CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41069 – ASoC: topology: Fix references to freed memory
https://notcve.org/view.php?id=CVE-2024-41069
In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. • https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2 https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702 https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-41068 – s390/sclp: Fix sclp_init() cleanup on failure
https://notcve.org/view.php?id=CVE-2024-41068
In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix sclp_init() cleanup on failure If sclp_init() fails it only partially cleans up: if there are multiple failing calls to sclp_init() sclp_state_change_event will be added several times to sclp_reg_list, which results in the following warning: ------------[ cut here ]------------ list_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10. WARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3 Krnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 ... Call Trace: [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8 ([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8) [<000003ffe0a8d37e>] sclp_init+0x40e/0x450 [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0 [<000003ffe15b77a6>] do_initcalls+0x126/0x150 [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8 [<000003ffe0d6650e>] kernel_init+0x2e/0x180 [<000003ffe000301c>] __ret_from_fork+0x3c/0x60 [<000003ffe0d759ca>] ret_from_fork+0xa/0x30 Fix this by removing sclp_state_change_event from sclp_reg_list when sclp_init() fails. • https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83 https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090 https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6 https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3 https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808 https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41067 – btrfs: scrub: handle RST lookup error correctly
https://notcve.org/view.php?id=CVE-2024-41067
In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: handle RST lookup error correctly [BUG] When running btrfs/060 with forced RST feature, it would crash the following ASSERT() inside scrub_read_endio(): ASSERT(sector_nr < stripe->nr_sectors); Before that, we would have tree dump from btrfs_get_raid_extent_offset(), as we failed to find the RST entry for the range. [CAUSE] Inside scrub_submit_extent_sector_read() every time we allocated a new bbio we immediately called btrfs_map_block() to make sure there was some RST range covering the scrub target. But if btrfs_map_block() fails, we immediately call endio for the bbio, while the bbio is newly allocated, it's completely empty. Then inside scrub_read_endio(), we go through the bvecs to find the sector number (as bi_sector is no longer reliable if the bio is submitted to lower layers). And since the bio is empty, such bvecs iteration would not find any sector matching the sector, and return sector_nr == stripe->nr_sectors, triggering the ASSERT(). [FIX] Instead of calling btrfs_map_block() after allocating a new bbio, call btrfs_map_block() first. Since our only objective of calling btrfs_map_block() is only to update stripe_len, there is really no need to do that after btrfs_alloc_bio(). This new timing would avoid the problem of handling empty bbio completely, and in fact fixes a possible race window for the old code, where if the submission thread is the only owner of the pending_io, the scrub would never finish (since we didn't decrease the pending_io counter). Although the root cause of RST lookup failure still needs to be addressed. • https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72 https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41066 – ibmvnic: Add tx check to prevent skb leak
https://notcve.org/view.php?id=CVE-2024-41066
In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Add tx check to prevent skb leak Below is a summary of how the driver stores a reference to an skb during transmit: tx_buff[free_map[consumer_index]]->skb = new_skb; free_map[consumer_index] = IBMVNIC_INVALID_MAP; consumer_index ++; Where variable data looks like this: free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3] consumer_index^ tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null] The driver has checks to ensure that free_map[consumer_index] pointed to a valid index but there was no check to ensure that this index pointed to an unused/null skb address. So, if, by some chance, our free_map and tx_buff lists become out of sync then we were previously risking an skb memory leak. This could then cause tcp congestion control to stop sending packets, eventually leading to ETIMEDOUT. Therefore, add a conditional to ensure that the skb address is null. If not then warn the user (because this is still a bug that should be patched) and free the old pointer to prevent memleak/tcp problems. • https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06 https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-41065 – powerpc/pseries: Whitelist dtl slub object for copying to userspace
https://notcve.org/view.php?id=CVE-2024-41065
In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Whitelist dtl slub object for copying to userspace Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-* results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as shown below. kernel BUG at mm/usercopy.c:102! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85 Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8 REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3) MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 2828220f XER: 0000000e CFAR: c0000000001fdc80 IRQMASK: 0 [ ... GPRs omitted ... ] NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0 LR [c0000000005d23d0] usercopy_abort+0x74/0xb0 Call Trace: usercopy_abort+0x74/0xb0 (unreliable) __check_heap_object+0xf8/0x120 check_heap_object+0x218/0x240 __check_object_size+0x84/0x1a4 dtl_file_read+0x17c/0x2c4 full_proxy_read+0x8c/0x110 vfs_read+0xdc/0x3a0 ksys_read+0x84/0x144 system_call_exception+0x124/0x330 system_call_vectored_common+0x15c/0x2ec --- interrupt: 3000 at 0x7fff81f3ab34 Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") requires that only whitelisted areas in slab/slub objects can be copied to userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY. Dtl contains hypervisor dispatch events which are expected to be read by privileged users. Hence mark this safe for user access. Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the entire object. • https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6 https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2 https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4 https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586 •