CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26751 – ARM: ep93xx: Add terminator to gpiod_lookup_table
https://notcve.org/view.php?id=CVE-2024-26751
In the Linux kernel, the following vulnerability has been resolved: ARM: ep93xx: Add terminator to gpiod_lookup_table Without the terminator, if a con_id is passed to gpio_find() that does not exist in the lookup table the function will not stop looping correctly, and eventually cause an oops. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ARM: ep93xx: Agregar terminador a gpiod_lookup_table Sin el terminador, si se pasa un con_id a gpio_find() que no existe en la tabla de búsqueda, la función no dejará de repetirse correctamente y eventualmente causará un oops • https://git.kernel.org/stable/c/b2e63555592f81331c8da3afaa607d8cf83e8138 https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482 https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48 https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8 https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997 https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26749 – usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
https://notcve.org/view.php?id=CVE-2024-26749
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() ... cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->list); ... 'priv_req' actually free at cdns3_gadget_ep_free_request(). But list_del_init() use priv_req->list after it. [ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4 [ 1542.642868][ T534] [ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3): [ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4 [ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3] [ 1542.671571][ T534] usb_ep_disable+0x44/0xe4 [ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8 [ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368 [ 1542.685478][ T534] ffs_func_disable+0x18/0x28 Move list_del_init() before cdns3_gadget_ep_free_request() to resolve this problem. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: usb: cdns3: uso de memoria fijo después de liberar en cdns3_gadget_ep_disable() ... cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->lista); ... 'priv_req' en realidad es gratuito en cdns3_gadget_ep_free_request(). Pero list_del_init() usa priv_req->list después. [ 1542.642868][ T534] ERROR: KFENCE: lectura de uso después de liberación en __list_del_entry_valid+0x10/0xd4 [ 1542.642868][ T534] [ 1542.653162][ T534] Lectura de uso después de liberación en 0x000000009ed0ba99 (en kfence-#3 ): [ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4 [ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3] [ 1542.671571][ T534] usb_ep_disable+0x44/0x e4 [ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8 [ 1542.680839] [ T534] ffs_func_set_alt+0x74/0x368 [ 1542.685478][ T534] ffs_func_disable+0x18/0x28 Mueva list_del_init() antes de cdns3_gadget_ep_free_request() para resolver este problema. • https://git.kernel.org/stable/c/7733f6c32e36ff9d7adadf40001039bf219b1cbe https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824 https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643 https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3 https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9 https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16 https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95c •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26748 – usb: cdns3: fix memory double free when handle zero packet
https://notcve.org/view.php?id=CVE-2024-26748
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. Needn't call usb_gadget_giveback_request() because it is allocated in this driver. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: cdns3: corrige la memoria doblemente libre cuando se maneja el paquete cero 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, solicitud 832); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (solicitud->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, solicitud); El controlador agrega una solicitud de paquete cero adicional cuando pone en cola un paquete, cuya longitud mod tamaño máximo del paquete es 0. Cuando se complete la transferencia, ejecute la línea 831, usb_gadget_giveback_request() liberará esta solicitud. • https://git.kernel.org/stable/c/7733f6c32e36ff9d7adadf40001039bf219b1cbe https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7 https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48 https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8 https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019 https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3 https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a66 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26747 – usb: roles: fix NULL pointer issue when put module's reference
https://notcve.org/view.php?id=CVE-2024-26747
In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer issue when put module's reference In current design, usb role class driver will get usb_role_switch parent's module reference after the user get usb_role_switch device and put the reference after the user put the usb_role_switch device. However, the parent device of usb_role_switch may be removed before the user put the usb_role_switch. If so, then, NULL pointer issue will be met when the user put the parent module's reference. This will save the module pointer in structure of usb_role_switch. Then, we don't need to find module by iterating long relations. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: roles: soluciona el problema del puntero NULL al colocar la referencia del módulo. • https://git.kernel.org/stable/c/5c54fcac9a9de559b444ac63ec3cd82f1d157a0b https://git.kernel.org/stable/c/7b169e33a3bc9040e06988b2bc15e83d2af80358 https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1 https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913 https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734 https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef42136 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26744 – RDMA/srpt: Support specifying the srpt_service_guid parameter
https://notcve.org/view.php?id=CVE-2024-26744
In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Support specifying the srpt_service_guid parameter Make loading ib_srpt with this parameter set work. The current behavior is that setting that parameter while loading the ib_srpt kernel module triggers the following kernel crash: BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> parse_one+0x18c/0x1d0 parse_args+0xe1/0x230 load_module+0x8de/0xa60 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x181/0x240 __x64_sys_finit_module+0x5a/0xb0 do_syscall_64+0x5f/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/srpt: admite la especificación del parámetro srpt_service_guid. Hace que la carga de ib_srpt con este conjunto de parámetros funcione. El comportamiento actual es que configurar ese parámetro mientras se carga el módulo del kernel ib_srpt desencadena el siguiente fallo del kernel: ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000000 Seguimiento de llamadas: parse_one+0x18c/0x1d0 parse_args+0xe1/0x230 load_module+0x8de/ 0xa60 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x181/0x240 __x64_sys_finit_module+0x5a/0xb0 do_syscall_64+0x5f/0xe0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 A flaw was foundin the Linux Kernel when specifying the srpt_service_guid parameter, which may lead to kernel crash. • https://git.kernel.org/stable/c/a42d985bd5b234da8b61347a78dc3057bf7bb94d https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82 https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4 https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8 https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f3375778 • CWE-476: NULL Pointer Dereference •