CVE-2024-26801 – Bluetooth: Avoid potential use-after-free in hci_error_reset
https://notcve.org/view.php?id=CVE-2024-26801
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: evite el posible use-after-free en hci_error_reset Mientras se maneja el evento HCI_EV_HARDWARE_ERROR, si el controlador BT subyacente no responde, el mecanismo de reinicio de GPIO liberaría hci_dev y provocaría un error. use-after-free en hci_error_reset. • https://git.kernel.org/stable/c/c7741d16a57cbf97eebe53f27e8216b1ff20e20c https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03 https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090 https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2 https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14 https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1 https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6 •
CVE-2024-26800 – tls: fix use-after-free on failed backlog decryption
https://notcve.org/view.php?id=CVE-2024-26800
In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige el use-after-free en el descifrado fallido del trabajo pendiente Cuando la solicitud de descifrado va al trabajo pendiente y crypto_aead_decrypt devuelve -EBUSY, tls_do_decryption esperará hasta que se hayan completado todos los descifrados asíncronos. • https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754 https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694 https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368 https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1 https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89 https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0 •
CVE-2024-26799 – ASoC: qcom: Fix uninitialized pointer dmactl
https://notcve.org/view.php?id=CVE-2024-26799
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix uninitialized pointer dmactl In the case where __lpass_get_dmactl_handle is called and the driver id dai_id is invalid the pointer dmactl is not being assigned a value, and dmactl contains a garbage value since it has not been initialized and so the null check may not work. Fix this to initialize dmactl to NULL. One could argue that modern compilers will set this to zero, but it is useful to keep this initialized as per the same way in functions __lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params. Cleans up clang scan build warning: sound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition evaluates to a garbage value [core.uninitialized.Branch] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: qcom: corrige el puntero no inicializado dmactl. En el caso de que se llame a __lpass_get_dmactl_handle y el ID del controlador dai_id no sea válido, al puntero dmactl no se le asigna un valor y dmactl contiene un valor basura. ya que no se ha inicializado y, por lo tanto, es posible que la verificación nula no funcione. Solucione esto para inicializar dmactl a NULL. • https://git.kernel.org/stable/c/b81af585ea54ee9f749391e594ee9cbd44061eae https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee •
CVE-2024-26798 – fbcon: always restore the old font data in fbcon_do_set_font()
https://notcve.org/view.php?id=CVE-2024-26798
In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the "system"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. • https://git.kernel.org/stable/c/ebd6f886aa2447fcfcdce5450c9e1028e1d681bb https://git.kernel.org/stable/c/a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 https://git.kernel.org/stable/c/f08ccb792d3eaf1dc62d8cbf6a30d6522329f660 https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520 https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8 https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb •
CVE-2024-26795 – riscv: Sparse-Memory/vmemmap out-of-bounds fix
https://notcve.org/view.php?id=CVE-2024-26795
In the Linux kernel, the following vulnerability has been resolved: riscv: Sparse-Memory/vmemmap out-of-bounds fix Offset vmemmap so that the first page of vmemmap will be mapped to the first page of physical memory in order to ensure that vmemmap’s bounds will be respected during pfn_to_page()/page_to_pfn() operations. The conversion macros will produce correct SV39/48/57 addresses for every possible/valid DRAM_BASE inside the physical memory limits. v2:Address Alex's comments En el kernel de Linux, se resolvió la siguiente vulnerabilidad: riscv: Sparse-Memory/vmemmap fuera de los límites corrige Offset vmemmap para que la primera página de vmemmap se asigne a la primera página de la memoria física para garantizar que vmemmap Los límites se respetarán durante las operaciones pfn_to_page()/page_to_pfn(). Las macros de conversión producirán direcciones SV39/48/57 correctas para cada DRAM_BASE posible/válida dentro de los límites de la memoria física. v2: Abordar los comentarios de Alex • https://git.kernel.org/stable/c/d95f1a542c3df396137afa217ef9bd39cb8931ca https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9 https://lists.debian.org/debian-lts-announce/2024/06/ •