CVE-2024-39467 – f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
https://notcve.org/view.php?id=CVE-2024-39467
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() syzbot reports a kernel bug as below: F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 ================================================================== BUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline] BUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline] BUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600 Read of size 1 at addr ffff88807a58c76c by task syz-executor280/5076 CPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline] current_nat_addr fs/f2fs/node.h:213 [inline] f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600 f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline] f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838 __do_sys_ioctl fs/ioctl.c:902 [inline] __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is we missed to do sanity check on i_xattr_nid during f2fs_iget(), so that in fiemap() path, current_nat_addr() will access nat_bitmap w/ offset from invalid i_xattr_nid, result in triggering kasan bug report, fix it. • https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8 https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98 https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0 https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57 https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717 •
CVE-2024-39466 – thermal/drivers/qcom/lmh: Check for SCM availability at probe
https://notcve.org/view.php?id=CVE-2024-39466
In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/qcom/lmh: Check for SCM availability at probe Up until now, the necessary scm availability check has not been performed, leading to possible null pointer dereferences (which did happen for me on RB1). Fix that. • https://git.kernel.org/stable/c/53bca371cdf7addc1e93e1b99285b3d3935685ec https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3 https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665 https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464 https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be •
CVE-2024-39465 – media: mgb4: Fix double debugfs remove
https://notcve.org/view.php?id=CVE-2024-39465
In the Linux kernel, the following vulnerability has been resolved: media: mgb4: Fix double debugfs remove Fixes an error where debugfs_remove_recursive() is called first on a parent directory and then again on a child which causes a kernel panic. [hverkuil: added Fixes/Cc tags] • https://git.kernel.org/stable/c/0ab13674a9bd10514486cf1670d71dbd8afec421 https://git.kernel.org/stable/c/252204b634efffd8b167d77413c93d0192aaf5f6 https://git.kernel.org/stable/c/825fc49497957310e421454fe3fb8b8d8d8e2dd2 •
CVE-2024-39464 – media: v4l: async: Fix notifier list entry init
https://notcve.org/view.php?id=CVE-2024-39464
In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix notifier list entry init struct v4l2_async_notifier has several list_head members, but only waiting_list and done_list are initialized. notifier_entry was kept 'zeroed' leading to an uninitialized list_head. This results in a NULL-pointer dereference if csi2_async_register() fails, e.g. node for remote endpoint is disabled, and returns -ENOTCONN. The following calls to v4l2_async_nf_unregister() results in a NULL pointer dereference. Add the missing list head initializer. • https://git.kernel.org/stable/c/b8ec754ae4c563f6aab8c0cb47aeb2eae67f1da3 https://git.kernel.org/stable/c/a80d1da923f671c1e6a14e8417cd2f117b27a442 https://git.kernel.org/stable/c/44f6d619c30f0c65fcdd2b6eba70fdb4460d87ad https://git.kernel.org/stable/c/6d8acd02c4c6a8f917eefac1de2e035521ca119d •
CVE-2024-39463 – 9p: add missing locking around taking dentry fid list
https://notcve.org/view.php?id=CVE-2024-39463
In the Linux kernel, the following vulnerability has been resolved: 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the p9_fid object. • https://git.kernel.org/stable/c/154372e67d4053e56591245eb413686621941333 https://git.kernel.org/stable/c/3bb6763a8319170c2d41c4232c8e7e4c37dcacfb https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456 https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5 https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4 https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409 https://www.zerodayinitiative.com/advisories/ZDI-24-1194 • CWE-416: Use After Free •