CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-36014 – drm/arm/malidp: fix a possible null pointer dereference
https://notcve.org/view.php?id=CVE-2024-36014
In the Linux kernel, the following vulnerability has been resolved: drm/arm/malidp: fix a possible null pointer dereference In malidp_mw_connector_reset, new memory is allocated with kzalloc, but no check is performed. In order to prevent null pointer dereferencing, ensure that mw_state is checked before calling __drm_atomic_helper_connector_reset. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/arm/malidp: corrige una posible desreferencia del puntero nulo En malidp_mw_connector_reset, se asigna nueva memoria con kzalloc, pero no se realiza ninguna verificación. Para evitar la desreferenciación del puntero nulo, asegúrese de que mw_state esté marcado antes de llamar a __drm_atomic_helper_connector_reset. • https://git.kernel.org/stable/c/8cbc5caf36ef7a299b5cbedf55f27fd898d700bf https://git.kernel.org/stable/c/b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818 https://git.kernel.org/stable/c/565d9ad7e5a18eb69ed8b66a9e9bb3f45346520c https://git.kernel.org/stable/c/a5fa5b40a278a3ca978fed64707bd27614adb1eb https://git.kernel.org/stable/c/3e54d4e95120641216dfe91a6c49f116a9f68490 https://git.kernel.org/stable/c/e4b52d49383306ef73fd1bd9102538beebb0fe07 https://git.kernel.org/stable/c/335cc45ef2b81b68be63c698b4f867a530bdf7a5 https://git.kernel.org/stable/c/b77620730f614059db2470e8ebab3e725 •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36013 – Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
https://notcve.org/view.php?id=CVE-2024-36013
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: L2CAP: corrige slab-use-after-free en l2cap_connect() Amplia una sección crítica para evitar que chan se libere anticipadamente. También anule el tipo de retorno l2cap_connect(). Nada utiliza el valor devuelto, pero es feo devolver un puntero potencialmente liberado. • https://git.kernel.org/stable/c/73ffa904b78287f6acf8797e040150aa26a4af4a https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5 https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6 https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658 http://www.openwall.com/lists/oss-security/2024/05/30/1 http://www.openwall.com/lists/oss-security/2024/05/30/2 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36012 – Bluetooth: msft: fix slab-use-after-free in msft_do_close()
https://notcve.org/view.php?id=CVE-2024-36012
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: msft: fix slab-use-after-free in msft_do_close() Tying the msft->data lifetime to hdev by freeing it in hci_release_dev() to fix the following case: [use] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- passed. return; mutex_lock(&msft->filter_lock); ...(4) <- used after freed. [free] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) kfree(msft); ...(3) <- msft is freed. ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: msft: corrija slab-use-after-free en msft_do_close() Vinculando la vida útil de msft->data a hdev liberándolo en hci_release_dev() para solucionar el siguiente caso: [usar] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- aprobado. devolver; mutex_lock(&msft->filter_lock); ...(4) <- usado después de liberado. [gratis] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) klibre(msft); ...(3) <- se libera msft. ==================================================== ================ ERROR: KASAN: slab-use-after-free en __mutex_lock_common kernel/locking/mutex.c:587 [en línea] ERROR: KASAN: slab-use-after -free en __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Lectura de tamaño 8 en addr ffff888106cbbca8 por tarea kworker/u5:2/309 • https://git.kernel.org/stable/c/bf6a4e30ffbd9e9ef8934582feb937f6532f8b68 https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76 https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940 https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56 https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-36011 – Bluetooth: HCI: Fix potential null-ptr-deref
https://notcve.org/view.php?id=CVE-2024-36011
