CVE-2024-39464 – media: v4l: async: Fix notifier list entry init
https://notcve.org/view.php?id=CVE-2024-39464
In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix notifier list entry init struct v4l2_async_notifier has several list_head members, but only waiting_list and done_list are initialized. notifier_entry was kept 'zeroed' leading to an uninitialized list_head. This results in a NULL-pointer dereference if csi2_async_register() fails, e.g. node for remote endpoint is disabled, and returns -ENOTCONN. The following calls to v4l2_async_nf_unregister() results in a NULL pointer dereference. Add the missing list head initializer. • https://git.kernel.org/stable/c/b8ec754ae4c563f6aab8c0cb47aeb2eae67f1da3 https://git.kernel.org/stable/c/a80d1da923f671c1e6a14e8417cd2f117b27a442 https://git.kernel.org/stable/c/44f6d619c30f0c65fcdd2b6eba70fdb4460d87ad https://git.kernel.org/stable/c/6d8acd02c4c6a8f917eefac1de2e035521ca119d •
CVE-2024-39463 – 9p: add missing locking around taking dentry fid list
https://notcve.org/view.php?id=CVE-2024-39463
In the Linux kernel, the following vulnerability has been resolved: 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. • https://git.kernel.org/stable/c/154372e67d4053e56591245eb413686621941333 https://git.kernel.org/stable/c/3bb6763a8319170c2d41c4232c8e7e4c37dcacfb https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456 https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5 https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4 https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409 https://www.zerodayinitiative.com/advisories/ZDI-24-1194 • CWE-416: Use After Free •
CVE-2024-39462 – clk: bcm: dvp: Assign ->num before accessing ->hws
https://notcve.org/view.php?id=CVE-2024-39462
In the Linux kernel, the following vulnerability has been resolved: clk: bcm: dvp: Assign ->num before accessing ->hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer about the number of elements in hws, so that it can warn when hws is accessed out of bounds. ... En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clk: bcm: dvp: Assign ->num before accessing ->hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") anotó el miembro hws de 'struct clk_hw_onecell_data' con __counted_by, que informa al sanitizante de los límites sobre la cantidad de elementos en hws, para que pueda advertir cuando se accede a hws fuera de los límites. • https://git.kernel.org/stable/c/f316cdff8d677db9ad9c90acb44c4cd535b0ee27 https://git.kernel.org/stable/c/0dc913217fb79096597005bba9ba738e2db5cd02 https://git.kernel.org/stable/c/a1dd92fca0d6b58b55ed0484f75d4205dbb77010 https://git.kernel.org/stable/c/9368cdf90f52a68120d039887ccff74ff33b4444 • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-39461 – clk: bcm: rpi: Assign ->num before accessing ->hws
https://notcve.org/view.php?id=CVE-2024-39461
In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Assign ->num before accessing ->hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer about the number of elements in hws, so that it can warn when hws is accessed out of bounds. • https://git.kernel.org/stable/c/f316cdff8d677db9ad9c90acb44c4cd535b0ee27 https://git.kernel.org/stable/c/9562dbe5cdbb16ac887d27ef6f179980bb99193c https://git.kernel.org/stable/c/cdf9c7871d58d3df59d2775982e3533adb8ec920 https://git.kernel.org/stable/c/6dc445c1905096b2ed4db1a84570375b4e00cc0f •
CVE-2024-39371 – io_uring: check for non-NULL file pointer in io_file_can_poll()
https://notcve.org/view.php?id=CVE-2024-39371
In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer dereference off the forced async preparation path, if no file had been assigned. • https://git.kernel.org/stable/c/a76c0b31eef50fdb8b21d53a6d050f59241fb88e https://git.kernel.org/stable/c/c2844d5e58576c55d8e8d4a9f74902d3f7be8044 https://git.kernel.org/stable/c/43cfac7b88adedfb26c27834386992650f1642f3 https://git.kernel.org/stable/c/65561b4c1c9e01443cb76387eb36a9109e7048ee https://git.kernel.org/stable/c/5fc16fa5f13b3c06fdb959ef262050bd810416a2 •