CVE-2024-36961 – thermal/debugfs: Fix two locking issues with thermal zone debug
https://notcve.org/view.php?id=CVE-2024-36961
In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Fix two locking issues with thermal zone debug With the current thermal zone locking arrangement in the debugfs code, user space can open the "mitigations" file for a thermal zone before the zone's debugfs pointer is set which will result in a NULL pointer dereference in tze_seq_start(). Moreover, thermal_debug_tz_remove() is not called under the thermal zone lock, so it can run in parallel with the other functions accessing the thermal zone's struct thermal_debugfs object. Then, it may clear tz->debugfs after one of those functions has checked it and the struct thermal_debugfs object may be freed prematurely. To address the first problem, pass a pointer to the thermal zone's struct thermal_debugfs object to debugfs_create_file() in thermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(), tze_seq_stop(), and tze_seq_show() retrieve it from s->private instead of a pointer to the thermal zone object. This will ensure that tz_debugfs will be valid across the "mitigations" file accesses until thermal_debugfs_remove_id() called by thermal_debug_tz_remove() removes that file. To address the second problem, use tz->lock in thermal_debug_tz_remove() around the tz->debugfs value check (in case the same thermal zone is removed at the same time in two different threads) and its reset to NULL. Cc :6.8+ <stable@vger.kernel.org> # 6.8+ En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/debugfs: soluciona dos problemas de bloqueo con la depuración de la zona térmica. Con la disposición actual de bloqueo de la zona térmica en el código debugfs, el espacio de usuario puede abrir el archivo de "mitigaciones" para una zona térmica antes. El puntero debugfs de la zona está configurado, lo que dará como resultado una desreferencia del puntero NULL en tze_seq_start(). • https://git.kernel.org/stable/c/7ef01f228c9f54c6260319858be138a8a7e9e704 https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8 https://access.redhat.com/security/cve/CVE-2024-36961 https://bugzilla.redhat.com/show_bug.cgi?id=2290407 • CWE-667: Improper Locking •
CVE-2024-36960 – drm/vmwgfx: Fix invalid reads in fence signaled events
https://notcve.org/view.php?id=CVE-2024-36960
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix invalid reads in fence signaled events Correctly set the length of the drm_event to the size of the structure that's actually used. The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resuling in oob reads. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vmwgfx: corrige lecturas no válidas en eventos señalizados de valla establezca correctamente la longitud de drm_event al tamaño de la estructura que realmente se utiliza. La longitud de drm_event se configuró en la estructura principal en lugar de en drm_vmw_event_fence que se supone debe leerse. drm_read usa el parámetro de longitud para copiar el evento al espacio del usuario, lo que resulta en lecturas oob. This vulnerability allows local attackers to disclose sensitive information on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of vmw fence events. • https://git.kernel.org/stable/c/8b7de6aa84682a3396544fd88cd457f95484573a https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9 https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36 https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0 https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22 https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb7242834 • CWE-125: Out-of-bounds Read •
CVE-2024-36959 – pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
https://notcve.org/view.php?id=CVE-2024-36959
In the Linux kernel, the following vulnerability has been resolved: pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() If we fail to allocate propname buffer, we need to drop the reference count we just took. Because the pinctrl_dt_free_maps() includes the droping operation, here we call it directly. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: pinctrl: devicetree: corrige la fuga de recuento de referencia en pinctrl_dt_to_map() Si no asignamos el búfer de nombre de propiedad, debemos eliminar el recuento de referencias que acabamos de tomar. Debido a que pinctrl_dt_free_maps() incluye la operación de eliminación, aquí la llamamos directamente. • https://git.kernel.org/stable/c/a988dcd3dd9e691c5ccc3324b209688f3b5453e9 https://git.kernel.org/stable/c/040f726fecd88121f3b95e70369785ad452dddf9 https://git.kernel.org/stable/c/777430aa4ddccaa5accec6db90ffc1d47f00d471 https://git.kernel.org/stable/c/97e5b508e96176f1a73888ed89df396d7041bfcb https://git.kernel.org/stable/c/91d5c5060ee24fe8da88cd585bb43b843d2f0dce https://git.kernel.org/stable/c/aaf552c5d53abe4659176e099575fe870d2e4768 https://git.kernel.org/stable/c/b4d9f55cd38435358bc16d580612bc0d798d7b4c https://git.kernel.org/stable/c/5834a3a98cd266ad35a229923c0adbd0a •
CVE-2024-36958 – NFSD: Fix nfsd4_encode_fattr4() crasher
https://notcve.org/view.php?id=CVE-2024-36958
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix nfsd4_encode_fattr4() crasher Ensure that args.acl is initialized early. It is used in an unconditional call to kfree() on the way out of nfsd4_encode_fattr4(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFSD: corrija el error nfsd4_encode_fattr4() Asegúrese de que args.acl se inicialice temprano. Se utiliza en una llamada incondicional a kfree() al salir de nfsd4_encode_fattr4(). • https://git.kernel.org/stable/c/83ab8678ad0c6f27594c716cafe59c8bbd5e49ef https://git.kernel.org/stable/c/6a7b07689af6e4e023404bf69b1230f43b2a15bc https://git.kernel.org/stable/c/18180a4550d08be4eb0387fe83f02f703f92d4e7 •
CVE-2024-36957 – octeontx2-af: avoid off-by-one read from userspace
https://notcve.org/view.php?id=CVE-2024-36957
In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: avoid off-by-one read from userspace We try to access count + 1 byte from userspace with memdup_user(buffer, count + 1). However, the userspace only provides buffer of count bytes and only these count bytes are verified to be okay to access. To ensure the copied buffer is NUL terminated, we use memdup_user_nul instead. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: octeontx2-af: evitar lecturas uno por uno desde el espacio de usuario Intentamos acceder al recuento + 1 byte desde el espacio de usuario con memdup_user (búfer, recuento + 1). Sin embargo, el espacio de usuario solo proporciona un búfer de bytes de recuento y solo se verifica que se puede acceder a estos bytes de recuento. • https://git.kernel.org/stable/c/dae49384d0d7695540e2d75168f323cef1384810 https://git.kernel.org/stable/c/3a2eb515d1367c0f667b76089a6e727279c688b8 https://git.kernel.org/stable/c/c9a2ed3fdd037314a71e6a6ba5d99a3605f6f9c7 https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67 https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7 https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbe • CWE-193: Off-by-one Error •