CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-44978 – drm/xe: Free job before xe_exec_queue_put
https://notcve.org/view.php?id=CVE-2024-44978
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Free job before xe_exec_queue_put Free job depends on job->vm being valid, the last xe_exec_queue_put can destroy the VM. Prevent UAF by freeing job before xe_exec_queue_put. (cherry picked from commit 32a42c93b74c8ca6d0915ea3eba21bceff53042f) • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 https://git.kernel.org/stable/c/98aa0330f200b9b8fb9e1298e006eda57a13351c https://git.kernel.org/stable/c/9e7f30563677fbeff62d368d5d2a5ac7aaa9746a •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-44977 – drm/amdgpu: Validate TA binary size
https://notcve.org/view.php?id=CVE-2024-44977
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Validate TA binary size Add TA binary size validation to avoid OOB write. (cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442) • https://git.kernel.org/stable/c/5ab8793b9a6cc059f503cbe6fe596f80765e0f19 https://git.kernel.org/stable/c/50553ea7cbd3344fbf40afb065f6a2d38171c1ad https://git.kernel.org/stable/c/e562415248f402203e7fb6d8c38c1b32fa99220f https://git.kernel.org/stable/c/c99769bceab4ecb6a067b9af11f9db281eea3e2a •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-44975 – cgroup/cpuset: fix panic caused by partcmd_update
https://notcve.org/view.php?id=CVE-2024-44975
In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: fix panic caused by partcmd_update We find a bug as below: BUG: unable to handle page fault for address: 00000003 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 358 Comm: bash Tainted: G W I 6.6.0-10893-g60d6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/4 RIP: 0010:partition_sched_domains_locked+0x483/0x600 Code: 01 48 85 d2 74 0d 48 83 05 29 3f f8 03 01 f3 48 0f bc c2 89 c0 48 9 RSP: 0018:ffffc90000fdbc58 EFLAGS: 00000202 RAX: 0000000100000003 RBX: ffff888100b3dfa0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000002fe80 RBP: ffff888100b3dfb0 R08: 0000000000000001 R09: 0000000000000000 R10: ffffc90000fdbcb0 R11: 0000000000000004 R12: 0000000000000002 R13: ffff888100a92b48 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f44a5425740(0000) GS:ffff888237d80000(0000) knlGS:0000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000100030973 CR3: 000000010722c000 CR4: 00000000000006e0 Call Trace: <TASK> ? show_regs+0x8c/0xa0 ? __die_body+0x23/0xa0 ? __die+0x3a/0x50 ? page_fault_oops+0x1d2/0x5c0 ? • https://git.kernel.org/stable/c/0c7f293efc87a06b51db9aa65256f8cb0a5a0a21 https://git.kernel.org/stable/c/73d6c6cf8ef6a3c532aa159f5114077746a372d6 https://git.kernel.org/stable/c/959ab6350add903e352890af53e86663739fcb9a •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-44974 – mptcp: pm: avoid possible UaF when selecting endp
https://notcve.org/view.php?id=CVE-2024-44974
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. • https://git.kernel.org/stable/c/01cacb00b35cb62b139f07d5f84bcf0eeda8eff6 https://git.kernel.org/stable/c/ddee5b4b6a1cc03c1e9921cf34382e094c2009f1 https://git.kernel.org/stable/c/f2c865e9e3ca44fc06b5f73b29a954775e4dbb38 https://git.kernel.org/stable/c/2b4f46f9503633dade75cb796dd1949d0e6581a1 https://git.kernel.org/stable/c/9a9afbbc3fbfca4975eea4aa5b18556db5a0c0b8 https://git.kernel.org/stable/c/0201d65d9806d287a00e0ba96f0321835631f63f https://git.kernel.org/stable/c/48e50dcbcbaaf713d82bf2da5c16aeced94ad07d •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-44973 – mm, slub: do not call do_slab_free for kfence object
https://notcve.org/view.php?id=CVE-2024-44973
In the Linux kernel, the following vulnerability has been resolved: mm, slub: do not call do_slab_free for kfence object In 782f8906f805 the freeing of kfence objects was moved from deep inside do_slab_free to the wrapper functions outside. This is a nice change, but unfortunately it missed one spot in __kmem_cache_free_bulk. This results in a crash like this: BUG skbuff_head_cache (Tainted: G S B E ): Padding overwritten. 0xffff88907fea0f00-0xffff88907fea0fff @offset=3840 slab_err (mm/slub.c:1129) free_to_partial_list (mm/slub.c:? mm/slub.c:4036) slab_pad_check (mm/slub.c:864 mm/slub.c:1290) check_slab (mm/slub.c:?) free_to_partial_list (mm/slub.c:3171 mm/slub.c:4036) kmem_cache_alloc_bulk (mm/slub.c:? mm/slub.c:4495 mm/slub.c:4586 mm/slub.c:4635) napi_build_skb (net/core/skbuff.c:348 net/core/skbuff.c:527 net/core/skbuff.c:549) All the other callers to do_slab_free appear to be ok. Add a kfence_free check in __kmem_cache_free_bulk to avoid the crash. • https://git.kernel.org/stable/c/782f8906f8057efc7151b4b98b0a0280a71d005f https://git.kernel.org/stable/c/b35cd7f1e969aaa63e6716d82480f6b8a3230949 https://git.kernel.org/stable/c/a371d558e6f3aed977a8a7346350557de5d25190 •