CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35926 – crypto: iaa - Fix async_disable descriptor leak
https://notcve.org/view.php?id=CVE-2024-35926
In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix async_disable descriptor leak The disable_async paths of iaa_compress/decompress() don't free idxd descriptors in the async_disable case. Currently this only happens in the testcases where req->dst is set to null. Add a test to free them in those paths. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: iaa - Reparar la fuga del descriptor async_disable Las rutas enable_async de iaa_compress/decompress() no liberan los descriptores idxd en el caso async_disable. Actualmente, esto solo sucede en los casos de prueba donde req->dst está establecido en nulo. • https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83 https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35925 – block: prevent division by zero in blk_rq_stat_sum()
https://notcve.org/view.php?id=CVE-2024-35925
In the Linux kernel, the following vulnerability has been resolved: block: prevent division by zero in blk_rq_stat_sum() The expression dst->nr_samples + src->nr_samples may have zero value on overflow. It is necessary to add a check to avoid division by zero. Found by Linux Verification Center (linuxtesting.org) with Svace. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloquear: evitar la división por cero en blk_rq_stat_sum() La expresión dst->nr_samples + src->nr_samples puede tener un valor cero en caso de desbordamiento. Es necesario agregar un cheque para evitar la división por cero. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con Svace. • https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7 https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14 https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8 https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854 https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68 https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35924 – usb: typec: ucsi: Limit read size on v1.2
https://notcve.org/view.php?id=CVE-2024-35924
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Limit read size on v1.2 Between UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was increased from 16 to 256. In order to avoid overflowing reads for older systems, add a mechanism to use the read UCSI version to truncate read sizes on UCSI v1.2. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: usb: typec: ucsi: Limitar el tamaño de lectura en v1.2 Entre UCSI 1.2 y UCSI 2.0, el tamaño de la región MESSAGE_IN se incrementó de 16 a 256. Para evitar el desbordamiento lecturas para sistemas más antiguos, agregue un mecanismo para usar la versión de lectura UCSI para truncar los tamaños de lectura en UCSI v1.2. • https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40 https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527 https://access.redhat.com/security/cve/CVE-2024-35924 https://bugzilla.redhat.com/show_bug.cgi?id=2281758 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35922 – fbmon: prevent division by zero in fb_videomode_from_videomode()
https://notcve.org/view.php?id=CVE-2024-35922
In the Linux kernel, the following vulnerability has been resolved: fbmon: prevent division by zero in fb_videomode_from_videomode() The expression htotal * vtotal can have a zero value on overflow. It is necessary to prevent division by zero like in fb_var_to_videomode(). Found by Linux Verification Center (linuxtesting.org) with Svace. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: fbmon: evita la división por cero en fb_videomode_from_videomode() La expresión htotal * vtotal puede tener un valor cero en caso de desbordamiento. Es necesario evitar la división por cero como en fb_var_to_videomode(). Encontrado por el Centro de verificación de Linux (linuxtesting.org) con Svace. • https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270 https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0 https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029 https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971 https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33 https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4 https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35921 – media: mediatek: vcodec: Fix oops when HEVC init fails
https://notcve.org/view.php?id=CVE-2024-35921
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix oops when HEVC init fails The stateless HEVC decoder saves the instance pointer in the context regardless if the initialization worked or not. This caused a use after free, when the pointer is freed in case of a failure in the deinit function. Only store the instance pointer when the initialization was successful, to solve this issue. Hardware name: Acer Tomato (rev3 - 4) board (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] sp : ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488 x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00 x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000 Call trace: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 Code: d503201f f9401660 b900127f b900227f (f9400400) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mediatek: vcodec: corrija el error cuando falla el inicio de HEVC El decodificador HEVC sin estado guarda el puntero de la instancia en el contexto independientemente de si la inicialización funcionó o no. Esto provocó un use after free, cuando el puntero se libera en caso de fallo en la función deinit. Para resolver este problema, almacene únicamente el puntero de instancia cuando la inicialización sea exitosa. Nombre del hardware: Acer Tomato (rev3 - 4) placa (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr: vcodec_send_ap_ipi+0x78 /0x170 [mtk_vcodec_dec] sp: ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: 310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9: 45c4d12b488 x8: 1fffe25339380d81 x7: 0000000000000001 x6: ffff1299c9c06c00 x5: 0000000000000132 x4: 0000000000000000 x3: 0000000000000 000 x2: 0000000000000010 x1: ffff80008750bc98 x0: 0000000000000000 Rastreo de llamadas : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 tk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release +0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 .0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/ 0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 Código: d503201f f9401660 b900127f b900227f (f9400400) • https://git.kernel.org/stable/c/2674486aac7d9c95ceb77daf7c30f862d4295c1c https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4 https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b •