CVE-2024-38626 – fuse: clear FR_SENT when re-adding requests into pending list
https://notcve.org/view.php?id=CVE-2024-38626
In the Linux kernel, the following vulnerability has been resolved: fuse: clear FR_SENT when re-adding requests into pending list

The following warning was reported by lee bruce:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
Modules linked in:
CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
......
Call Trace:
<TASK>
fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334
fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367
call_read_iter include/linux/fs.h:2104 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x85b/0xba0 fs/read_write.c:476
ksys_read+0x12f/0x260 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
......
</TASK>

The warning is caused by the FUSE_NOTIFY_RESEND notify sent by the write() syscall in the reproducer program, and it happens as follows:

(1) The program calls fuse_dev_read() to read the INIT request. The read succeeds, and during the read the FR_SENT bit is set on the request.
(2) The program calls fuse_dev_write() to send a FUSE_NOTIFY_RESEND notify. The resend notify resends all processing requests, so the INIT request is moved from the processing list back to the pending list.
(3) The program calls fuse_dev_read() with an invalid output address. fuse_dev_read() tries to copy the same INIT request to the output address, but the copy fails because the address is invalid, so the INIT request is ended and triggers the warning in fuse_request_end(), since FR_SENT is still set from step (1).

Fix it by clearing FR_SENT when re-adding requests into the pending list.

https://git.kernel.org/stable/c/760eac73f9f69aa28fcb3050b4946c2dcc656d12
https://git.kernel.org/stable/c/533070db659a9589310a743e9de14cf9d651ffaf
https://git.kernel.org/stable/c/246014876d782bbf2e652267482cd2e799fb5fcd
CVE-2024-38625 – fs/ntfs3: Check 'folio' pointer for NULL
https://notcve.org/view.php?id=CVE-2024-38625
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Check 'folio' pointer for NULL

It can be NULL if bmap is called.

https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17
https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8
https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641
https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803
CVE-2024-38624 – fs/ntfs3: Use 64 bit variable to avoid 32 bit overflow
https://notcve.org/view.php?id=CVE-2024-38624
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Use 64 bit variable to avoid 32 bit overflow

For example, in the expression:

vbo = 2 * vbo + skip

https://git.kernel.org/stable/c/b46acd6a6a627d876898e1c84d3f84902264b445
https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b
https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d
https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40
https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57
https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649
CVE-2024-38623 – fs/ntfs3: Use variable length array instead of fixed size
https://notcve.org/view.php?id=CVE-2024-38623
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Use variable length array instead of fixed size

Should fix smatch warning:

ntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)

https://git.kernel.org/stable/c/4534a70b7056fd4b9a1c6db5a4ce3c98546b291e
https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f
https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7
https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1
https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1
https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef

CWE-129: Improper Validation of Array Index
CVE-2024-38622 – drm/msm/dpu: Add callback function pointer check before its call
https://notcve.org/view.php?id=CVE-2024-38622
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add callback function pointer check before its call

In dpu_core_irq_callback_handler() the callback function pointer is compared to NULL, but the callback is then called unconditionally through this pointer. Fix this bug by adding a conditional return.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Patchwork: https://patchwork.freedesktop.org/patch/588237/

https://git.kernel.org/stable/c/c929ac60b3ed34accd25a052a4833e418900f466
https://git.kernel.org/stable/c/873f67699114452c2a996c4e10faac8ff860c241
https://git.kernel.org/stable/c/9078630ed7f8f25d65d11823e7f2b11a8e2f4f0f
https://git.kernel.org/stable/c/530f272053a5e72243a9cb07bb1296af6c346002