CVSS: 7.4EPSS: 0%CPEs: 7EXPL: 0CVE-2024-27052 – wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work
https://notcve.org/view.php?id=CVE-2024-27052
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work The workqueue might still be running, when the driver is stopped. To avoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rtl8xxxu: agregue cancel_work_sync() para c2hcmd_work Es posible que la cola de trabajo aún esté ejecutándose cuando se detiene el controlador. Para evitar un use-after-free, llame a cancel_work_sync() en rtl8xxxu_stop(). A vulnerability was found in the Linux kernel's net rtl8xxxu_core.c driver, where a race condition can lead to a use-after-free situation in the rtl8xxxu_stop() function. • https://git.kernel.org/stable/c/e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 https://git.kernel.org/stable/c/dddedfa3b29a63c2ca4336663806a6128b8545b4 https://git.kernel.org/stable/c/ac512507ac89c01ed6cd4ca53032f52cdb23ea59 https://git.kernel.org/stable/c/3518cea837de4d106efa84ddac18a07b6de1384e https://git.kernel.org/stable/c/156012667b85ca7305cb363790d3ae8519a6f41e https://git.kernel.org/stable/c/7059cdb69f8e1a2707dd1e2f363348b507ed7707 https://git.kernel.org/stable/c/58fe3bbddfec10c6b216096d8c0e517cd8463e3a https://git.kernel.org/stable/c/1213acb478a7181cd73eeaf00db430f1e • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-27051 – cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value
https://notcve.org/view.php?id=CVE-2024-27051
In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cpufreq: brcmstb-avs-cpufreq: agregar verificación para el valor de retorno de cpufreq_cpu_get cpufreq_cpu_get puede devolver NULL. Para evitar la desreferencia NULL, verifíquelo y devuelva 0 en caso de error. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/de322e085995b9417582d6f72229dadb5c09d163 https://git.kernel.org/stable/c/9127599c075caff234359950117018a010dd01db https://git.kernel.org/stable/c/d951cf510fb0df91d3abac0121a59ebbc63c0567 https://git.kernel.org/stable/c/e72160cb6e23b78b41999d6885a34ce8db536095 https://git.kernel.org/stable/c/b25b64a241d769e932a022e5c780cf135ef56035 https://git.kernel.org/stable/c/74b84d0d71180330efe67c82f973a87f828323e5 https://git.kernel.org/stable/c/e6e3e51ffba0784782b1a076d7441605697ea3c6 https://git.kernel.org/stable/c/f661017e6d326ee187db24194cabb013d •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-27050 – libbpf: Use OPTS_SET() macro in bpf_xdp_query()
https://notcve.org/view.php?id=CVE-2024-27050
In the Linux kernel, the following vulnerability has been resolved: libbpf: Use OPTS_SET() macro in bpf_xdp_query() When the feature_flags and xdp_zc_max_segs fields were added to the libbpf bpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro. This causes libbpf to write to those fields unconditionally, which means that programs compiled against an older version of libbpf (with a smaller size of the bpf_xdp_query_opts struct) will have its stack corrupted by libbpf writing out of bounds. The patch adding the feature_flags field has an early bail out if the feature_flags field is not part of the opts struct (via the OPTS_HAS) macro, but the patch adding xdp_zc_max_segs does not. For consistency, this fix just changes the assignments to both fields to use the OPTS_SET() macro. