CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35924 – usb: typec: ucsi: Limit read size on v1.2
https://notcve.org/view.php?id=CVE-2024-35924
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Limit read size on v1.2 Between UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was increased from 16 to 256. In order to avoid overflowing reads for older systems, add a mechanism to use the read UCSI version to truncate read sizes on UCSI v1.2. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: usb: typec: ucsi: Limitar el tamaño de lectura en v1.2 Entre UCSI 1.2 y UCSI 2.0, el tamaño de la región MESSAGE_IN se incrementó de 16 a 256. Para evitar el desbordamiento lecturas para sistemas más antiguos, agregue un mecanismo para usar la versión de lectura UCSI para truncar los tamaños de lectura en UCSI v1.2. • https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40 https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527 https://access.redhat.com/security/cve/CVE-2024-35924 https://bugzilla.redhat.com/show_bug.cgi?id=2281758 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35922 – fbmon: prevent division by zero in fb_videomode_from_videomode()
https://notcve.org/view.php?id=CVE-2024-35922
In the Linux kernel, the following vulnerability has been resolved: fbmon: prevent division by zero in fb_videomode_from_videomode() The expression htotal * vtotal can have a zero value on overflow. It is necessary to prevent division by zero like in fb_var_to_videomode(). Found by Linux Verification Center (linuxtesting.org) with Svace. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: fbmon: evita la división por cero en fb_videomode_from_videomode() La expresión htotal * vtotal puede tener un valor cero en caso de desbordamiento. Es necesario evitar la división por cero como en fb_var_to_videomode(). Encontrado por el Centro de verificación de Linux (linuxtesting.org) con Svace. • https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270 https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0 https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029 https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971 https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33 https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4 https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35921 – media: mediatek: vcodec: Fix oops when HEVC init fails
https://notcve.org/view.php?id=CVE-2024-35921
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix oops when HEVC init fails The stateless HEVC decoder saves the instance pointer in the context regardless if the initialization worked or not. This caused a use after free, when the pointer is freed in case of a failure in the deinit function. Only store the instance pointer when the initialization was successful, to solve this issue. Hardware name: Acer Tomato (rev3 - 4) board (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] sp : ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488 x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00 x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000 Call trace: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 Code: d503201f f9401660 b900127f b900227f (f9400400) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mediatek: vcodec: corrija el error cuando falla el inicio de HEVC El decodificador HEVC sin estado guarda el puntero de la instancia en el contexto independientemente de si la inicialización funcionó o no. Esto provocó un use after free, cuando el puntero se libera en caso de fallo en la función deinit. Para resolver este problema, almacene únicamente el puntero de instancia cuando la inicialización sea exitosa. Nombre del hardware: Acer Tomato (rev3 - 4) placa (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr: vcodec_send_ap_ipi+0x78 /0x170 [mtk_vcodec_dec] sp: ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: 310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9: 45c4d12b488 x8: 1fffe25339380d81 x7: 0000000000000001 x6: ffff1299c9c06c00 x5: 0000000000000132 x4: 0000000000000000 x3: 0000000000000 000 x2: 0000000000000010 x1: ffff80008750bc98 x0: 0000000000000000 Rastreo de llamadas : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 tk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release +0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 .0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/ 0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 Código: d503201f f9401660 b900127f b900227f (f9400400) • https://git.kernel.org/stable/c/2674486aac7d9c95ceb77daf7c30f862d4295c1c https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4 https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35920 – media: mediatek: vcodec: adding lock to protect decoder context list
https://notcve.org/view.php?id=CVE-2024-35920
