CVE-2024-49851 – tpm: Clean up TPM space after command failure
https://notcve.org/view.php?id=CVE-2024-49851
In the Linux kernel, the following vulnerability has been resolved: tpm: Clean up TPM space after command failure tpm_dev_transmit prepares the TPM space before attempting command transmission. However if the command fails no rollback of this preparation is done. This can result in transient handles being leaked if the device is subsequently closed with no further commands performed. Fix this by flushing the space in the event of command transmission failure. • https://git.kernel.org/stable/c/745b361e989af21ad40811c2586b60229f870a68 https://git.kernel.org/stable/c/2c9b228938e9266a1065a3f4fe5c99b7235dc439 https://git.kernel.org/stable/c/ebc4e1f4492d114f9693950621b3ea42b2f82bec https://git.kernel.org/stable/c/c84ceb546f30432fccea4891163f7050f5bee5dd https://git.kernel.org/stable/c/82478cb8a23bd4f97935bbe60d64528c6d9918b4 https://git.kernel.org/stable/c/adf4ce162561222338cf2c9a2caa294527f7f721 https://git.kernel.org/stable/c/3f9f72d843c92fb6f4ff7460d774413cde7f254c https://git.kernel.org/stable/c/e3aaebcbb7c6b403416f442d1de70d437 •
CVE-2024-47757 – nilfs2: fix potential oob read in nilfs_btree_check_delete()
https://notcve.org/view.php?id=CVE-2024-47757
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential oob read in nilfs_btree_check_delete() The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case. • https://git.kernel.org/stable/c/17c76b0104e4a6513983777e1a17e0297a12b0c4 https://git.kernel.org/stable/c/d20674f31626e0596ae4c1d9401dfb6739b81b58 https://git.kernel.org/stable/c/c4f8554996e8ada3be872dfb8f60e93bcf15fb27 https://git.kernel.org/stable/c/a8abfda768b9f33630cfbc4af6c4214f1e5681b0 https://git.kernel.org/stable/c/257f9e5185eb6de83377caea686c306e22e871f2 https://git.kernel.org/stable/c/a33e967b681e088a125b979975c93e3453e686cd https://git.kernel.org/stable/c/c4cbcc64bb31e67e02940ce060cc77f7180564cf https://git.kernel.org/stable/c/f9c96351aa6718b42a9f42eaf7adce035 •
CVE-2024-47749 – RDMA/cxgb4: Added NULL check for lookup_atid
https://notcve.org/view.php?id=CVE-2024-47749
In the Linux kernel, the following vulnerability has been resolved: RDMA/cxgb4: Added NULL check for lookup_atid The lookup_atid() function can return NULL if the ATID is invalid or does not exist in the identifier table, which could lead to dereferencing a null pointer without a check in the `act_establish()` and `act_open_rpl()` functions. Add a NULL check to prevent null pointer dereferencing. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/cfdda9d764362ab77b11a410bb928400e6520d57 https://git.kernel.org/stable/c/dd598ac57dcae796cb58551074660c39b43fb155 https://git.kernel.org/stable/c/b11318dc8a1ec565300bb1a9073095af817cc508 https://git.kernel.org/stable/c/39cb9f39913566ec5865581135f3e8123ad1aee1 https://git.kernel.org/stable/c/0d50ae281a1712b9b2ca72830a96b8f11882358d https://git.kernel.org/stable/c/54aaa3ed40972511e423b604324b881425b9ff1e https://git.kernel.org/stable/c/b9c94c8ba5a713817cffd74c4bacc05187469624 https://git.kernel.org/stable/c/e766e6a92410ca269161de059fff0843b •
CVE-2024-47747 – net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition
https://notcve.org/view.php?id=CVE-2024-47747
In the Linux kernel, the following vulnerability has been resolved: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ether3_ledoff ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove. • https://git.kernel.org/stable/c/6fd9c53f71862a4797b7ed8a5de80e2c64829f56 https://git.kernel.org/stable/c/338a0582b28e69460df03af50e938b86b4206353 https://git.kernel.org/stable/c/822c7bb1f6f8b0331e8d1927151faf8db3b33afd https://git.kernel.org/stable/c/1c57d61a43293252ad732007c7070fdb112545fd https://git.kernel.org/stable/c/d2abc379071881798d20e2ac1d332ad855ae22f3 https://git.kernel.org/stable/c/516dbc6d16637430808c39568cbb6b841d32b55b https://git.kernel.org/stable/c/77a77331cef0a219b8dd91361435eeef04cb741c https://git.kernel.org/stable/c/b5109b60ee4fcb2f2bb24f589575e10cc •
CVE-2024-47745 – mm: call the security_mmap_file() LSM hook in remap_file_pages()
https://notcve.org/view.php?id=CVE-2024-47745
In the Linux kernel, the following vulnerability has been resolved: mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) [PM: subject line tweaks] • https://git.kernel.org/stable/c/49d3a4ad57c57227c3b0fd6cd4188b2a5ebd6178 https://git.kernel.org/stable/c/3393fddbfa947c8e1fdcc4509226905ffffd8b89 https://git.kernel.org/stable/c/ce14f38d6ee9e88e37ec28427b4b93a7c33c70d3 https://git.kernel.org/stable/c/ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 •