CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53193 – clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider
https://notcve.org/view.php?id=CVE-2024-53193
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider Some heap space is allocated for the flexible structure `struct clk_hw_onecell_data` and its flexible-array member `hws` through the composite structure `struct loongson2_clk_provider` in function `loongson2_clk_probe()`, as shown below: 289 struct loongson2_clk_provider *clp; ... 296 for (p = data; p->name; p++) 297 clks_num++; 298 299 clp = devm_kzalloc(dev, st... • https://git.kernel.org/stable/c/9796ec0bd04bb0e70487127d44949ca0554df5d3 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53192 – clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access
https://notcve.org/view.php?id=CVE-2024-53192
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access Flexible-array member `hws` in `struct clk_hw_onecell_data` is annotated with the `counted_by()` attribute. This means that when memory is allocated for this array, the _counter_, which in this case is member `num` in the flexible structure, should be set to the maximum number of elements the flexible array can contain, or fewer. In this case, the total number... • https://git.kernel.org/stable/c/9796ec0bd04bb0e70487127d44949ca0554df5d3 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53191 – wifi: ath12k: fix warning when unbinding
https://notcve.org/view.php?id=CVE-2024-53191
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix warning when unbinding If there is an error during some initialization related to firmware, the buffers dp->tx_ring[i].tx_status are released. However this is released again when the device is unbinded (ath12k_pci), and we get: WARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80 Call Trace: free_large_kmalloc ath12k_dp_free ath12k_core_deinit ath12k_pci_remove ... The issue is always reproducible from ... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-53190 – wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures
https://notcve.org/view.php?id=CVE-2024-53190
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures Syzkaller reported a hung task with uevent_show() on stack trace. That specific issue was addressed by another commit [0], but even with that fix applied (for example, running v6.12-rc5) we face another type of hung task that comes from the same reproducer [1]. By investigating that, we could narrow it to the following path: (a) Syzkaller emulates a Realtek USB... • https://git.kernel.org/stable/c/0c8173385e549f95cd80c3fff5aab87b4f881d8d •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53189 – wifi: nl80211: fix bounds checker error in nl80211_parse_sched_scan
https://notcve.org/view.php?id=CVE-2024-53189
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix bounds checker error in nl80211_parse_sched_scan The channels array in the cfg80211_scan_request has a __counted_by attribute attached to it, which points to the n_channels variable. This attribute is used in bounds checking, and if it is not set before the array is filled, then the bounds sanitizer will issue a warning or a kernel panic if CONFIG_UBSAN_TRAP is set. This patch sets the size of allocated memory as the init... • https://git.kernel.org/stable/c/aa4ec06c455d0200eea0a4361cc58eb5b8bf68c4 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53188 – wifi: ath12k: fix crash when unbinding
https://notcve.org/view.php?id=CVE-2024-53188
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix crash when unbinding If there is an error during some initialization related to firmware, the function ath12k_dp_cc_cleanup is called to release resources. However this is released again when the device is unbinded (ath12k_pci), and we get: BUG: kernel NULL pointer dereference, address: 0000000000000020 at RIP: 0010:ath12k_dp_cc_cleanup.part.0+0xb6/0x500 [ath12k] Call Trace: ath12k_dp_cc_cleanup ath12k_dp_free ath12k_core_... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53187 – io_uring: check for overflows in io_pin_pages
https://notcve.org/view.php?id=CVE-2024-53187
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: io_uring: check for overflows in io_pin_pages WARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144 CPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0 Call Trace:
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-53186 – ksmbd: fix use-after-free in SMB request handling
https://notcve.org/view.php?id=CVE-2024-53186
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in SMB request handling A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle_ksmbd_work()`. This leads to a UAF. - KASAN: slab-use-after-free Read in handle_ksmbd_work - KASAN: slab-use-after-free in rtlock_slowlock_locked This race condition arises as follows: - `ksmbd_conn_handler_loop()` waits for `conn->r_count` to r... • https://git.kernel.org/stable/c/18f06bacc197d4ac9b518ad1c69999bc3d83e7aa •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53185 – smb: client: fix NULL ptr deref in crypto_aead_setkey()
https://notcve.org/view.php?id=CVE-2024-53185
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix NULL ptr deref in crypto_aead_setkey() Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4. Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would alway... • https://git.kernel.org/stable/c/0809fb86ad13b29e1d6d491364fc7ea4fb545995 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53184 – um: ubd: Do not use drvdata in release
https://notcve.org/view.php?id=CVE-2024-53184
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: um: ubd: Do not use drvdata in release The drvdata is not available in release. Let's just use container_of() to get the ubd instance. Otherwise, removing a ubd device will result in a crash: RIP: 0033:blk_mq_free_tag_set+0x1f/0xba RSP: 00000000e2083bf0 EFLAGS: 00010246 RAX: 000000006021463a RBX: 0000000000000348 RCX: 0000000062604d00 RDX: 0000000004208060 RSI: 00000000605241a0 RDI: 0000000000000348 RBP: 00000000e2083c10 R08: 00000000624140... • https://git.kernel.org/stable/c/23d742a3fcd4781eed015a3a93e6a0e3ab1ef2a8 •