CVE-2023-52648 – drm/vmwgfx: Unmap the surface before resetting it on a plane state
https://notcve.org/view.php?id=CVE-2023-52648
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Unmap the surface before resetting it on a plane state Switch to a new plane state requires unreferencing of all held surfaces. In the work required for mob cursors the mapped surfaces started being cached but the variable indicating whether the surface is currently mapped was not being reset. This leads to crashes as the duplicated state, incorrectly, indicates the that surface is mapped even when no surface is present. That's because after unreferencing the surface it's perfectly possible for the plane to be backed by a bo instead of a surface. Reset the surface mapped flag when unreferencing the plane state surface to fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx] Code: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f> RSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600 RBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920 R10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000 R13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00 FS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0 Call Trace: <TASK> ? • https://git.kernel.org/stable/c/485d98d472d53f9617ffdfba5e677ac29ad4fe20 https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461 https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92 https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75 https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba https://access.redhat.com/security/cve/CVE-2023-52648 https://bugzilla.redhat.com/show_bug.cgi?id=2278539 •
CVE-2024-26928 – smb: client: fix potential UAF in cifs_debug_files_proc_show()
https://notcve.org/view.php?id=CVE-2024-26928
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_debug_files_proc_show() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. • https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88 https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1 https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502 •
CVE-2024-26927 – ASoC: SOF: Add some bounds checking to firmware data
https://notcve.org/view.php?id=CVE-2024-26927
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Add some bounds checking to firmware data Smatch complains about "head->full_size - head->header_size" can underflow. To some extent, we're always going to have to trust the firmware a bit. However, it's easy enough to add a check for negatives, and let's add a upper bounds check as well. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ASoC: SOF: agregue algunas comprobaciones de los límites a los datos del firmware. Smatch se queja de que "head->full_size - head->header_size" puede desbordarse. • https://git.kernel.org/stable/c/d2458baa799fff377660d86323dd20a3f4deecb4 https://git.kernel.org/stable/c/d133d67e7e724102d1e53009c4f88afaaf3e167c https://git.kernel.org/stable/c/ced7df8b3c5c4751244cad79011e86cf1f809153 https://git.kernel.org/stable/c/044e220667157fb9d59320341badec59cf45ba48 https://git.kernel.org/stable/c/9eeb8e1231f6450c574c1db979122e171a1813ab https://git.kernel.org/stable/c/98f681b0f84cfc3a1d83287b77697679e0398306 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2023-52646 – aio: fix mremap after fork null-deref
https://notcve.org/view.php?id=CVE-2023-52646
In the Linux kernel, the following vulnerability has been resolved: aio: fix mremap after fork null-deref Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced a null-deref if mremap is called on an old aio mapping after fork as mm->ioctx_table will be set to NULL. [jmoyer@redhat.com: fix 80 column issue] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: aio: corrige mremap después de la bifurcación null-deref Commit e4a0d3e720e7 ("aio: Make it posible reasignar el anillo aio") introdujo un null-deref si se llama a mremap en un mapeo aio antiguo después de la bifurcación como mm->ioctx_table se establecerá en NULL. [jmoyer@redhat.com: soluciona el problema de 80 columnas] • https://git.kernel.org/stable/c/e4a0d3e720e7e508749c1439b5ba3aff56c92976 https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95 https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22 https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2 https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1 https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e2997 •
CVE-2024-26926 – binder: check offset alignment in binder_get_object()
https://notcve.org/view.php?id=CVE-2024-26926
In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying txn") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df ("binder: add function to copy binder object from buffer"), likely removed due to redundancy at the time. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Binder: verifique la alineación de desplazamiento en binder_get_object() El commit 6d98eb95b450 ("binder: evite posibles fugas de datos al copiar txn") introdujo cambios en la forma en que se copian los objetos de Binder. Al hacerlo, eliminó involuntariamente una verificación de alineación de desplazamiento realizada mediante llamadas a binder_alloc_copy_from_buffer() -> check_buffer(). • https://git.kernel.org/stable/c/c056a6ba35e00ae943e377eb09abd77a6915b31a https://git.kernel.org/stable/c/23e9d815fad84c1bee3742a8de4bd39510435362 https://git.kernel.org/stable/c/7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde https://git.kernel.org/stable/c/6d98eb95b450a75adb4516a1d33652dc78d2b20c https://git.kernel.org/stable/c/66e12f5b3a9733f941893a00753b10498724607d https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12 https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da887 •