CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49884 – ext4: fix slab-use-after-free in ext4_split_extent_at()
https://notcve.org/view.php?id=CVE-2024-49884
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49883 – ext4: aovid use-after-free in ext4_ext_insert_extent()
https://notcve.org/view.php?id=CVE-2024-49883
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: aovid use-after-free in ext4_ext_insert_extent() As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and cause UAF. Below is a sample trace with dummy values: ext4_ext_insert_extent path = *ppath = 2000 ext4_ext_create_new_leaf(ppath) ext4_find_extent(ppath) path = *ppath = 2000 if (depth > path[0].p_maxdepth) kfree(path = 2000); *ppath = path = ... • https://git.kernel.org/stable/c/10809df84a4d868db61af621bae3658494165279 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49882 – ext4: fix double brelse() the buffer of the extents path
https://notcve.org/view.php?id=CVE-2024-49882
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix double brelse() the buffer of the extents path In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been released, otherwise it may be released twice. An example of what triggers this is as follows: split2 map split1 |--------|-------|--------| ext4_ext_map_blocks ext4_ext_handle_unwritten_extents ext4_split_convert_extents // path->p_depth == 0 ext4_split_extent // 1. do split1 ext4_split_extent_at |ext4_ext_inser... • https://git.kernel.org/stable/c/ecb94f5fdf4b72547fca022421a9dca1672bddd4 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49881 – ext4: update orig_path in ext4_find_extent()
https://notcve.org/view.php?id=CVE-2024-49881
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: update orig_path in ext4_find_extent() In ext4_find_extent(), if the path is not big enough, we free it and set *orig_path to NULL. But after reallocating and successfully initializing the path, we don't update *orig_path, in which case the caller gets a valid path but a NULL ppath, and this may cause a NULL pointer dereference or a path memory leak. For example: ext4_split_extent path = *ppath = 2000 ext4_find_extent if (depth > path... • https://git.kernel.org/stable/c/10809df84a4d868db61af621bae3658494165279 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49879 – drm: omapdrm: Add missing check for alloc_ordered_workqueue
https://notcve.org/view.php?id=CVE-2024-49879
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. Andy N... • https://git.kernel.org/stable/c/2f95bc6d324a93b2411bcc5defe4d4414c45f325 •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-49877 – ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
https://notcve.org/view.php?id=CVE-2024-49877
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if bh is NULL. In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer derefe... • https://git.kernel.org/stable/c/6c150df9c2e80b5cf86f5a0d98beb7390ad63bfc •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49875 – nfsd: map the EBADMSG to nfserr_io to avoid warning
https://notcve.org/view.php?id=CVE-2024-49875
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: nfsd: map the EBADMSG to nfserr_io to avoid warning Ext4 will throw -EBADMSG through ext4_readdir when a checksum error occurs, resulting in the following WARNING. Fix it by mapping EBADMSG to nfserr_io. nfsd_buffered_readdir iterate_dir // -EBADMSG -74 ext4_readdir // .iterate_shared ext4_dx_readdir ext4_htree_fill_tree htree_dirblock_to_tree ext4_read_dirblock __ext4_read_dirblock ext4_dirblock_csum_verify warn_no_space_for_csum __warn_no... • https://git.kernel.org/stable/c/0ea4333c679f333e23956de743ad17387819d3f2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49868 – btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
https://notcve.org/view.php?id=CVE-2024-49868
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a NULL pointer dereference when failed to start a new trasacntion [BUG] Syzbot reported a NULL pointer dereference with the following crash: FAULT_INJECTION: forcing a failure. start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676 prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642 relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678 ... BTRFS info (device loop0): balance: ended with status: -12 Oops: general pr... • https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49867 – btrfs: wait for fixup workers before stopping cleaner kthread during umount
https://notcve.org/view.php?id=CVE-2024-49867
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the following steps in this order: 1) Park the cleaner kthread - this doesn't destroy the kthread, it basically halts its execution (wake ups against it work but do nothing); 2) We stop the cleaner kthread - this results in freeing the respective struct task_struct; 3) We call btrfs_stop_all_workers() which waits for any job... • https://git.kernel.org/stable/c/cd686dfff63f27d712877aef5b962fbf6b8bc264 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49863 – vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
https://notcve.org/view.php?id=CVE-2024-49863
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when guest sends an SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a `VI... • https://git.kernel.org/stable/c/3f8ca2e115e55af4c15d97dda635e948d2e380be •