce4c7fbde23cc8bcba44822a58c728caf6ec9 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-40961 – ipv6: prevent possible NULL deref in fib6_nh_init()
https://notcve.org/view.php?id=CVE-2024-40961
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL deref in fib6_nh_init() syzbot reminds us that in6_dev_get() can return NULL. fib6_nh_init() ip6_validate_gw( &idev ) ip6_route_check_nh( idev ) *idev = in6_dev_get(dev); // can be NULL Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 11237 Comm: syz-executor.3 N... • https://git.kernel.org/stable/c/428604fb118facce1309670779a35baf27ad044c • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40960 – ipv6: prevent possible NULL dereference in rt6_probe()
https://notcve.org/view.php?id=CVE-2024-40960
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL dereference in rt6_probe() syzbot caught a NULL dereference in rt6_probe() [1] Bail out if __in6_dev_get() returns NULL. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f] CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardwa... • https://git.kernel.org/stable/c/52e1635631b342803aecaf81a362c1464e3da2e5 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40959 – xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
https://notcve.org/view.php?id=CVE-2024-40959
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-40958 – netns: Make get_net_ns() handle zero refcount net
https://notcve.org/view.php?id=CVE-2024-40958
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net Syzkaller hit a warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 Code: 41 49 04 31 ff ... • https://git.kernel.org/stable/c/0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-40957 – seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors
https://notcve.org/view.php?id=CVE-2024-40957
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for PREROUTING hook, in PREROUTING hook, we should passing a valid indev, and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer dereference, as below: [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090 [74830.655633] #PF: supervisor read access i... • https://git.kernel.org/stable/c/7a3f5b0de3647c854e34269c3332d7a1e902901a • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-40956 – dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
https://notcve.org/view.php?id=CVE-2024-40956
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list. A vulnerability was found in the Linux kernel's DMA eng... • https://git.kernel.org/stable/c/16e19e11228ba660d9e322035635e7dcf160d5c2 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-40955 – ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()
https://notcve.org/view.php?id=CVE-2024-40955
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists() We can trigger a slab-out-of-bounds with the following commands: mkfs.ext4 -F /dev/$disk 10G mount /dev/$disk /tmp/test echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc echo test > /tmp/test/file && sync ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4] Rea... • https://git.kernel.org/stable/c/7e170922f06bf46effa7c57f6035fc463d6edc7e •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-40954 – net: do not leave a dangling sk pointer, when socket creation fails
https://notcve.org/view.php?id=CVE-2024-40954
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-afte... • https://git.kernel.org/stable/c/c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40953 – KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
https://notcve.org/view.php?id=CVE-2024-40953
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 l... • https://git.kernel.org/stable/c/217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 •