CVE-2024-38606 – crypto: qat - validate slices count returned by FW
https://notcve.org/view.php?id=CVE-2024-38606
In the Linux kernel, the following vulnerability has been resolved: crypto: qat - validate slices count returned by FW The function adf_send_admin_tl_start() enables the telemetry (TL) feature on a QAT device by sending the ICP_QAT_FW_TL_START message to the firmware. This triggers the FW to start writing TL data to a DMA buffer in memory and returns an array containing the number of accelerators of each type (slices) supported by this HW. The pointer to this array is stored in the adf_tl_hw_data data structure called slice_cnt. The array slice_cnt is then used in the function tl_print_dev_data() to report in debugfs only statistics about the supported accelerators. An incorrect value of the elements in slice_cnt might lead to an out of bounds memory read. At the moment, there isn't an implementation of FW that returns a wrong value, but for robustness validate the slice count array returned by FW. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: crypto: qat: valida el recuento de segmentos devueltos por el FW. La función adf_send_admin_tl_start() habilita la función de telemetría (TL) en un dispositivo QAT enviando el mensaje ICP_QAT_FW_TL_START al firmware. Esto hace que el FW comience a escribir datos TL en un búfer DMA en la memoria y devuelve una matriz que contiene la cantidad de aceleradores de cada tipo (porciones) admitidos por este HW. • https://git.kernel.org/stable/c/69e7649f7cc2aaa7889174456d39319a623c1a18 https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77 https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82 https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c •
CVE-2024-38605 – ALSA: core: Fix NULL module pointer assignment at card init
https://notcve.org/view.php?id=CVE-2024-38605
In the Linux kernel, the following vulnerability has been resolved: ALSA: core: Fix NULL module pointer assignment at card init The commit 81033c6b584b ("ALSA: core: Warn on empty module") introduced a WARN_ON() for a NULL module pointer passed at snd_card object creation, and it also wraps the code around it with '#ifdef MODULE'. This works in most cases, but the devils are always in details. "MODULE" is defined when the target code (i.e. the sound core) is built as a module; but this doesn't mean that the caller is also built-in or not. Namely, when only the sound core is built-in (CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m), the passed module pointer is ignored even if it's non-NULL, and card->module remains as NULL. This would result in the missing module reference up/down at the device open/close, leading to a race with the code execution after the module removal. For addressing the bug, move the assignment of card->module again out of ifdef. • https://git.kernel.org/stable/c/81033c6b584b44514cbb16fffc26ca29a0fa6270 https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434 https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811 https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92 https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5 https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12 https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e73511 • CWE-476: NULL Pointer Dereference •
CVE-2024-38604 – block: refine the EOF check in blkdev_iomap_begin
https://notcve.org/view.php?id=CVE-2024-38604
In the Linux kernel, the following vulnerability has been resolved: block: refine the EOF check in blkdev_iomap_begin blkdev_iomap_begin rounds down the offset to the logical block size before stashing it in iomap->offset and checking that it still is inside the inode size. Check the i_size check to the raw pos value so that we don't try a zero size write if iter->pos is unaligned. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: refina la comprobación de EOF en blkdev_iomap_begin blkdev_iomap_begin redondea hacia abajo el desplazamiento al tamaño del bloque lógico antes de guardarlo en iomap->offset y comprobar que todavía está dentro del tamaño del inodo. Verifique la verificación i_size en el valor pos sin formato para que no intentemos una escritura de tamaño cero si iter->pos no está alineado. • https://git.kernel.org/stable/c/487c607df790d366e67a7d6a30adf785cdd98e55 https://git.kernel.org/stable/c/910717920c8c3f9386277a44c44d448058a18084 https://git.kernel.org/stable/c/72c54e063c32aeb38d43a2bd897821e6e5a1757d https://git.kernel.org/stable/c/10b723bcba8986537a484aa94dbfc9093fd776a1 https://git.kernel.org/stable/c/0c12028aec837f5a002009bbf68d179d506510e8 https://access.redhat.com/security/cve/CVE-2024-38604 https://bugzilla.redhat.com/show_bug.cgi?id=2293361 • CWE-20: Improper Input Validation •
CVE-2024-38603 – drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()
https://notcve.org/view.php?id=CVE-2024-38603
In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action() fails, the irq vector is not freed, which leads to a memory leak. Replace the devm_add_action with devm_add_action_or_reset to ensure the irq vector can be destroyed when it fails. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/perf: hisi: hns3: en realidad usa devm_add_action_or_reset() pci_alloc_irq_vectors() asigna un vector irq. Cuando devm_add_action() falla, el vector irq no se libera, lo que provoca una pérdida de memoria. Reemplace devm_add_action con devm_add_action_or_reset para garantizar que el vector irq pueda destruirse cuando falla. • https://git.kernel.org/stable/c/66637ab137b44914356a9dc7a9b3f8ebcf0b0695 https://git.kernel.org/stable/c/1491a01ef5a98149048b12e208f6ed8e86ad10b9 https://git.kernel.org/stable/c/a7678a16c25b6ece1667ac681e3e783ff3de7a6f https://git.kernel.org/stable/c/2fcffaaf529d5fe3fdc6c0ee65a6f266b74de782 https://git.kernel.org/stable/c/b1e86f1ef8fa796f8935be392457639f3a907d91 https://git.kernel.org/stable/c/582c1aeee0a9e73010cf1c4cef338709860deeb0 •
CVE-2024-38602 – ax25: Fix reference count leak issues of ax25_dev
https://notcve.org/view.php?id=CVE-2024-38602
In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object "ax25_dev". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object "ax25_dev" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). • https://git.kernel.org/stable/c/d01ffb9eee4af165d83b08dd73ebdf9fe94a519b https://git.kernel.org/stable/c/ef0a2a0565727a48f2e36a2c461f8b1e3a61922d https://git.kernel.org/stable/c/e2b558fe507a1ed4c43db2b0057fc6e41f20a14c https://git.kernel.org/stable/c/418993bbaafb0cd48f904ba68eeda052d624c821 https://git.kernel.org/stable/c/5ea00fc60676c0eebfa8560ec461209d638bca9d https://git.kernel.org/stable/c/9af0fd5c4453a44c692be0cbb3724859b75d739b https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f453 •