CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-35956 – btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
https://notcve.org/view.php?id=CVE-2024-35956
In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction. However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. • https://git.kernel.org/stable/c/e85fde5162bf1b242cbd6daf7dba0f9b457d592b https://git.kernel.org/stable/c/2978cb474745b2d93c263008d265e89985706094 https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9 https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2024-35955 – kprobes: Fix possible use-after-free issue on kprobe registration
https://notcve.org/view.php?id=CVE-2024-35955
In the Linux kernel, the following vulnerability has been resolved: kprobes: Fix possible use-after-free issue on kprobe registration When unloading a module, its state is changing MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take a time. `is_module_text_address()` and `__module_text_address()` works with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one is succeeded but the next one is failed because module->state becomes MODULE_STATE_UNFORMED between those operations. In `check_kprobe_address_safe()`, if the second `__module_text_address()` is failed, that is ignored because it expected a kernel_text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify non-exist module text address (use-after-free). To fix this problem, we should not use separated `is_module_text_address()` and `__module_text_address()`, but use only `__module_text_address()` once and do `try_module_get(module)` which is only available with MODULE_STATE_LIVE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: kprobes: soluciona un posible problema de use after free en el registro de kprobe Al descargar un módulo, su estado cambia MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. • https://git.kernel.org/stable/c/1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8 https://git.kernel.org/stable/c/6a119c1a584aa7a2c6216458f1f272bf1bc93a93 https://git.kernel.org/stable/c/2a49b025c36ae749cee7ccc4b7e456e02539cdc3 https://git.kernel.org/stable/c/a1edb85e60fdab1e14db63ae8af8db3f0d798fb6 https://git.kernel.org/stable/c/28f6c37a2910f565b4f5960df52b2eccae28c891 https://git.kernel.org/stable/c/4262b6eb057d86c7829168c541654fe0d48fdac8 https://git.kernel.org/stable/c/97e813e6a143edf4208e15c72199c495ed80cea5 https://git.kernel.org/stable/c/16a544f1e013ba0660612f3fe35393b14 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35953 – accel/ivpu: Fix deadlock in context_xa
https://notcve.org/view.php?id=CVE-2024-35953
In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix deadlock in context_xa ivpu_device->context_xa is locked both in kernel thread and IRQ context. It requires XA_FLAGS_LOCK_IRQ flag to be passed during initialization otherwise the lock could be acquired from a thread and interrupted by an IRQ that locks it for the second time causing the deadlock. This deadlock was reported by lockdep and observed in internal tests. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: accel/ivpu: corrige el punto muerto en context_xa ivpu_device->context_xa está bloqueado tanto en el subproceso del kernel como en el contexto IRQ. Requiere que se pase el indicador XA_FLAGS_LOCK_IRQ durante la inicialización; de lo contrario, el bloqueo podría adquirirse de un subproceso e interrumpirse mediante una IRQ que lo bloquee por segunda vez, provocando el punto muerto. Este punto muerto fue informado por lockdep y observado en pruebas internas. • https://git.kernel.org/stable/c/35b137630f08d913fc2e33df33ccc2570dff3f7d https://git.kernel.org/stable/c/d43e11d9c7fcb16f18bd46ab2556c2772ffc5775 https://git.kernel.org/stable/c/e6011411147209bc0cc14628cbc155356837e52a https://git.kernel.org/stable/c/fd7726e75968b27fe98534ccbf47ccd6fef686f3 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-35952 – drm/ast: Fix soft lockup
https://notcve.org/view.php?id=CVE-2024-35952
In the Linux kernel, the following vulnerability has been resolved: drm/ast: Fix soft lockup There is a while-loop in ast_dp_set_on_off() that could lead to infinite-loop. This is because the register, VGACRI-Dx, checked in this API is a scratch register actually controlled by a MCU, named DPMCU, in BMC. These scratch registers are protected by scu-lock. If suc-lock is not off, DPMCU can not update these registers and then host will have soft lockup due to never updated status. DPMCU is used to control DP and relative registers to handshake with host's VGA driver. Even the most time-consuming task, DP's link training, is less than 100ms. 200ms should be enough. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/ast: corrige el bloqueo suave. • https://git.kernel.org/stable/c/594e9c04b5864b4b8b151ef4ba9521c59e0f5c54 https://git.kernel.org/stable/c/8a6fea3fcb577a543ef67683ca7105bde49a38fb https://git.kernel.org/stable/c/a81b2acd43e24e419f65df97348c76a5a1496066 https://git.kernel.org/stable/c/35768baf0fdfc47ede42d899506bad78450e9294 https://git.kernel.org/stable/c/bc004f5038220b1891ef4107134ccae44be55109 https://access.redhat.com/security/cve/CVE-2024-35952 https://bugzilla.redhat.com/show_bug.cgi?id=2281938 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35951 – drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()
https://notcve.org/view.php?id=CVE-2024-35951
In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/panfrost: corrige la ruta de error en panfrost_mmu_map_fault_addr() Asunto: [PATCH] drm/panfrost: corrige la ruta de error en panfrost_mmu_map_fault_addr() Si algunas páginas o la asignación de sgt fallaron, No deberíamos publicar la referencia de páginas que obtuvimos anteriormente, de lo contrario terminaremos con llamadas get/put_pages() desequilibradas. En su lugar, deberíamos dejar todo en su lugar y dejar que la función de liberación de BO se encargue de una limpieza adicional cuando se destruya el objeto, o dejar que el controlador de fallos lo intente nuevamente la próxima vez que se llame. • https://git.kernel.org/stable/c/187d2929206e6b098312c174ea873e4cedf5420d https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002 https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3 http://www.openwall.com/lists/oss-security/2024/05/30/1 http://www.openwall.com/lists/oss-security/2024/05/30/2 •