CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-35818 – LoongArch: Define the __io_aw() hook as mmiowb()
https://notcve.org/view.php?id=CVE-2024-35818
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Define the __io_aw() hook as mmiowb() Commit fb24ea52f78e0d595852e ("drivers: Remove explicit invocations of mmiowb()") remove all mmiowb() in drivers, but it says: "NOTE: mmiowb() has only ever guaranteed ordering in conjunction with spin_unlock(). However, pairing each mmiowb() removal in this patch with the corresponding call to spin_unlock() is not at all trivial, so there is a small chance that this change may regress any drivers incorrectly relying on mmiowb() to order MMIO writes between CPUs using lock-free synchronisation." The mmio in radeon_ring_commit() is protected by a mutex rather than a spinlock, but in the mutex fastpath it behaves similar to spinlock. We can add mmiowb() calls in the radeon driver but the maintainer says he doesn't like such a workaround, and radeon is not the only example of mutex protected mmio. So we should extend the mmiowb tracking system from spinlock to mutex, and maybe other locking primitives. This is not easy and error prone, so we solve it in the architectural code, by simply defining the __io_aw() hook as mmiowb(). • https://git.kernel.org/stable/c/97cd43ba824aec764f5ea2790d0c0a318f885167 https://git.kernel.org/stable/c/d7d7c6cdea875be3b241d7d39873bb431db7154d https://git.kernel.org/stable/c/0b61a7dc6712b78799b3949997e8a5e94db5c4b0 https://git.kernel.org/stable/c/9adec248bba33b1503252caf8e59d81febfc5ceb https://git.kernel.org/stable/c/9c68ece8b2a5c5ff9b2fcaea923dd73efeb174cd •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-35817 – drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag
https://notcve.org/view.php?id=CVE-2024-35817
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag Otherwise after the GTT bo is released, the GTT and gart space is freed but amdgpu_ttm_backend_unbind will not clear the gart page table entry and leave valid mapping entry pointing to the stale system page. Then if GPU access the gart address mistakely, it will read undefined value instead page fault, harder to debug and reproduce the real issue. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amdgpu: amdgpu_ttm_gart_bind establece el indicador vinculado a gtt. De lo contrario, después de que se libera GTT bo, se libera el espacio GTT y gart, pero amdgpu_ttm_backend_unbind no borrará la entrada de la tabla de páginas de gart y dejará una asignación válida. entrada que apunta a la página del sistema obsoleto. Luego, si la GPU accede a la dirección de Gart por error, leerá un valor indefinido en lugar de un error de página, lo que será más difícil de depurar y reproducir el problema real. • https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3 https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6 https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-35814 – swiotlb: Fix double-allocation of slots due to broken alignment handling
https://notcve.org/view.php?id=CVE-2024-35814
In the Linux kernel, the following vulnerability has been resolved: swiotlb: Fix double-allocation of slots due to broken alignment handling Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool. When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer: # Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800) This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page. Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page. This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: swiotlb: corregida la doble asignación de ranuras debido a un manejo de alineación roto. Confirmación bbb73a103fbb ("swiotlb: corrija un barino en la corrección de verificación de alineación"), que fue una solución para la confirmación 0eee5ae10256 ( "swiotlb: corregir comprobaciones de alineación de ranuras"), provoca una regresión funcional con vsock en una máquina virtual mediante el rebote a través de un grupo DMA SWIOTLB restringido. Cuando virtio asigna las colas virtio para el dispositivo vsock usando dma_alloc_coherent(), la búsqueda de SWIOTLB puede devolver asignaciones de página no alineadas si 'area->index' quedó desalineado por una asignación anterior del búfer: # La dirección final entre paréntesis es la dirección de SWIOTLB devuelto a la persona que llama | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: obtuvo la ranura 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: obtuvo la ranura 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: obtuvo la ranura 1653-1657/7168 (0x9832a800) Esto termina mal (normalmente corrupción del búfer y/o bloqueo) porque swiotlb_alloc() está esperando una página -asignación alineada y, por lo tanto, devuelve ciegamente un puntero a la 'struct page' correspondiente a la asignación, por lo que asigna dos veces la primera mitad (ranura de 2 KB) de la página de 4 KB. Solucione el problema tratando la alineación de asignación por separado de cualquier requisito de alineación adicional del dispositivo, utilizando el máximo de los dos como paso para buscar las ranuras del búfer y teniendo cuidado de garantizar un mínimo de alineación de página para búferes más grandes que una página. • https://git.kernel.org/stable/c/0eee5ae1025699ea93d44fdb6ef2365505082103 https://git.kernel.org/stable/c/3e7acd6e25ba77dde48c3b721c54c89cd6a10534 https://git.kernel.org/stable/c/c88668aa6c1da240ea3eb4d128b7906e740d3cb8 https://git.kernel.org/stable/c/777391743771040e12cc40d3d0d178f70c616491 https://git.kernel.org/stable/c/04867a7a33324c9c562ee7949dbcaab7aaad1fb4 https://access.redhat.com/security/cve/CVE-2024-35814 https://bugzilla.redhat.com/show_bug.cgi?id=2281207 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-1055: Multiple Inheritance from Concrete Classes •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35813 – mmc: core: Avoid negative index with array access
https://notcve.org/view.php?id=CVE-2024-35813
In the Linux kernel, the following vulnerability has been resolved: mmc: core: Avoid negative index with array access Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") assigns prev_idata = idatas[i - 1], but doesn't check that the iterator i is greater than zero. Let's fix this by adding a check. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mmc: core: evitar índice negativo con acceso a matriz Commit 4d0c8d0aef63 ("mmc: core: usar mrq.sbc en ffu cerrado") asigna prev_idata = idatas[i - 1] , pero no comprueba que el iterador i sea mayor que cero. Arreglemos esto agregando una comprobación. • https://git.kernel.org/stable/c/f49f9e802785291149bdc9c824414de4604226b4 https://git.kernel.org/stable/c/59020bf0999ff7da8aedcd00ef8f0d75d93b6d20 https://git.kernel.org/stable/c/50b8b7a22e90bab9f1949b64a88ff17ab10913ec https://git.kernel.org/stable/c/c4edcd134bb72b3b0acc884612d624e48c9d057f https://git.kernel.org/stable/c/1653a8102868264f3488c298a9f20af2add9a288 https://git.kernel.org/stable/c/eed9119f8f8e8fbf225c08abdbb58597fba807e0 https://git.kernel.org/stable/c/4d0c8d0aef6355660b6775d57ccd5d4ea2e15802 https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b3694 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-35811 – wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
https://notcve.org/view.php?id=CVE-2024-35811
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233 In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach. [arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: brcmfmac: corregido el error de use after free en brcmf_cfg80211_detach Este es el parche candidato de CVE-2023-47233: https://nvd.nist.gov/vuln/detail /CVE-2023-47233 En el controlador brcm80211, comienza con la siguiente cadena de invocación para iniciar un trabajador de tiempo de espera: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg ->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); Si desconectamos el USB mediante hotplug, llamará a brcmf_usb_disconnect para realizar la limpieza. La cadena de invocación es: brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); Mientras que el activador de tiempo de espera aún puede estar ejecutándose. Esto provocará un error de use after free en cfg en brcmf_cfg80211_escan_timeout_worker. • https://git.kernel.org/stable/c/e756af5b30b008f6ffcfebf8ad0b477f6f225b62 https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169 https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1 https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731 https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744 https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9 •