CVE-2024-38575 – wifi: brcmfmac: pcie: handle randbuf allocation failure
https://notcve.org/view.php?id=CVE-2024-38575
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: pcie: handle randbuf allocation failure The kzalloc() in brcmf_pcie_download_fw_nvram() will return null if the physical memory has run out. As a result, if we use get_random_bytes() to generate random bytes in the randbuf, the null pointer dereference bug will happen. In order to prevent allocation failure, this patch adds a separate function using buffer on kernel stack to generate random bytes in the randbuf, which could prevent the kernel stack from overflow. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: brcmfmac: pcie: manejar fallo de asignación de randbuf El kzalloc() en brcmf_pcie_download_fw_nvram() devolverá nulo si la memoria física se ha agotado. Como resultado, si usamos get_random_bytes() para generar bytes aleatorios en randbuf, se producirá el error de desreferencia del puntero nulo. Para evitar fallas en la asignación, este parche agrega una función separada que utiliza el búfer en la pila del kernel para generar bytes aleatorios en randbuf, lo que podría evitar que la pila del kernel se desborde. • https://git.kernel.org/stable/c/c35105f375b530bc27e03ea9250b1c26dd4cae86 https://git.kernel.org/stable/c/91918ce88d9fef408bb12c46a27c73d79b604c20 https://git.kernel.org/stable/c/ba72baed066f3bfa8b489e4b58f1fcaf51c04f83 https://git.kernel.org/stable/c/0eb2c0528e232b3c32cde9d5e1c9f80ba2996e49 https://git.kernel.org/stable/c/c37466406f075476c2702ecc01917928af871f3b https://git.kernel.org/stable/c/7c15eb344b0d4d3468c9b2a7591ad2b859b29b88 https://git.kernel.org/stable/c/3729ca9e48d19a03ae049e2bde510e161c2f3720 https://git.kernel.org/stable/c/316f790ebcf94bdf59f794b7cdea4068d • CWE-476: NULL Pointer Dereference •
CVE-2024-38574 – libbpf: Prevent null-pointer dereference when prog to load has no BTF
https://notcve.org/view.php?id=CVE-2024-38574
In the Linux kernel, the following vulnerability has been resolved: libbpf: Prevent null-pointer dereference when prog to load has no BTF In bpf_objec_load_prog(), there's no guarantee that obj->btf is non-NULL when passing it to btf__fd(), and this function does not perform any check before dereferencing its argument (as bpf_object__btf_fd() used to do). As a consequence, we get segmentation fault errors in bpftool (for example) when trying to load programs that come without BTF information. v2: Keep btf__fd() in the fix instead of reverting to bpf_object__btf_fd(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: libbpf: evita la desreferencia del puntero nulo cuando el programa a cargar no tiene BTF. En bpf_objec_load_prog(), no hay garantía de que obj->btf no sea NULL al pasarlo a btf__fd() , y esta función no realiza ninguna verificación antes de eliminar la referencia a su argumento (como solía hacer bpf_object__btf_fd()). Como consecuencia, obtenemos errores de segmentación en bpftool (por ejemplo) cuando intentamos cargar programas que vienen sin información BTF. v2: Mantenga btf__fd() en la solución en lugar de volver a bpf_object__btf_fd(). • https://git.kernel.org/stable/c/df7c3f7d3a3ddab31ca8cfa9b86a8729ec43fd2e https://git.kernel.org/stable/c/ef80b59acfa4dee4b5eaccb15572b69248831104 https://git.kernel.org/stable/c/1fd91360a75833b7110af9834ae26c977e1273e0 https://git.kernel.org/stable/c/9bf48fa19a4b1d186e08b20bf7e5de26a15644fb •
CVE-2024-38573 – cppc_cpufreq: Fix possible null pointer dereference
https://notcve.org/view.php?id=CVE-2024-38573
In the Linux kernel, the following vulnerability has been resolved: cppc_cpufreq: Fix possible null pointer dereference cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from different places with various parameters. So cpufreq_cpu_get() can return null as 'policy' in some circumstances. Fix this bug by adding null return check. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cppc_cpufreq: se corrige la posible desreferencia del puntero nulo. cppc_cpufreq_get_rate() y hisi_cppc_cpufreq_get_rate() se pueden llamar desde diferentes lugares con varios parámetros. Entonces cpufreq_cpu_get() puede devolver nulo como 'política' en algunas circunstancias. Corrija este error agregando una verificación de devolución nula. • https://git.kernel.org/stable/c/a28b2bfc099c6b9caa6ef697660408e076a32019 https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618 https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5 https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4 https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe https://access.redhat.com/security/cve/CVE-2024-38573 • CWE-476: NULL Pointer Dereference •
