CVE-2024-26654 – ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
https://notcve.org/view.php?id=CVE-2024-26654
In the Linux kernel, the following vulnerability has been resolved: ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer. When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below: (Thread 1) | (Thread 2) snd_aicapcm_pcm_close() | • https://git.kernel.org/stable/c/198de43d758ca2700e2b52b49c0b189b4931466c https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2 https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2 https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845 https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5 https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046 https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901 https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5 •
CVE-2023-52629 – sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
https://notcve.org/view.php?id=CVE-2023-52629
In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | . • https://git.kernel.org/stable/c/9f5e8eee5cfe1328660c71812d87c2a67bda389f https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65 • CWE-416: Use After Free •
CVE-2023-52628 – netfilter: nftables: exthdr: fix 4-byte stack OOB write
https://notcve.org/view.php?id=CVE-2023-52628
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: exthdr: fix 4-byte stack OOB write If priv->len is a multiple of 4, then dst[len / 4] can write past the destination array which leads to stack corruption. This construct is necessary to clean the remainder of the register in case ->len is NOT a multiple of the register size, so make it conditional just like nft_payload.c does. The bug was added in 4.1 cycle and then copied/inherited when tcp/sctp and ip option support was added. Bug reported by Zero Day Initiative project (ZDI-CAN-21950, ZDI-CAN-21951, ZDI-CAN-21961). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nftables: exthdr: corrige escritura OOB de pila de 4 bytes Si priv->len es múltiplo de 4, entonces dst[len / 4] puede escribir más allá de la matriz de destino que conduce a la corrupción de la pila. Esta construcción es necesaria para limpiar el resto del registro en caso de que ->len NO sea un múltiplo del tamaño del registro, así que hágalo condicional tal como lo hace nft_payload.c. El error se agregó en el ciclo 4.1 y luego se copió/heredó cuando se agregó la compatibilidad con las opciones tcp/sctp e ip. Error informado por el proyecto Zero Day Initiative (ZDI-CAN-21950, ZDI-CAN-21951, ZDI-CAN-21961). • https://git.kernel.org/stable/c/49499c3e6e18b7677a63316f3ff54a16533dc28f https://git.kernel.org/stable/c/28a97c43c9e32f437ebb8d6126f9bb7f3ca9521a https://git.kernel.org/stable/c/cf39c4f77a773a547ac2bcf30ecdd303bb0c80cb https://git.kernel.org/stable/c/a7d86a77c33ba1c357a7504341172cc1507f0698 https://git.kernel.org/stable/c/1ad7b189cc1411048434e8595ffcbe7873b71082 https://git.kernel.org/stable/c/d9ebfc0f21377690837ebbd119e679243e0099cc https://git.kernel.org/stable/c/c8f292322ff16b9a2272a67de396c09a50e09dce https://git.kernel.org/stable/c/fd94d9dadee58e09b49075240fe83423e • CWE-787: Out-of-bounds Write •
CVE-2024-26651 – sr9800: Add check for usbnet_get_endpoints
https://notcve.org/view.php?id=CVE-2024-26651
In the Linux kernel, the following vulnerability has been resolved: sr9800: Add check for usbnet_get_endpoints Add check for usbnet_get_endpoints() and return the error if it fails in order to transfer the error. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: sr9800: Agregar verificación para usbnet_get_endpoints Agregar verificación para usbnet_get_endpoints() y devolver el error si falla para transferir el error. • https://git.kernel.org/stable/c/19a38d8e0aa33b4f4d11d3b4baa902ad169daa80 https://git.kernel.org/stable/c/424eba06ed405d557077339edb19ce0ebe39e7c7 https://git.kernel.org/stable/c/8a8b6a24684bc278036c3f159f7b3a31ad89546a https://git.kernel.org/stable/c/6b4a39acafaf0186ed8e97c16e0aa6fca0e52009 https://git.kernel.org/stable/c/276873ae26c8d75b00747c1dadb9561d6ef20581 https://git.kernel.org/stable/c/9c402819620a842cbfe39359a3ddfaac9adc8384 https://git.kernel.org/stable/c/e39a3a14eafcf17f03c037290b78c8f483529028 https://git.kernel.org/stable/c/efba65777f98457773c5b65e3135c6132 •
CVE-2024-26648 – drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()
https://notcve.org/view.php?id=CVE-2024-26648
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay() In edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay' was dereferenced before the pointer 'link' & 'replay' NULL check. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: se corrigió la diferenciación de variables antes de la verificación NULL en edp_setup_replay() En edp_setup_replay(), se eliminó la referencia a 'struct dc *dc' y 'struct dmub_replay *replay' antes de la comprobación NULL del puntero 'enlace' y 'repetición'. Corrige lo siguiente: drivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() advertencia: variable desreferenciada antes de marcar 'enlace' (ver línea 933) • https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935 https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7 https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c •