CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-41072 – wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
https://notcve.org/view.php?id=CVE-2024-41072
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: wext: add extra SIOCSIWSCAN data check In 'cfg80211_wext_siwscan()', add extra check whether number of channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise. • https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79 https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95 https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d1 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41071 – wifi: mac80211: Avoid address calculations via out of bounds array indexing
https://notcve.org/view.php?id=CVE-2024-41071
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] <TASK> [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810 • https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0 https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-41070 – KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
https://notcve.org/view.php?id=CVE-2024-41070
In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV Call Trace: dump_stack_lvl+0xb4/0x108 (unreliable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Freed by task 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [kvm] rcu_core+0x568/0x16a0 handle_softirqs+0x23c/0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394/0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF. • https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491 https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0 https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47 https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41069 – ASoC: topology: Fix references to freed memory
https://notcve.org/view.php?id=CVE-2024-41069
In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. • https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2 https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702 https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-41068 – s390/sclp: Fix sclp_init() cleanup on failure
https://notcve.org/view.php?id=CVE-2024-41068
In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix sclp_init() cleanup on failure If sclp_init() fails it only partially cleans up: if there are multiple failing calls to sclp_init() sclp_state_change_event will be added several times to sclp_reg_list, which results in the following warning: ------------[ cut here ]------------ list_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10. WARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3 Krnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 ... Call Trace: [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8 ([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8) [<000003ffe0a8d37e>] sclp_init+0x40e/0x450 [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0 [<000003ffe15b77a6>] do_initcalls+0x126/0x150 [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8 [<000003ffe0d6650e>] kernel_init+0x2e/0x180 [<000003ffe000301c>] __ret_from_fork+0x3c/0x60 [<000003ffe0d759ca>] ret_from_fork+0xa/0x30 Fix this by removing sclp_state_change_event from sclp_reg_list when sclp_init() fails. • https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83 https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090 https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6 https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3 https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808 https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e •