
CVE-2024-40904 – USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
https://notcve.org/view.php?id=CVE-2024-40904
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU... • https://git.kernel.org/stable/c/9908a32e94de2141463e104c9924279ed3509447 • CWE-667: Improper Locking

CVE-2024-40902 – jfs: xattr: fix buffer overflow for invalid xattr
https://notcve.org/view.php?id=CVE-2024-40902
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. • https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') • CWE-121: Stack-based Buffer Overflow

CVE-2024-40901 – scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
https://notcve.org/view.php?id=CVE-2024-40901
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./inc... • https://git.kernel.org/stable/c/c696f7b83edeac804e898952058089143f49ca0a

CVE-2024-39509 – HID: core: remove unnecessary WARN_ON() in implement()
https://notcve.org/view.php?id=CVE-2024-39509
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: HID: core: remove unnecessary WARN_ON() in implement() Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID... • https://git.kernel.org/stable/c/95d1c8951e5bd50bb89654a99a7012b1e75646bd

CVE-2024-39506 – liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
https://notcve.org/view.php?id=CVE-2024-39506
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference. lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dis... • https://git.kernel.org/stable/c/1f233f327913f3dee0602cba9c64df1903772b55 • CWE-476: NULL Pointer Dereference

CVE-2024-39499 – vmci: prevent speculation leaks by sanitizing event in event_deliver()
https://notcve.org/view.php?id=CVE-2024-39499
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: vmci: prevent speculation leaks by sanitizing event in event_deliver() Coverity spotted that event_msg is controlled by user-space, event_msg->event_data.event is passed to event_deliver() and used as an index without sanitization. This change ensures that the event index is sanitized to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by S... • https://git.kernel.org/stable/c/1d990201f9bb499b7c76ab00abeb7e803c0bcb2a • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2024-39495 – greybus: Fix use-after-free bug in gb_interface_release due to race condition.
https://notcve.org/view.php?id=CVE-2024-39495
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. • https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201 • CWE-416: Use After Free

CVE-2024-39494 – ima: Fix use-after-free on a dentry's dname.name
https://notcve.org/view.php?id=CVE-2024-39494
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. • https://git.kernel.org/stable/c/2fe5d6def1672ae6635dd71867bf36dcfaa7434b • CWE-416: Use After Free

CVE-2024-39490 – ipv6: sr: fix missing sk_buff release in seg6_input_core
https://notcve.org/view.php?id=CVE-2024-39490
10 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix missing sk_buff release in seg6_input_core The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the ... • https://git.kernel.org/stable/c/af3b5158b89d3bab9be881113417558c71b71ca4 • CWE-401: Missing Release of Memory after Effective Lifetime

CVE-2024-39489 – ipv6: sr: fix memleak in seg6_hmac_init_algo
https://notcve.org/view.php?id=CVE-2024-39489
10 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix memleak in seg6_hmac_init_algo seg6_hmac_init_algo returns without cleaning up the previous allocations if one fails, so it's going to leak all that memory and the crypto tfms. Update seg6_hmac_exit to only free the memory when allocated, so we can reuse the code directly. • https://git.kernel.org/stable/c/bf355b8d2c30a289232042cacc1cfaea4923936c