CVE-2024-27074 – media: go7007: fix a memleak in go7007_load_encoder
https://notcve.org/view.php?id=CVE-2024-27074
In the Linux kernel, the following vulnerability has been resolved: media: go7007: fix a memleak in go7007_load_encoder In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without a deallocation thereafter. After the following call chain: saa7134_go7007_init |-> go7007_boot_encoder |-> go7007_load_encoder |-> kfree(go) go is freed and thus bounce is leaked. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medios: go7007: corrige una fuga de memoria en go7007_load_encoder En go7007_load_encoder, el rebote (es decir, go->boot_fw) se asigna sin una desasignación posterior. Después de la siguiente cadena de llamadas: saa7134_go7007_init |-> go7007_boot_encoder |-> go7007_load_encoder |-> kfree(go) go se libera y, por lo tanto, se filtra el rebote. • https://git.kernel.org/stable/c/95ef39403f890360a3e48fe550d8e8e5d088ad74 https://git.kernel.org/stable/c/7f11dd3d165b178e738fe73dfeea513e383bedb5 https://git.kernel.org/stable/c/291cda0b805fc0d6e90d201710311630c8667159 https://git.kernel.org/stable/c/b49fe84c6cefcc1c2336d793b53442e716c95073 https://git.kernel.org/stable/c/790fa2c04dfb9f095ec372bf17909424d6e864b3 https://git.kernel.org/stable/c/e04d15c8bb3e111dd69f98894acd92d63e87aac3 https://git.kernel.org/stable/c/f31c1cc37411f5f7bcb266133f9a7e1b4bdf2975 https://git.kernel.org/stable/c/d43988a23c32588ccd0c74219637afb96 •
CVE-2024-27073 – media: ttpci: fix two memleaks in budget_av_attach
https://notcve.org/view.php?id=CVE-2024-27073
In the Linux kernel, the following vulnerability has been resolved: media: ttpci: fix two memleaks in budget_av_attach When saa7146_register_device and saa7146_vv_init fails, budget_av_attach should free the resources it allocates, like the error-handling of ttpci_budget_init does. Besides, there are two fixme comment refers to such deallocations. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: ttpci: corrige dos fugas de mem en Budget_av_attach Cuando fallan saa7146_register_device y saa7146_vv_init, Budget_av_attach debería liberar los recursos que asigna, como lo hace el manejo de errores de ttpci_budget_init. Además, hay dos comentarios fijos que se refieren a dichas desasignaciones. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/af37aed04997e644f7e1b52b696b62dcae3cc016 https://git.kernel.org/stable/c/910363473e4bf97da3c350e08d915546dd6cc30b https://git.kernel.org/stable/c/24e51d6eb578b82ff292927f14b9f5ec05a46beb https://git.kernel.org/stable/c/55ca0c7eae8499bb96f4e5d9b26af95e89c4e6a0 https://git.kernel.org/stable/c/7393c681f9aa05ffe2385e8716989565eed2fe06 https://git.kernel.org/stable/c/1597cd1a88cfcdc4bf8b1b44cd458fed9a5a5d63 https://git.kernel.org/stable/c/656b8cc123d7635dd399d9f02594f27aa •
CVE-2024-27072 – media: usbtv: Remove useless locks in usbtv_video_free()
https://notcve.org/view.php?id=CVE-2024-27072
In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Remove useless locks in usbtv_video_free() Remove locks calls in usbtv_video_free() because are useless and may led to a deadlock as reported here: https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000 Also remove usbtv_stop() call since it will be called when unregistering the device. Before 'c838530d230b' this issue would only be noticed if you disconnect while streaming and now it is noticeable even when disconnecting while not streaming. [hverkuil: fix minor spelling mistake in log message] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: usbtv: Eliminar bloqueos inútiles en usbtv_video_free() Eliminar llamadas de bloqueos en usbtv_video_free() porque son inútiles y pueden provocar un punto muerto como se informa aquí: https://syzkaller.appspot .com/x/bisect.txt?x=166dc872180000 También elimine la llamada usbtv_stop() ya que se llamará al cancelar el registro del dispositivo. Antes de 'c838530d230b', este problema solo se notaba si se desconectaba mientras se transmitía y ahora se nota incluso cuando se desconecta mientras no se transmite. [hverkuil: corrige un error ortográfico menor en el mensaje de registro] • https://git.kernel.org/stable/c/f3d27f34fdd7701e499617d2c1d94480a98f6d07 https://git.kernel.org/stable/c/4ec4641df57cbdfdc51bb4959afcdbcf5003ddb9 https://git.kernel.org/stable/c/d5ed208d04acf06781d63d30f9fa991e8d609ebd https://git.kernel.org/stable/c/bdd82c47b22a8befd617b723098b2a41b77373c7 https://git.kernel.org/stable/c/dea46e246ef0f98d89d59a4229157cd9ffb636bf https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2 https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895 •
