CVE-2024-41069 – ASoC: topology: Fix references to freed memory
https://notcve.org/view.php?id=CVE-2024-41069
In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. • https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2 https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702 https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1 •
CVE-2024-41068 – s390/sclp: Fix sclp_init() cleanup on failure
https://notcve.org/view.php?id=CVE-2024-41068
In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix sclp_init() cleanup on failure If sclp_init() fails it only partially cleans up: if there are multiple failing calls to sclp_init() sclp_state_change_event will be added several times to sclp_reg_list, which results in the following warning: ------------[ cut here ]------------ list_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10. WARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3 Krnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 ... Call Trace: [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8 ([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8) [<000003ffe0a8d37e>] sclp_init+0x40e/0x450 [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0 [<000003ffe15b77a6>] do_initcalls+0x126/0x150 [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8 [<000003ffe0d6650e>] kernel_init+0x2e/0x180 [<000003ffe000301c>] __ret_from_fork+0x3c/0x60 [<000003ffe0d759ca>] ret_from_fork+0xa/0x30 Fix this by removing sclp_state_change_event from sclp_reg_list when sclp_init() fails. • https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83 https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090 https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6 https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3 https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808 https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e •
CVE-2024-41067 – btrfs: scrub: handle RST lookup error correctly
https://notcve.org/view.php?id=CVE-2024-41067
In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: handle RST lookup error correctly [BUG] When running btrfs/060 with forced RST feature, it would crash the following ASSERT() inside scrub_read_endio(): ASSERT(sector_nr < stripe->nr_sectors); Before that, we would have tree dump from btrfs_get_raid_extent_offset(), as we failed to find the RST entry for the range. [CAUSE] Inside scrub_submit_extent_sector_read() every time we allocated a new bbio we immediately called btrfs_map_block() to make sure there was some RST range covering the scrub target. But if btrfs_map_block() fails, we immediately call endio for the bbio, while the bbio is newly allocated, it's completely empty. Then inside scrub_read_endio(), we go through the bvecs to find the sector number (as bi_sector is no longer reliable if the bio is submitted to lower layers). And since the bio is empty, such bvecs iteration would not find any sector matching the sector, and return sector_nr == stripe->nr_sectors, triggering the ASSERT(). [FIX] Instead of calling btrfs_map_block() after allocating a new bbio, call btrfs_map_block() first. Since our only objective of calling btrfs_map_block() is only to update stripe_len, there is really no need to do that after btrfs_alloc_bio(). This new timing would avoid the problem of handling empty bbio completely, and in fact fixes a possible race window for the old code, where if the submission thread is the only owner of the pending_io, the scrub would never finish (since we didn't decrease the pending_io counter). Although the root cause of RST lookup failure still needs to be addressed. • https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72 https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5 •
CVE-2024-41066 – ibmvnic: Add tx check to prevent skb leak
https://notcve.org/view.php?id=CVE-2024-41066
In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Add tx check to prevent skb leak Below is a summary of how the driver stores a reference to an skb during transmit: tx_buff[free_map[consumer_index]]->skb = new_skb; free_map[consumer_index] = IBMVNIC_INVALID_MAP; consumer_index ++; Where variable data looks like this: free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3] consumer_index^ tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null] The driver has checks to ensure that free_map[consumer_index] pointed to a valid index but there was no check to ensure that this index pointed to an unused/null skb address. • https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06 https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561 https://access.redhat.com/security/cve/CVE-2024-41066 https://bugzilla.redhat.com/show_bug.cgi?id=2300442 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-41065 – powerpc/pseries: Whitelist dtl slub object for copying to userspace
https://notcve.org/view.php?id=CVE-2024-41065
In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Whitelist dtl slub object for copying to userspace Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-* results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as shown below. kernel BUG at mm/usercopy.c:102! • https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6 https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2 https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4 https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586 https://access.redhat.com/security/cve/CVE-2024-41065 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •