CVE-2024-39500 – sock_map: avoid race between sock_map_close and sk_psock_put
https://notcve.org/view.php?id=CVE-2024-39500
In the Linux kernel, the following vulnerability has been resolved: sock_map: avoid race between sock_map_close and sk_psock_put sk_psock_get will return NULL if the refcount of psock has gone to 0, which will happen when the last call of sk_psock_put is done. • https://git.kernel.org/stable/c/aadb2bb83ff789de63b48b4edeab7329423a50d3 https://git.kernel.org/stable/c/4959ffc65a0e94f8acaac20deac49f89e6ded52d https://git.kernel.org/stable/c/5eabdf17fed2ad41b836bb4055ec36d95e512c50 https://git.kernel.org/stable/c/e946428439a0d2079959f5603256ac51b6047017 https://git.kernel.org/stable/c/3627605de498639a3c586c8684d12c89cba11073 https://git.kernel.org/stable/c/4b4647add7d3c8530493f7247d11e257ee425bf0 •
CVE-2024-39499 – vmci: prevent speculation leaks by sanitizing event in event_deliver()
https://notcve.org/view.php?id=CVE-2024-39499
In the Linux kernel, the following vulnerability has been resolved: vmci: prevent speculation leaks by sanitizing event in event_deliver() Coverity spotted that event_msg is controlled by user-space, event_msg->event_data.event is passed to event_deliver() and used as an index without sanitization. This change ensures that the event index is sanitized to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Only compile tested, no access to HW. A vulnerability was found in the event_deliver() function in the Linux kernel's VMCI component, where the issue involves a lack of sanitization for the event_data.event index controlled by user-space, which could lead to speculative information leaks. • https://git.kernel.org/stable/c/1d990201f9bb499b7c76ab00abeb7e803c0bcb2a https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81 https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3 https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8 https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b28424 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2024-39498 – drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2
https://notcve.org/view.php?id=CVE-2024-39498
In the Linux kernel, the following vulnerability has been resolved: drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 [Why] Commit: - commit 5aa1dfcdf0a4 ("drm/mst: Refactor the flow for payload allocation/removement") accidently overwrite the commit - commit 54d217406afe ("drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2") which cause regression. [How] Recover the original NULL fix and remove the unnecessary input parameter 'state' for drm_dp_add_payload_part2(). (cherry picked from commit 4545614c1d8da603e57b60dd66224d81b6ffc305) • https://git.kernel.org/stable/c/5aa1dfcdf0a429e4941e2eef75b006a8c7a8ac49 https://git.kernel.org/stable/c/8e21de5f99b2368a5155037ce0aae8aaba3f5241 https://git.kernel.org/stable/c/5a507b7d2be15fddb95bf8dee01110b723e2bcd9 https://access.redhat.com/security/cve/CVE-2024-39498 https://bugzilla.redhat.com/show_bug.cgi?id=2297470 • CWE-476: NULL Pointer Dereference •
CVE-2024-39497 – drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)
https://notcve.org/view.php?id=CVE-2024-39497
In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot: BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); Return -EINVAL early if COW mapping is detected. This bug affects all drm drivers using default shmem helpers. It can be reproduced by this simple example: void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset); ptr[0] = 0; • https://git.kernel.org/stable/c/2194a63a818db71065ebe09c8104f5f021ca4e7b https://git.kernel.org/stable/c/a508a102edf8735adc9bb73d37dd13c38d1a1b10 https://git.kernel.org/stable/c/3ae63a8c1685e16958560ec08d30defdc5b9cca0 https://git.kernel.org/stable/c/2219e5f97244b79c276751a1167615b9714db1b0 https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263 https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86 https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8 https://access.redhat.com/security/cve/CVE-2024-39497 • CWE-825: Expired Pointer Dereference •
CVE-2024-39496 – btrfs: zoned: fix use-after-free due to race with dev replace
https://notcve.org/view.php?id=CVE-2024-39496
In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. ... En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs:zoned: corrige el use-after-free debido a la ejecución con el reemplazo de desarrollo. • https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43 https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6 https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752 https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9 • CWE-416: Use After Free •