CVE-2024-35794 – dm-raid: really frozen sync_thread during suspend
https://notcve.org/view.php?id=CVE-2024-35794
In the Linux kernel, the following vulnerability has been resolved: dm-raid: really frozen sync_thread during suspend 1) commit f52f5c71f3d4 ("md: fix stopping sync thread") remove MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that dm-raid relies on __md_stop_writes() to frozen sync_thread indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in md_stop_writes(), and since stop_sync_thread() is only used for dm-raid in this case, also move stop_sync_thread() to md_stop_writes(). 2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen, it only prevent new sync_thread to start, and it can't stop the running sync thread; In order to frozen sync_thread, after seting the flag, stop_sync_thread() should be used. 3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use it as condition for md_stop_writes() in raid_postsuspend() doesn't look correct. Consider that reentrant stop_sync_thread() do nothing, always call md_stop_writes() in raid_postsuspend(). 4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime, and if MD_RECOVERY_FROZEN is cleared while the array is suspended, new sync_thread can start unexpected. Fix this by disallow raid_message() to change sync_thread status during suspend. Note that after commit f52f5c71f3d4 ("md: fix stopping sync thread"), the test shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(), and with previous fixes, the test won't hang there anymore, however, the test will still fail and complain that ext4 is corrupted. And with this patch, the test won't hang due to stop_sync_thread() or fail due to ext4 is corrupted anymore. • https://git.kernel.org/stable/c/9dbd1aa3a81c6166608fec87994b6c464701f73a https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73 https://access.redhat.com/security/cve/CVE-2024-35794 https://bugzilla.redhat.com/show_bug.cgi?id=2281045 •
CVE-2024-35793 – debugfs: fix wait/cancellation handling during remove
https://notcve.org/view.php?id=CVE-2024-35793
In the Linux kernel, the following vulnerability has been resolved: debugfs: fix wait/cancellation handling during remove Ben Greear further reports deadlocks during concurrent debugfs remove while files are being accessed, even though the code in question now uses debugfs cancellations. Turns out that despite all the review on the locking, we missed completely that the logic is wrong: if the refcount hits zero we can finish (and need not wait for the completion), but if it doesn't we have to trigger all the cancellations. As written, we can _never_ get into the loop triggering the cancellations. Fix this, and explain it better while at it. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: debugfs: corrige el manejo de espera/cancelación durante la eliminación Ben Greear informa además bloqueos durante la eliminación de debugfs concurrentes mientras se accede a los archivos, aunque el código en cuestión ahora usa cancelaciones de debugfs. • https://git.kernel.org/stable/c/8c88a474357ead632b07c70bf7f119ace8c3b39e https://git.kernel.org/stable/c/e88b5ae01901c4a655a53158397746334778a57b https://git.kernel.org/stable/c/3d08cca5fd0aabb62b7015067ab40913b33da906 https://git.kernel.org/stable/c/952c3fce297f12c7ff59380adb66b564e2bc9b64 •
CVE-2024-35792 – crypto: rk3288 - Fix use after free in unprepare
https://notcve.org/view.php?id=CVE-2024-35792
In the Linux kernel, the following vulnerability has been resolved: crypto: rk3288 - Fix use after free in unprepare The unprepare call must be carried out before the finalize call as the latter can free the request. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: crypto: rk3288 - Arreglar el uso después de liberar en unprepare La llamada de unprepare debe realizarse antes de la llamada de finalización ya que esta última puede liberar la solicitud. • https://git.kernel.org/stable/c/c66c17a0f69b0e017bbc01d999a28ed96ee84826 https://git.kernel.org/stable/c/48dd260fdb728eda4a246f635d1325e82f0d3555 https://git.kernel.org/stable/c/eb2a41a8ae8c8c4f68aef3bd94665c0cf23e04be https://git.kernel.org/stable/c/c0afb6b88fbbc177fa322a835f874be217bffe45 •
CVE-2024-35791 – KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
https://notcve.org/view.php?id=CVE-2024-35791
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: SVM: Vaciar páginas bajo kvm->lock para arreglar UAF en svm_register_enc_region() Realice el vaciado de caché de las páginas convertidas en svm_register_enc_region() antes de eliminar kvm->lock para arreglar el uso -Problemas posteriores a la liberación en los que la región y/o su conjunto de páginas podrían liberarse mediante una tarea diferente, por ejemplo, si el espacio de usuario ya tiene __unregister_enc_region_locked() en cola para la región. Tenga en cuenta que la alternativa "obvia" de usar variables locales no resuelve completamente el error, ya que región->páginas también se asigna dinámicamente. Es decir, la estructura de la región en sí estaría bien, pero se podrían liberar regiones->páginas. • https://git.kernel.org/stable/c/4f627ecde7329e476a077bb0590db8f27bb8f912 https://git.kernel.org/stable/c/19a23da53932bc8011220bd8c410cb76012de004 https://git.kernel.org/stable/c/f1ecde00ce1694597f923f0d25f7a797c5243d99 https://git.kernel.org/stable/c/848bcb0a1d96f67d075465667d3a1ad4af56311e https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7 https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865 https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61b •
CVE-2024-35790 – usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group
https://notcve.org/view.php?id=CVE-2024-35790
In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group The DisplayPort driver's sysfs nodes may be present to the userspace before typec_altmode_set_drvdata() completes in dp_altmode_probe. This means that a sysfs read can trigger a NULL pointer error by deferencing dp->hpd in hpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns NULL in those cases. Remove manual sysfs node creation in favor of adding attribute group as default for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is not used here otherwise the path to the sysfs nodes is no longer compliant with the ABI. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: usb: typec: altmodes/displayport: cree nodos sysfs como grupo de atributos de dispositivo predeterminado del controlador Los nodos sysfs del controlador DisplayPort pueden estar presentes en el espacio de usuario antes de que typec_altmode_set_drvdata() se complete en dp_altmode_probe. Esto significa que una lectura de sysfs puede desencadenar un error de puntero NULL al hacer una diferencia entre dp->hpd en hpd_show o dp->lock en pin_assignment_show, ya que dev_get_drvdata() devuelve NULL en esos casos. • https://git.kernel.org/stable/c/0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0 https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9 https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531 https://access.redhat.com/security/cve/CVE-2024-35790 https://bugzilla.redhat.com/show_bug.cgi?id=2281054 •