CVE-2024-38572 – wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()
https://notcve.org/view.php?id=CVE-2024-38572
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix out-of-bound access of qmi_invoke_handler() Currently, there is no terminator entry for ath12k_qmi_msg_handlers hence facing below KASAN warning, ================================================================== BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148 Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273 CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0 Workqueue: qmi_msg_handler qmi_data_ready_work Call trace: dump_backtrace+0x0/0x20c show_stack+0x14/0x1c dump_stack+0xe0/0x138 print_address_description.isra.5+0x30/0x330 __kasan_report+0x16c/0x1bc kasan_report+0xc/0x14 __asan_load8+0xa8/0xb0 qmi_invoke_handler+0xa4/0x148 qmi_handle_message+0x18c/0x1bc qmi_data_ready_work+0x4ec/0x528 process_one_work+0x2c0/0x440 worker_thread+0x324/0x4b8 kthread+0x210/0x228 ret_from_fork+0x10/0x18 The address belongs to the variable: ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k] [...] ================================================================== Add a dummy terminator entry at the end to assist the qmi_invoke_handler() in traversing up to the terminator entry without accessing an out-of-boundary index. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: corrige el acceso fuera de los límites de qmi_invoke_handler() Actualmente, no hay ninguna entrada de terminador para ath12k_qmi_msg_handlers, por lo que se enfrenta a la siguiente advertencia de KASAN, ======== ==================================================== ======== ERROR: KASAN: global fuera de los límites en qmi_invoke_handler+0xa4/0x148 Lectura de tamaño 8 en la dirección ffffffd00a6428d8 por tarea kworker/u8:2/1273 CPU: 0 PID: 1273 Comm: kworker /u8:2 No contaminado 5.4.213 #0 Cola de trabajo: qmi_msg_handler qmi_data_ready_work Rastreo de llamadas: dump_backtrace+0x0/0x20c show_stack+0x14/0x1c dump_stack+0xe0/0x138 print_address_description.isra.5+0x30/0x330 __kasan_report+0x16 c/0x1bc kasan_report+0xc /0x14 __asan_load8+0xa8/0xb0 qmi_invoke_handler+0xa4/0x148 qmi_handle_message+0x18c/0x1bc qmi_data_ready_work+0x4ec/0x528 Process_one_work+0x2c0/0x440 trabajador_thread+0x324/0x4b8 0x228 ret_from_fork+0x10/0x18 La dirección pertenece a la variable: ath12k_mac_mon_status_filter_default +0x4bd8/0xfffffffffffe2300 [ath12k] [...] ======================================= ============================ Agregue una entrada de terminador ficticia al final para ayudar a qmi_invoke_handler() a atravesar hasta la entrada del terminador sin acceder a un índice fuera de los límites. Probado en: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 https://git.kernel.org/stable/c/95575de7dede7b1ed3b9718dab9dda97914ea775 https://git.kernel.org/stable/c/b48d40f5840c505b7af700594aa8379eec28e925 https://git.kernel.org/stable/c/a1abdb63628b04855a929850772de97435ed1555 https://git.kernel.org/stable/c/e1bdff48a1bb4a4ac660c19c55a820968c48b3f2 •
CVE-2024-38571 – thermal/drivers/tsens: Fix null pointer dereference
https://notcve.org/view.php?id=CVE-2024-38571
In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/tsens: Fix null pointer dereference compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c) as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null pointer dereference (if DEBUG or DYNAMIC_DEBUG set). Fix this bug by adding null pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Thermal/drivers/tsens: se corrigió la desreferencia del puntero nulo Compute_intercept_slope() se llama desde calibrate_8960() (en tsens-8960.c) como Compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) lo que conduce a la desreferencia del puntero nulo (si DEBUG o DYNAMIC_DEBUG están configurados). Corrija este error agregando una verificación de puntero nulo. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/dfc1193d4dbd6c3cb68c944413146c940bde290a https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278 https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653 https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f •