CVE-2024-26922 – drm/amdgpu: validate the parameters of bo mapping operations more clearly
https://notcve.org/view.php?id=CVE-2024-26922
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: valide los parámetros de las operaciones de mapeo de bo con mayor claridad. Verifique los parámetros de amdgpu_vm_bo_(map/replace_map/clearing_mappings) en un lugar común. • https://git.kernel.org/stable/c/dc54d3d1744d23ed0b345fd8bc1c493b74e8df44 https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9 https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2 https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284 https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e •
CVE-2024-26921 – inet: inet_defrag: prevent sk release while still in use
https://notcve.org/view.php?id=CVE-2024-26921
In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: inet: inet_defrag: evita la liberación de sk mientras aún está en uso ip_local_out() y otras funciones pueden pasar skb->sk como argumento de función. Si el skb es un fragmento y el reensamblaje ocurre antes de que regrese dicha llamada a la función, el sk no debe liberarse. • https://git.kernel.org/stable/c/7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab https://git.kernel.org/stable/c/9705f447bf9a6cd088300ad2c407b5e1c6591091 https://git.kernel.org/stable/c/4318608dc28ef184158b4045896740716bea23f0 https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325 https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727 https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981 https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272 https://access.redhat.com/security/cve/CVE-2024-26921 • CWE-124: Buffer Underwrite ('Buffer Underflow') •
CVE-2024-26920 – tracing/trigger: Fix to return error if failed to alloc snapshot
https://notcve.org/view.php?id=CVE-2024-26920
In the Linux kernel, the following vulnerability has been resolved: tracing/trigger: Fix to return error if failed to alloc snapshot Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: rastreo/activador: Corrección para devolver error si no se pudo asignar la instantánea. Corrección de Register_snapshot_trigger() para devolver código de error si no se pudo asignar una instantánea en lugar de 0 (éxito). A menos que eso, registrará la activación de la instantánea sin error. • https://git.kernel.org/stable/c/57f2a2ad73e99a7594515848f4da987326a15981 https://git.kernel.org/stable/c/0026e356e51ab3b54322eeb445c75a087ede5b9d https://git.kernel.org/stable/c/0bbe7f719985efd9adb3454679ecef0984cb6800 https://git.kernel.org/stable/c/7c6feb347a4bb1f02e55f6814c93b5f7fab887a8 https://git.kernel.org/stable/c/a289fd864722dcf5363fec66a35965d4964df515 https://git.kernel.org/stable/c/7054f86f268c0d9d62b52a4497dd0e8c10a7e5c7 https://git.kernel.org/stable/c/ffa70d104691aa609a18a9a6692049deb35f431f https://git.kernel.org/stable/c/733c611a758c68894a4480fb999637476 •
CVE-2024-26915 – drm/amdgpu: Reset IH OVERFLOW_CLEAR bit
https://notcve.org/view.php?id=CVE-2024-26915
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Reset IH OVERFLOW_CLEAR bit Allows us to detect subsequent IH ring buffer overflows as well. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: Restablecer el bit IH OVERFLOW_CLEAR También nos permite detectar desbordamientos posteriores del búfer en anillo IH. • https://git.kernel.org/stable/c/9a9d00c23d170d4ef5a1b28e6b69f5c85dd12bc1 https://git.kernel.org/stable/c/a28f4d1e0bed85943d309ac243fd1c200f8af9a2 https://git.kernel.org/stable/c/8983397951b4b0bd51bb4b4ba9749424e1ccbb70 https://git.kernel.org/stable/c/2827633c9dab6304ec4cdbf369363219832e605d https://git.kernel.org/stable/c/7330256268664ea0a7dd5b07a3fed363093477dd •
CVE-2024-26914 – drm/amd/display: fix incorrect mpc_combine array size
https://notcve.org/view.php?id=CVE-2024-26914
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix incorrect mpc_combine array size [why] MAX_SURFACES is per stream, while MAX_PLANES is per asic. The mpc_combine is an array that records all the planes per asic. Therefore MAX_PLANES should be used as the array size. Using MAX_SURFACES causes array overflow when there are more than 3 planes. [how] Use the MAX_PLANES for the mpc_combine array size. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: corrige el tamaño incorrecto de la matriz mpc_combine [por qué] MAX_SURFACES es por flujo, mientras que MAX_PLANES es por asic. mpc_combine es una matriz que registra todos los planos por asic. • https://git.kernel.org/stable/c/0bd8ef618a42d7e6ea3f701065264e15678025e3 https://git.kernel.org/stable/c/39079fe8e660851abbafa90cd55cbf029210661f •