CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26825 – nfc: nci: free rx_data_reassembly skb on NCI device cleanup
https://notcve.org/view.php?id=CVE-2024-26825
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free rx_data_reassembly skb on NCI device cleanup rx_data_reassembly skb is stored during NCI data exchange for processing fragmented packets. It is dropped only when the last fragment is processed or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received. However, the NCI device may be deallocated before that which leads to skb leak. As by design the rx_data_reassembly skb is bound to the NCI device and nothing prevents the device to be freed before the skb is processed in some way and cleaned, free it on the NCI device cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfc: nci: rx_data_reassembly skb gratuito en la limpieza del dispositivo NCI rx_data_reassembly skb se almacena durante el intercambio de datos NCI para procesar paquetes fragmentados. Se elimina solo cuando se procesa el último fragmento o cuando se recibe un paquete NTF con el código de operación NCI_OP_RF_DEACTIVATE_NTF. Sin embargo, el dispositivo NCI puede desasignarse antes de lo que provoca una fuga de skb. • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 https://git.kernel.org/stable/c/7e9a8498658b398bf11b8e388005fa54e40aed81 https://git.kernel.org/stable/c/71349abe3aba7fedcab5b3fcd7aa82371fb5ccbf https://git.kernel.org/stable/c/2f6d16f0520d6505241629ee2f5c131b547d5f9d https://git.kernel.org/stable/c/471c9ede8061357b43a116fa692e70d91941ac23 https://git.kernel.org/stable/c/5c0c5ffaed73cbae6c317374dc32ba6cacc60895 https://git.kernel.org/stable/c/16d3f507b0fa70453dc54550df093d6e9ac630c1 https://git.kernel.org/stable/c/a3d90fb5c23f29ba59c04005ae76c5228 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52642 – media: rc: bpf attach/detach requires write permission
https://notcve.org/view.php?id=CVE-2023-52642
In the Linux kernel, the following vulnerability has been resolved: media: rc: bpf attach/detach requires write permission Note that bpf attach/detach also requires CAP_NET_ADMIN. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: rc: bpf adjunto/detach requiere permiso de escritura. Tenga en cuenta que bpf adjunto/detach también requiere CAP_NET_ADMIN. • https://git.kernel.org/stable/c/93d8109bf182510629bbefc8cd45296d2393987f https://git.kernel.org/stable/c/d98210108e7b2ff64b332b0a3541c8ad6a0617b0 https://git.kernel.org/stable/c/9f6087851ec6dce5b15f694aeaf3e8ec8243224e https://git.kernel.org/stable/c/93136132d1b5792bf44151e3494ae3691cd738e8 https://git.kernel.org/stable/c/caf2da1d4562de4e35eedec0be2b7f1ee25d83be https://git.kernel.org/stable/c/6a9d552483d50953320b9d3b57abdee8d436f23f https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html •
CVSS: -EPSS: 0%CPEs: 8EXPL: 1CVE-2024-26817 – amdkfd: use calloc instead of kzalloc to avoid integer overflow
https://notcve.org/view.php?id=CVE-2024-26817
In the Linux kernel, the following vulnerability has been resolved: amdkfd: use calloc instead of kzalloc to avoid integer overflow This uses calloc instead of doing the multiplication which might overflow. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: amdkfd: usa calloc en lugar de kzalloc para evitar el desbordamiento de enteros. Esto usa calloc en lugar de hacer la multiplicación que podría desbordarse. • https://github.com/MaherAzzouzi/CVE-2024-26817-amdkfd https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751 https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0 https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91 https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7 https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a http •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47219 – scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
https://notcve.org/view.php?id=CVE-2021-47219
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs() The following issue was observed running syzkaller: BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831 Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815 CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xe4/0x14a lib/dump_stack.c:118 print_address_description+0x73/0x280 mm/kasan/report.c:253 kasan_report_error mm/kasan/report.c:352 [inline] kasan_report+0x272/0x370 mm/kasan/report.c:410 memcpy+0x1f/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:377 [inline] sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831 fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021 resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772 schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429 scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835 scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896 scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034 __blk_run_queue_uncond block/blk-core.c:464 [inline] __blk_run_queue+0x1a4/0x380 block/blk-core.c:484 blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78 sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847 sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716 sg_write+0x64/0xa0 drivers/scsi/sg.c:622 __vfs_write+0xed/0x690 fs/read_write.c:485 kill_bdev:block_device:00000000e138492c vfs_write+0x184/0x4c0 fs/read_write.c:549 ksys_write+0x107/0x240 fs/read_write.c:599 do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe We get 'alen' from command its type is int. If userspace passes a large length we will get a negative 'alen'. Switch n, alen, and rlen to u32. • https://git.kernel.org/stable/c/8440377e1a5644779b4c8d013aa2a917f5fc83c3 https://git.kernel.org/stable/c/66523553fa62c7878fc5441dc4e82be71934eb77 https://git.kernel.org/stable/c/f347c26836c270199de1599c3cd466bb7747caa9 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47217 – x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
https://notcve.org/view.php?id=CVE-2021-47217
In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails Check for a valid hv_vp_index array prior to derefencing hv_vp_index when setting Hyper-V's TSC change callback. If Hyper-V setup failed in hyperv_init(), the kernel will still report that it's running under Hyper-V, but will have silently disabled nearly all functionality. BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:set_hv_tscchange_cb+0x15/0xa0 Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08 ... Call Trace: kvm_arch_init+0x17c/0x280 kvm_init+0x31/0x330 vmx_init+0xba/0x13a do_one_initcall+0x41/0x1c0 kernel_init_freeable+0x1f2/0x23b kernel_init+0x16/0x120 ret_from_fork+0x22/0x30 • https://git.kernel.org/stable/c/93286261de1b46339aa27cd4c639b21778f6cade https://git.kernel.org/stable/c/b20ec58f8a6f4fef32cc71480ddf824584e24743 https://git.kernel.org/stable/c/b0e44dfb4e4c699cca33ede431b8d127e6e8d661 https://git.kernel.org/stable/c/9c177eee116cf888276d3748cb176e72562cfd5c https://git.kernel.org/stable/c/8823ea27fff6084bbb4bc71d15378fae0220b1d8 https://git.kernel.org/stable/c/daf972118c517b91f74ff1731417feb4270625a4 •