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: libbpf: use la macro OPTS_SET() en bpf_xdp_query() Cuando los campos feature_flags y xdp_zc_max_segs se agregaron a libbpf bpf_xdp_query_opts, el código que los escribió no usó la macro OPTS_SET(). Esto hace que libbpf escriba en esos campos incondicionalmente, lo que significa que los programas compilados con una versión anterior de libbpf (con un tamaño más pequeño de la estructura bpf_xdp_query_opts) tendrán su pila dañada por la escritura de libbpf fuera de los límites. El parche que agrega el campo feature_flags tiene un rescate anticipado si el campo feature_flags no es parte de la estructura opts (a través de la macro OPTS_HAS), pero el parche que agrega xdp_zc_max_segs no lo hace. • https://git.kernel.org/stable/c/13ce2daa259a3bfbc9a5aeeee8b9a87058703731 https://git.kernel.org/stable/c/fa5bef5e80c6a3321b2b1a7070436f3bc5daf07c https://git.kernel.org/stable/c/682ddd62abd4bdcee7584246903e7a2df005fe0d https://git.kernel.org/stable/c/cd3be9843247edb8fc6fcd8d8237cbce2bc19f5e https://git.kernel.org/stable/c/92a871ab9fa59a74d013bc04f321026a057618e7 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-27048 – wifi: brcm80211: handle pmk_op allocation failure
https://notcve.org/view.php?id=CVE-2024-27048
In the Linux kernel, the following vulnerability has been resolved: wifi: brcm80211: handle pmk_op allocation failure The kzalloc() in brcmf_pmksa_v3_op() will return null if the physical memory has run out. As a result, if we dereference the null value, the null pointer dereference bug will happen. Return -ENOMEM from brcmf_pmksa_v3_op() if kzalloc() fails for pmk_op. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: brcm80211: maneja el error de asignación de pmk_op El kzalloc() en brcmf_pmksa_v3_op() devolverá nulo si la memoria física se ha agotado. Como resultado, si eliminamos la referencia del valor nulo, se producirá el error de desreferencia del puntero nulo. Devuelve -ENOMEM de brcmf_pmksa_v3_op() si kzalloc() falla para pmk_op. • https://git.kernel.org/stable/c/a96202acaea47fa8377088e0952bb63bd02a3bab https://git.kernel.org/stable/c/df62e22c2e27420e8990a4f09e30d7bf56c2036f https://git.kernel.org/stable/c/9975908315c13bae2f2ed5ba92870fa935180b0e https://git.kernel.org/stable/c/6138a82f3bccfc67ed7ac059493579fc326c02e5 https://git.kernel.org/stable/c/b4152222e04cb8afeeca239c90e3fcaf4c553b42 https://access.redhat.com/security/cve/CVE-2024-27048 https://bugzilla.redhat.com/show_bug.cgi?id=2278431 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-27047 – net: phy: fix phy_get_internal_delay accessing an empty array
https://notcve.org/view.php?id=CVE-2024-27047
In the Linux kernel, the following vulnerability has been resolved: net: phy: fix phy_get_internal_delay accessing an empty array The phy_get_internal_delay function could try to access to an empty array in the case that the driver is calling phy_get_internal_delay without defining delay_values and rx-internal-delay-ps or tx-internal-delay-ps is defined to 0 in the device-tree. This will lead to "unable to handle kernel NULL pointer dereference at virtual address 0". To avoid this kernel oops, the test should be delay >= 0. As there is already delay < 0 test just before, the test could only be size == 0. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: net:phy: fix phy_get_internal_delay accediendo a un array vacío La función phy_get_internal_delay podría intentar acceder a un array vacío en el caso de que el driver esté llamando a phy_get_internal_delay sin definir delay_values y rx-internal- delay-ps o tx-internal-delay-ps se define en 0 en el árbol de dispositivos. Esto provocará que "no se pueda manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0". • https://git.kernel.org/stable/c/92252eec913b2dd5e7b5de11ea3efa2e64d65cf4 https://git.kernel.org/stable/c/06dd21045a7e8bc8701b0ebedcd9a30a6325878b https://git.kernel.org/stable/c/0e939a002c8a7d66e60bd0ea6b281fb39d713c1a https://git.kernel.org/stable/c/2a2ff709511617de9c6c072eeee82bcbbdfecaf8 https://git.kernel.org/stable/c/589ec16174dd9378953b8232ae76fad0a96e1563 https://git.kernel.org/stable/c/c0691de7df1d51482a52cac93b7fe82fd9dd296b https://git.kernel.org/stable/c/0307cf443308ecc6be9b2ca312bb31bae5e5a7ad https://git.kernel.org/stable/c/4469c0c5b14a0919f5965c7ceac96b523 •