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: adding lock to protect decoder context list Add a lock for the ctx_list, to avoid accessing a NULL pointer within the 'vpu_dec_ipi_handler' function when the ctx_list has been deleted due to an unexpected behavior on the SCP IP block. Hardware name: Google juniper sku16 board (DT) pstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--) pc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec] lr : scp_ipi_handler+0xd0/0x194 [mtk_scp] sp : ffffffc0131dbbd0 x29: ffffffc0131dbbd0 x28: 0000000000000000 x27: ffffff9bb277f348 x26: ffffff9bb242ad00 x25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4 x23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0 x21: 0000000000000010 x20: ffffff9b050ea328 x19: ffffffc0131dbc08 x18: 0000000000001000 x17: 0000000000000000 x16: ffffffd2d461c6e0 x15: 0000000000000242 x14: 000000000000018f x13: 000000000000004d x12: 0000000000000000 x11: 0000000000000001 x10: fffffffffffffff0 x9 : ffffff9bb6e793a8 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : fffffffffffffff0 x3 : 0000000000000020 x2 : ffffff9bb6e79080 x1 : 0000000000000010 x0 : ffffffc0131dbc08 Call trace: vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)] scp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)] mt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)] scp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)] irq_thread_fn+0x38/0x94 irq_thread+0x100/0x1c0 kthread+0x140/0x1fc ret_from_fork+0x10/0x30 Code: 54000088 f94ca50a eb14015f 54000060 (f9400108) ---[ end trace ace43ce36cbd5c93 ]--- Kernel panic - not syncing: Oops: Fatal exception SMP: stopping secondary CPUs Kernel Offset: 0x12c4000000 from 0xffffffc010000000 PHYS_OFFSET: 0xffffffe580000000 CPU features: 0x08240002,2188200c Memory Limit: none En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mediatek: vcodec: agregar bloqueo para proteger la lista de contexto del decodificador. Agregue un bloqueo para ctx_list, para evitar acceder a un puntero NULL dentro de la función 'vpu_dec_ipi_handler' cuando se ha eliminado ctx_list debido a un comportamiento inesperado en el bloque de IP de SCP. Nombre del hardware: placa Google Juniper sku16 (DT) pstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--) pc: vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec] lr: scp_ipi_handler+0xd0/0x194 [mtk_scp] sp: 31dbbd0 x29: ffffffc0131dbbd0 x28: 0000000000000000 x27: ffffff9bb277f348 x26: ffffff9bb242ad00 x25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4 x23: ffffff9bb7fe85a0 22: ffffffc0133fbdb0 x21: 0000000000000010 x20: ffffff9b050ea328 x19: ffffffc0131dbc08 x18: 0000000000001000 x17: 0000000000000000 x16: 461c6e0 x15: 0000000000000242 x14: 000000000000018f x13: 000000000000004d x12: 0000000000000000 x11: 0000000000000001 x10: fffffffffffffff0 x9: ffffff9bb6e793a8 x8: 0000000000000000 x7: 00000000000 00000 x6: 000000000000003f x5: 0000000000000040 x4: fffffffffffffff0 x3: 0000000000000020 x2: ffffff9bb6e79080 x1: 0000000000000010 x0: ffffffc013 1dbc08 Rastreo de llamadas: vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)] scp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)] mt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)] scp_irq_handler+0x48/0x90 (HASH:7046 3)] irq_thread_fn +0x38/0x94 irq_thread+0x100/0x1c0 kthread+0x140/0x1fc ret_from_fork+0x10/0x30 Código: 54000088 f94ca50a eb14015f 54000060 (f9400108) ---[ end trace ace43ce36cbd5c93 ] --- Pánico del kernel: no se sincroniza: Ups: excepción fatal SMP : detener CPU secundarias Desplazamiento del kernel: 0x12c4000000 de 0xffffffc010000000 PHYS_OFFSET: 0xffffffe580000000 Características de la CPU: 0x08240002,2188200c Límite de memoria: ninguno • https://git.kernel.org/stable/c/655b86e52eacdce79c2e02c5ec7258a97fcc2e4a https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6 https://git.kernel.org/stable/c/23aaf824121055ba81b55f75444355bd83c8eb38 https://git.kernel.org/stable/c/6467cda18c9f9b5f2f9a0aa1e2861c653e41f382 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35919 – media: mediatek: vcodec: adding lock to protect encoder context list
https://notcve.org/view.php?id=CVE-2024-35919
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: adding lock to protect encoder context list Add a lock for the ctx_list, to avoid accessing a NULL pointer within the 'vpu_enc_ipi_handler' function when the ctx_list has been deleted due to an unexpected behavior on the SCP IP block. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mediatek: vcodec: añadir bloqueo para proteger la lista de contexto del codificador. Agregue un bloqueo para ctx_list, para evitar acceder a un puntero NULL dentro de la función 'vpu_enc_ipi_handler' cuando se ha eliminado ctx_list debido a un comportamiento inesperado en el bloque de IP de SCP. • https://git.kernel.org/stable/c/1972e32431ed14682909ad568c6fd660572ae6ab https://git.kernel.org/stable/c/41671f0c0182b2bae74ca7e3b0f155559e3e2fc5 https://git.kernel.org/stable/c/51c84a8aac6e3b59af2b0e92ba63cabe2e641a2d https://git.kernel.org/stable/c/afaaf3a0f647a24a7bf6a2145d8ade37baaf75ad •