CVE-2024-40942 – wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
https://notcve.org/view.php?id=CVE-2024-40942
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects The hwmp code use objects of type mesh_preq_queue, added to a list in ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath gets deleted, ex mesh interface is removed, the entries in that list will never get cleaned. Fix this by flushing all corresponding items of the preq_queue in mesh_path_flush_pending(). This should take care of KASAN reports like this: unreferenced object 0xffff00000668d800 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) hex dump (first 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 unreferenced object 0xffff000009051f00 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) hex dump (first 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 • https://git.kernel.org/stable/c/050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95 https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3 https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0 https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4 https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c •
CVE-2024-40941 – wifi: iwlwifi: mvm: don't read past the mfuart notifcation
https://notcve.org/view.php?id=CVE-2024-40941
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't read past the mfuart notifcation In case the firmware sends a notification that claims it has more data than it has, we will read past that was allocated for the notification. Remove the print of the buffer, we won't see it by default. If needed, we can see the content with tracing. This was reported by KFENCE. • https://git.kernel.org/stable/c/bdccdb854f2fb473f2ac4a6108df3cbfcedd5a87 https://git.kernel.org/stable/c/15b37c6fab9d5e40ac399fa1c725118588ed649c https://git.kernel.org/stable/c/6532f18e66b384b8d4b7e5c9caca042faaa9e8de https://git.kernel.org/stable/c/46c59a25337049a2a230ce7f7c3b9f21d0aaaad7 https://git.kernel.org/stable/c/65686118845d427df27ee83a6ddd4885596b0805 https://git.kernel.org/stable/c/a8bc8276af9aeacabb773f0c267cfcdb847c6f2d https://git.kernel.org/stable/c/a05018739a5e6b9dc112c95bd4c59904062c8940 https://git.kernel.org/stable/c/acdfa33c3cf5e1cd185cc1e0486bd0ea9 • CWE-125: Out-of-bounds Read •
CVE-2024-40940 – net/mlx5: Fix tainted pointer delete is case of flow rules creation fail
https://notcve.org/view.php?id=CVE-2024-40940
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix tainted pointer delete is case of flow rules creation fail In case of flow rule creation fail in mlx5_lag_create_port_sel_table(), instead of previously created rules, the tainted pointer is deleted deveral times. Fix this bug by using correct flow rules pointers. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/352899f384d4aefa77ede6310d08c1b515612a8f https://git.kernel.org/stable/c/531eab2da27dd42d68dfb841d82e987f4a6738b8 https://git.kernel.org/stable/c/d857df86837ac1c30592e8a068204d16feac9930 https://git.kernel.org/stable/c/a03a3fa12769e25f4385bee587afe1445aee7f7a https://git.kernel.org/stable/c/229bedbf62b13af5aba6525ad10b62ad38d9ccb5 https://access.redhat.com/security/cve/CVE-2024-40940 https://bugzilla.redhat.com/show_bug.cgi?id=2297524 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2024-40939 – net: wwan: iosm: Fix tainted pointer delete is case of region creation fail
https://notcve.org/view.php?id=CVE-2024-40939
In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: Fix tainted pointer delete is case of region creation fail In case of region creation fail in ipc_devlink_create_region(), previously created regions delete process starts from tainted pointer which actually holds error code value. Fix this bug by decreasing region index before delete. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/4dcd183fbd67b105decc8be262311937730ccdbf https://git.kernel.org/stable/c/fe394d59cdae81389dbf995e87c83c1acd120597 https://git.kernel.org/stable/c/040d9384870386eb5dc55472ac573ac7756b2050 https://git.kernel.org/stable/c/37a438704d19bdbe246d51d3749b6b3a8fe65afd https://git.kernel.org/stable/c/b0c9a26435413b81799047a7be53255640432547 https://access.redhat.com/security/cve/CVE-2024-40939 https://bugzilla.redhat.com/show_bug.cgi?id=2297523 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2024-40938 – landlock: Fix d_parent walk
https://notcve.org/view.php?id=CVE-2024-40938
In the Linux kernel, the following vulnerability has been resolved: landlock: Fix d_parent walk The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when trying to link a root mount point. This cannot work in practice because this directory is mounted, but the VFS check is done after the call to security_path_link(). Do not use source directory's d_parent when the source directory is the mount point. [mic: Fix commit message] • https://git.kernel.org/stable/c/b91c3e4ea756b12b7d992529226edce1cfd854d7 https://git.kernel.org/stable/c/b6e5e696435832b33e40775f060ef5c95f4fda1f https://git.kernel.org/stable/c/cc30d05b34f9a087a6928d09b131f7b491e9ab11 https://git.kernel.org/stable/c/c7618c7b0b8c45bcef34410cc1d1e953eb17f8f6 https://git.kernel.org/stable/c/88da52ccd66e65f2e63a6c35c9dff55d448ef4dc •