CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2024-53155 – ocfs2: fix uninitialized value in ocfs2_file_read_iter()
https://notcve.org/view.php?id=CVE-2024-53155
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix uninitialized value in ocfs2_file_read_iter() Syzbot has reported the following KMSAN splat: BUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80 ocfs2_file_read_iter+0x9a4/0xf80 __io_read+0x8d4/0x20f0 io_read+0x3e/0xf0 io_issue_sqe+0x42b/0x22c0 io_wq_submit_work+0xaf9/0xdc0 io_worker_handle_work+0xd13/0x2110 io_wq_worker+0x447/0x1410 ret_from_fork+0x6f/0x90 ret_from_fork_asm+0x1a/0x30 Uninit was created at: __alloc_pages_noprof+0x9a7/0xe00 alloc_pages_mpol_noprof+0x299/0x990 alloc_pages_noprof+0x1bf/0x1e0 allocate_slab+0x33a/0x1250 ___slab_alloc+0x12ef/0x35e0 kmem_cache_alloc_bulk_noprof+0x486/0x1330 __io_alloc_req_refill+0x84/0x560 io_submit_sqes+0x172f/0x2f30 __se_sys_io_uring_enter+0x406/0x41c0 __x64_sys_io_uring_enter+0x11f/0x1a0 x64_sys_call+0x2b54/0x3ba0 do_syscall_64+0xcd/0x1e0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Since an instance of 'struct kiocb' may be passed from the block layer with 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()' and use it from where 'ocfs2_dio_end_io()' might take care, i.e. in 'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'. • https://git.kernel.org/stable/c/7cdfc3a1c3971c9125c317cb8c2525745851798e https://git.kernel.org/stable/c/6c8f8d1e595dabd5389817f6d798cc8bd95c40ab https://git.kernel.org/stable/c/f4078ef38d3163e6be47403a619558b19c4bfccd https://git.kernel.org/stable/c/66b7ddd1804e2c4216dd7ead8eeb746cdbb3b62f https://git.kernel.org/stable/c/8c966150d5abff58c3c2bdb9a6e63fd773782905 https://git.kernel.org/stable/c/83f8713a0ef1d55d6a287bcfadcaab8245ac5098 https://git.kernel.org/stable/c/8e0de82ed18ba0e71f817adbd81317fd1032ca5a https://git.kernel.org/stable/c/366c933c2ab34dd6551acc03b4872726b •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2024-53154 – clk: clk-apple-nco: Add NULL check in applnco_probe
https://notcve.org/view.php?id=CVE-2024-53154
In the Linux kernel, the following vulnerability has been resolved: clk: clk-apple-nco: Add NULL check in applnco_probe Add NULL check in applnco_probe, to handle kernel NULL pointer dereference error. • https://git.kernel.org/stable/c/6641057d5dba87338780cf3e0d0ae8389ef1125c https://git.kernel.org/stable/c/9a5905b725739af6a105f9e564e7c80d69969d2b https://git.kernel.org/stable/c/72ea9a7e9e260aa39f9d1c9254cf92adfb05c4f5 https://git.kernel.org/stable/c/066c14619e8379c1bafbbf8196fd38eac303472b https://git.kernel.org/stable/c/534e02f83889ccef5fe6beb46e773ab9d4ae1655 https://git.kernel.org/stable/c/969c765e2b508cca9099d246c010a1e48dcfd089 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2024-53151 – svcrdma: Address an integer overflow
https://notcve.org/view.php?id=CVE-2024-53151
In the Linux kernel, the following vulnerability has been resolved: svcrdma: Address an integer overflow Dan Carpenter reports: > Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data > structure") from Jun 22, 2020 (linux-next), leads to the following > Smatch static checker warning: > > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk() > warn: potential user controlled sizeof overflow 'segcount * 4 * 4' > > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c > 488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt) > 489 { > 490 u32 segcount; > 491 __be32 *p; > 492 > 493 if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount)) > ^^^^^^^^ > > 494 return false; > 495 > 496 /* A bogus segcount causes this buffer overflow check to fail. */ > 497 p = xdr_inline_decode(&rctxt->rc_stream, > --> 498 segcount * rpcrdma_segment_maxsz * sizeof(*p)); > > > segcount is an untrusted u32. On 32bit systems anything >= SIZE_MAX / 16 will > have an integer overflow and some those values will be accepted by > xdr_inline_decode(). • https://git.kernel.org/stable/c/78147ca8b4a9b6cf0e597ddd6bf17959e08376c2 https://git.kernel.org/stable/c/21e1cf688fb0397788c8dd42e1e0b08d58ac5c7b https://git.kernel.org/stable/c/c1f8195bf68edd2cef0f18a4cead394075a54b5a https://git.kernel.org/stable/c/838dd342962cef4c320632a5af48d3c31f2f9877 https://git.kernel.org/stable/c/4cbc3ba6dc2f746497cade60bcbaa82ae3696689 https://git.kernel.org/stable/c/e5c440c227ecdc721f2da0dd88b6358afd1031a7 https://git.kernel.org/stable/c/3c63d8946e578663b868cb9912dac616ea68bfd0 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2024-53150 – ALSA: usb-audio: Fix out of bounds reads when finding clock sources
https://notcve.org/view.php?id=CVE-2024-53150
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. • https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9 https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9 https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77 https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2024-53148 – comedi: Flush partial mappings in error case
https://notcve.org/view.php?id=CVE-2024-53148
In the Linux kernel, the following vulnerability has been resolved: comedi: Flush partial mappings in error case If some remap_pfn_range() calls succeeded before one failed, we still have buffer pages mapped into the userspace page tables when we drop the buffer reference with comedi_buf_map_put(bm). The userspace mappings are only cleaned up later in the mmap error path. Fix it by explicitly flushing all mappings in our VMA on the error path. See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in error case"). • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 https://git.kernel.org/stable/c/57f048c2d205b85e34282a9b0b0ae177e84c2f44 https://git.kernel.org/stable/c/b9322408d83accc8b96322bc7356593206288c56 https://git.kernel.org/stable/c/8797b7712de704dc231f9e821d8eb3b9aeb3a032 https://git.kernel.org/stable/c/16c507df509113c037cdc0ba642b9ab3389bd26c https://git.kernel.org/stable/c/9b07fb464eb69a752406e78e62ab3a60bfa7b00d https://git.kernel.org/stable/c/c6963a06ce5c61d3238751ada04ee1569663a828 https://git.kernel.org/stable/c/297f14fbb81895f4ccdb0ad25d196786d •