CVE-2024-40939 – net: wwan: iosm: Fix tainted pointer delete is case of region creation fail
https://notcve.org/view.php?id=CVE-2024-40939
In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: Fix tainted pointer delete is case of region creation fail In case of region creation fail in ipc_devlink_create_region(), previously created regions delete process starts from tainted pointer which actually holds error code value. Fix this bug by decreasing region index before delete. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/4dcd183fbd67b105decc8be262311937730ccdbf https://git.kernel.org/stable/c/fe394d59cdae81389dbf995e87c83c1acd120597 https://git.kernel.org/stable/c/040d9384870386eb5dc55472ac573ac7756b2050 https://git.kernel.org/stable/c/37a438704d19bdbe246d51d3749b6b3a8fe65afd https://git.kernel.org/stable/c/b0c9a26435413b81799047a7be53255640432547 https://access.redhat.com/security/cve/CVE-2024-40939 https://bugzilla.redhat.com/show_bug.cgi?id=2297523 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2024-40938 – landlock: Fix d_parent walk
https://notcve.org/view.php?id=CVE-2024-40938
In the Linux kernel, the following vulnerability has been resolved: landlock: Fix d_parent walk The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when trying to link a root mount point. This cannot work in practice because this directory is mounted, but the VFS check is done after the call to security_path_link(). Do not use source directory's d_parent when the source directory is the mount point. [mic: Fix commit message] • https://git.kernel.org/stable/c/b91c3e4ea756b12b7d992529226edce1cfd854d7 https://git.kernel.org/stable/c/b6e5e696435832b33e40775f060ef5c95f4fda1f https://git.kernel.org/stable/c/cc30d05b34f9a087a6928d09b131f7b491e9ab11 https://git.kernel.org/stable/c/c7618c7b0b8c45bcef34410cc1d1e953eb17f8f6 https://git.kernel.org/stable/c/88da52ccd66e65f2e63a6c35c9dff55d448ef4dc •
CVE-2024-40937 – gve: Clear napi->skb before dev_kfree_skb_any()
https://notcve.org/view.php?id=CVE-2024-40937
In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed. • https://git.kernel.org/stable/c/9b8dd5e5ea48bbb7532d20c4093a79d8283e4029 https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442 https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037 https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50 https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e •
CVE-2024-40936 – cxl/region: Fix memregion leaks in devm_cxl_add_region()
https://notcve.org/view.php?id=CVE-2024-40936
In the Linux kernel, the following vulnerability has been resolved: cxl/region: Fix memregion leaks in devm_cxl_add_region() Move the mode verification to __create_region() before allocating the memregion to avoid the memregion leaks. • https://git.kernel.org/stable/c/6e099264185d05f50400ea494f5029264a4fe995 https://git.kernel.org/stable/c/d8316838aa0686da63a8be4194b7a17b0103ae4a https://git.kernel.org/stable/c/bbb5d8746381c82f7e0fb6171094d375b492f266 https://git.kernel.org/stable/c/49ba7b515c4c0719b866d16f068e62d16a8a3dd1 https://access.redhat.com/security/cve/CVE-2024-40936 https://bugzilla.redhat.com/show_bug.cgi?id=2297520 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVE-2024-40935 – cachefiles: flush all requests after setting CACHEFILES_DEAD
https://notcve.org/view.php?id=CVE-2024-40935
In the Linux kernel, the following vulnerability has been resolved: cachefiles: flush all requests after setting CACHEFILES_DEAD In ondemand mode, when the daemon is processing an open request, if the kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write() will always return -EIO, so the daemon can't pass the copen to the kernel. Then the kernel process that is waiting for the copen triggers a hung_task. Since the DEAD state is irreversible, it can only be exited by closing /dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to avoid the above hungtask. We may still be able to read some of the cached data before closing the fd of /dev/cachefiles. Note that this relies on the patch that adds reference counting to the req, otherwise it may UAF. • https://git.kernel.org/stable/c/c8383054506c77b814489c09877b5db83fd4abf2 https://git.kernel.org/stable/c/320ba9cbca78be79c912143bbba1d1b35ca55cf0 https://git.kernel.org/stable/c/3bf0b8030296e9ee60d3d4c15849ad9ac0b47081 https://git.kernel.org/stable/c/e73fac95084839c5178d97e81c6a2051251bdc00 https://git.kernel.org/stable/c/85e833cd7243bda7285492b0653c3abb1e2e757b •