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HCI: Fix potential null-ptr-deref Fix potential null-ptr-deref in hci_le_big_sync_established_evt(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: HCI: Reparar potencial null-ptr-deref Reparar potencial null-ptr-deref en hci_le_big_sync_establecido_evt(). • https://git.kernel.org/stable/c/f777d88278170410b06a1f6633f3b9375a4ddd6b https://git.kernel.org/stable/c/970aaee1d264ff8b6907005f47b8724ad45f1e48 https://git.kernel.org/stable/c/993fffbcc6164a9b9b6446f21f3caa649e3c7346 https://git.kernel.org/stable/c/1f7ebb69c1d65732bcac2fda9d15421f76f01e81 https://git.kernel.org/stable/c/9f3be61f55d4eedc20eedc56c0f04a5ce2b4a55a https://git.kernel.org/stable/c/d2706004a1b8b526592e823d7e52551b518a7941 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-36009 – ax25: Fix netdev refcount issue
https://notcve.org/view.php?id=CVE-2024-36009
In the Linux kernel, the following vulnerability has been resolved: ax25: Fix netdev refcount issue The dev_tracker is added to ax25_cb in ax25_bind(). When the ax25 device is detaching, the dev_tracker of ax25_cb should be deallocated in ax25_kill_by_device() instead of the dev_tracker of ax25_dev. The log reported by ref_tracker is shown below: [ 80.884935] ref_tracker: reference already released. [ 80.885150] ref_tracker: allocated in: [ 80.885349] ax25_dev_device_up+0x105/0x540 [ 80.885730] ax25_device_event+0xa4/0x420 [ 80.885730] notifier_call_chain+0xc9/0x1e0 [ 80.885730] __dev_notify_flags+0x138/0x280 [ 80.885730] dev_change_flags+0xd7/0x180 [ 80.885730] dev_ifsioc+0x6a9/0xa30 [ 80.885730] dev_ioctl+0x4d8/0xd90 [ 80.885730] sock_do_ioctl+0x1c2/0x2d0 [ 80.885730] sock_ioctl+0x38b/0x4f0 [ 80.885730] __se_sys_ioctl+0xad/0xf0 [ 80.885730] do_syscall_64+0xc4/0x1b0 [ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 80.885730] ref_tracker: freed in: [ 80.885730] ax25_device_event+0x272/0x420 [ 80.885730] notifier_call_chain+0xc9/0x1e0 [ 80.885730] dev_close_many+0x272/0x370 [ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180 [ 80.885730] unregister_netdev+0xcf/0x120 [ 80.885730] sixpack_close+0x11f/0x1b0 [ 80.885730] tty_ldisc_kill+0xcb/0x190 [ 80.885730] tty_ldisc_hangup+0x338/0x3d0 [ 80.885730] __tty_hangup+0x504/0x740 [ 80.885730] tty_release+0x46e/0xd80 [ 80.885730] __fput+0x37f/0x770 [ 80.885730] __x64_sys_close+0x7b/0xb0 [ 80.885730] do_syscall_64+0xc4/0x1b0 [ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 80.893739] ------------[ cut here ]------------ [ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0 [ 80.894297] Modules linked in: [ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11 [ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4 [ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0 [ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9 [ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286 [ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000 [ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518 [ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a [ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4 [ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518 [ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000 [ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0 ... [ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at [ 80.935774] ax25_bind+0x424/0x4e0 [ 80.935774] __sys_bind+0x1d9/0x270 [ 80.935774] __x64_sys_bind+0x75/0x80 [ 80.935774] do_syscall_64+0xc4/0x1b0 [ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f Change ax25_dev->dev_tracker to the dev_tracker of ax25_cb in order to mitigate the bug. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ax25: soluciona el problema de recuento de netdev. El dev_tracker se agrega a ax25_cb en ax25_bind(). • https://git.kernel.org/stable/c/feef318c855a361a1eccd880f33e88c460eb63b4 https://git.kernel.org/stable/c/b8c07f33aa35dacf5444e7053ed9662d1869f536 https://git.kernel.org/stable/c/b1e0a6fc7f17500484c402ad1cd018c24dfc14b3 https://git.kernel.org/stable/c/7528d0f2210c3a1154186175516ed37aa970f2b1 https://git.kernel.org/stable/c/57cc15f5fd550316e4104eaf84b90fbc640fd7a5 https://git.kernel.org/stable/c/b982492ec3a115e0a136856a1b2dbe32f2d21a0e https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851 https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69 •