CVE-2024-27071 – backlight: hx8357: Fix potential NULL pointer dereference
https://notcve.org/view.php?id=CVE-2024-27071
In the Linux kernel, the following vulnerability has been resolved: backlight: hx8357: Fix potential NULL pointer dereference The "im" pins are optional. Add missing check in the hx8357_probe(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: retroiluminación: hx8357: corrige una posible desreferencia del puntero NULL Los pines "im" son opcionales. Agregue el cheque que falta en hx8357_probe(). • https://git.kernel.org/stable/c/7d84a63a39b78443d09f2b4edf7ecb1d586379b4 https://git.kernel.org/stable/c/67e578c8ff2d7df03bf8ca9a7f5436b1796f6ad1 https://git.kernel.org/stable/c/b1ba8bcb2d1ffce11b308ce166c9cc28d989e3b9 •
CVE-2024-27070 – f2fs: fix to avoid use-after-free issue in f2fs_filemap_fault
https://notcve.org/view.php?id=CVE-2024-27070
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid use-after-free issue in f2fs_filemap_fault syzbot reports a f2fs bug as below: BUG: KASAN: slab-use-after-free in f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49 Read of size 8 at addr ffff88807bb22680 by task syz-executor184/5058 CPU: 0 PID: 5058 Comm: syz-executor184 Not tainted 6.7.0-syzkaller-09928-g052d534373b7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x163/0x540 mm/kasan/report.c:488 kasan_report+0x142/0x170 mm/kasan/report.c:601 f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49 __do_fault+0x131/0x450 mm/memory.c:4376 do_shared_fault mm/memory.c:4798 [inline] do_fault mm/memory.c:4872 [inline] do_pte_missing mm/memory.c:3745 [inline] handle_pte_fault mm/memory.c:5144 [inline] __handle_mm_fault+0x23b7/0x72b0 mm/memory.c:5285 handle_mm_fault+0x27e/0x770 mm/memory.c:5450 do_user_addr_fault arch/x86/mm/fault.c:1364 [inline] handle_page_fault arch/x86/mm/fault.c:1507 [inline] exc_page_fault+0x456/0x870 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570 The root cause is: in f2fs_filemap_fault(), vmf->vma may be not alive after filemap_fault(), so it may cause use-after-free issue when accessing vmf->vma->vm_flags in trace_f2fs_filemap_fault(). So it needs to keep vm_flags in separated temporary variable for tracepoint use. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: f2fs: solución para evitar el problema de use-after-free en f2fs_filemap_fault syzbot informa un error de f2fs como se muestra a continuación: ERROR: KASAN: slab-use-after-free en f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49 Lectura de tamaño 8 en la dirección ffff88807bb22680 por tarea syz-executor184/5058 CPU: 0 PID: 5058 Comm: syz-executor184 Not tainted 6.7.0-syzkaller-09928-g052d534373b7 #0 Nombre de hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 17/11/2023 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 print_address_description mm/kasan/ report.c:377 [en línea] print_report+0x163/0x540 mm/kasan/report.c:488 kasan_report+0x142/0x170 mm/kasan/report.c:601 f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49 __do_fault+0x131/0x450 mm/memory.c:4376 do_shared_fault mm/memory.c:4798 [en línea] do_fault mm/memory.c:4872 [en línea] do_pte_missing mm/memory.c:3745 [en línea] handle_pte_fault mm/memory. c:5144 [en línea] __handle_mm_fault+0x23b7/0x72b0 mm/memory.c:5285 handle_mm_fault+0x27e/0x770 mm/memory.c:5450 do_user_addr_fault arch/x86/mm/fault.c:1364 [en línea] handle_page_fault arch/x86/ mm/fault.c:1507 [en línea] exc_page_fault+0x456/0x870 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570 La causa raíz es: en f2fs_filemap_fault(), es posible que vmf->vma no esté activo después de filemap_fault(), por lo que puede causar un problema de use-after-free al acceder a vmf->vma->vm_flags en trace_f2fs_filemap_fault(). Por lo tanto, debe mantener vm_flags en una variable temporal separada para su uso en puntos de seguimiento. • https://git.kernel.org/stable/c/87f3afd366f7c668be0269efda8a89741a3ea6b3 https://git.kernel.org/stable/c/8186e16a766d709a08f188d2f4e84098f364bea1 https://git.kernel.org/stable/c/eb70d5a6c932d9d23f4bb3e7b83782c21ac4b064 •