CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-42074 – ASoC: amd: acp: add a null check for chip_pdev structure
https://notcve.org/view.php?id=CVE-2024-42074
In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp: add a null check for chip_pdev structure When acp platform device creation is skipped, chip->chip_pdev value will remain NULL. Add NULL check for chip->chip_pdev structure in snd_acp_resume() function to avoid null pointer dereference. • https://git.kernel.org/stable/c/088a40980efbc2c449b72f0f2c7ebd82f71d08e2 https://git.kernel.org/stable/c/e158ed266fc1adfa456880fb6dabce2e5623843b https://git.kernel.org/stable/c/b0c39ae1cc86afe74aa2f6273ccb514f8d180cf6 https://git.kernel.org/stable/c/98d919dfee1cc402ca29d45da642852d7c9a2301 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-42073 – mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems
https://notcve.org/view.php?id=CVE-2024-42073
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems The following two shared buffer operations make use of the Shared Buffer Status Register (SBSR): # devlink sb occupancy snapshot pci/0000:01:00.0 # devlink sb occupancy clearmax pci/0000:01:00.0 The register has two masks of 256 bits to denote on which ingress / egress ports the register should operate on. Spectrum-4 has more than 256 ports, so the register was extended by cited commit with a new 'port_page' field. However, when filling the register's payload, the driver specifies the ports as absolute numbers and not relative to the first port of the port page, resulting in memory corruptions [1]. Fix by specifying the ports relative to the first port of the port page. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 Read of size 1 at addr ffff8881068cb00f by task devlink/1566 [...] Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 mlxsw_devlink_sb_occ_snapshot+0x75/0xb0 devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0 genl_family_rcv_msg_doit+0x20c/0x300 genl_rcv_msg+0x567/0x800 netlink_rcv_skb+0x170/0x450 genl_rcv+0x2d/0x40 netlink_unicast+0x547/0x830 netlink_sendmsg+0x8d4/0xdb0 __sys_sendto+0x49b/0x510 __x64_sys_sendto+0xe5/0x1c0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f [...] Allocated by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 copy_verifier_state+0xbc2/0xfb0 do_check_common+0x2c51/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x109/0x170 __kasan_slab_free+0x14/0x30 kfree+0xca/0x2b0 free_verifier_state+0xce/0x270 do_check_common+0x4828/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f • https://git.kernel.org/stable/c/f8538aec88b46642553a9ba9efa0952f5958dbed https://git.kernel.org/stable/c/bfa86a96912faa0b6142a918db88cc0c738a769e https://git.kernel.org/stable/c/942901e0fc74ad4b7992ef7ca9336e68d5fd6d36 https://git.kernel.org/stable/c/bf8781ede7bd9a37c0fcabca78976e61300b5a1a https://git.kernel.org/stable/c/c28947de2bed40217cf256c5d0d16880054fcf13 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42070 – netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
https://notcve.org/view.php?id=CVE-2024-42070
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers. This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of packet filtering. • https://git.kernel.org/stable/c/96518518cc417bb0a8c80b9fb736202e28acdf96 https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4 https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8 https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007 https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564 https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-42069 – net: mana: Fix possible double free in error handling path
https://notcve.org/view.php?id=CVE-2024-42069
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix possible double free in error handling path When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function adev_release calls kfree(madev). We shouldn't call kfree(madev) again in the error handling path. Set 'madev' to NULL. • https://git.kernel.org/stable/c/a69839d4327d053b18d8e1b0e7ddeee78db78f4f https://git.kernel.org/stable/c/3243e64eb4d897c3eeb48b2a7221ab5a95e1282a https://git.kernel.org/stable/c/ed45c0a0b662079d4c0e518014cc148c753979b4 https://git.kernel.org/stable/c/1864b8224195d0e43ddb92a8151f54f6562090cc •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-42068 – bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
https://notcve.org/view.php?id=CVE-2024-42068
In the Linux kernel, the following vulnerability has been resolved: bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro() set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. • https://git.kernel.org/stable/c/a359696856ca9409fb97655c5a8ef0f549cb6e03 https://git.kernel.org/stable/c/e4f602e3ff749ba770bf8ff10196e18358de6720 https://git.kernel.org/stable/c/fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d https://git.kernel.org/stable/c/e3540e5a7054d6daaf9a1415a48aacb092112a89 https://git.kernel.org/stable/c/05412471beba313ecded95aa17b25fe84bb2551a https://git.kernel.org/stable/c/7d2cc63eca0c993c99d18893214abf8f85d566d8 •