CVE-2024-46800 – sch/netem: fix use after free in netem_dequeue
https://notcve.org/view.php?id=CVE-2024-46800
In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF • https://git.kernel.org/stable/c/50612537e9ab29693122fab20fc1eed235054ffe https://git.kernel.org/stable/c/f0bddb4de043399f16d1969dad5ee5b984a64e7b https://git.kernel.org/stable/c/295ad5afd9efc5f67b86c64fce28fb94e26dc4c9 https://git.kernel.org/stable/c/98c75d76187944296068d685dfd8a1e9fd8c4fdc https://git.kernel.org/stable/c/14f91ab8d391f249b845916820a56f42cf747241 https://git.kernel.org/stable/c/db2c235682913a63054e741fe4e19645fdf2d68e https://git.kernel.org/stable/c/dde33a9d0b80aae0c69594d1f462515d7ff1cb3d https://git.kernel.org/stable/c/32008ab989ddcff1a485fa2b4906234c2 •
CVE-2024-46781 – nilfs2: fix missing cleanup on rollforward recovery error
https://notcve.org/view.php?id=CVE-2024-46781
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts. • https://git.kernel.org/stable/c/0f3e1c7f23f8a6f8224fa1d275381f6d9279ad4b https://git.kernel.org/stable/c/35a9a7a7d94662146396199b0cfd95f9517cdd14 https://git.kernel.org/stable/c/da02f9eb333333b2e4f25d2a14967cff785ac82e https://git.kernel.org/stable/c/07e4dc2fe000ab008bcfe90be4324ef56b5b4355 https://git.kernel.org/stable/c/8e2d1e9d93c4ec51354229361ac3373058529ec4 https://git.kernel.org/stable/c/ca92c4bff2833cb30d493b935168d6cccd5c805d https://git.kernel.org/stable/c/9d8c3a585d564d776ee60d4aabec59b404be7403 https://git.kernel.org/stable/c/1cf1f7e8cd47244fa947d357ef1f642d9 •
CVE-2024-46778 – drm/amd/display: Check UnboundedRequestEnabled's value
https://notcve.org/view.php?id=CVE-2024-46778
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. This fixes 1 REVERSE_INULL issue reported by Coverity. • https://git.kernel.org/stable/c/4e2b49a85e7974d21364798c5d4aa8070aa864d9 https://git.kernel.org/stable/c/a7b38c7852093385d0605aa3c8a2efd6edd1edfd •
CVE-2024-46777 – udf: Avoid excessive partition lengths
https://notcve.org/view.php?id=CVE-2024-46777
In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap. • https://git.kernel.org/stable/c/c0c23130d38e8bc28e9ef581443de9b1fc749966 https://git.kernel.org/stable/c/1497a4484cdb2cf6c37960d788fb6ba67567bdb7 https://git.kernel.org/stable/c/551966371e17912564bc387fbeb2ac13077c3db1 https://git.kernel.org/stable/c/2ddf831451357c6da4b64645eb797c93c1c054d1 https://git.kernel.org/stable/c/0173999123082280cf904bd640015951f194a294 https://git.kernel.org/stable/c/a56330761950cb83de1dfb348479f20c56c95f90 https://git.kernel.org/stable/c/925fd8ee80d5348a5e965548e5484d164d19221d https://git.kernel.org/stable/c/ebbe26fd54a9621994bc16b14f2ba8f84 •
CVE-2024-46776 – drm/amd/display: Run DC_LOG_DC after checking link->link_enc
https://notcve.org/view.php?id=CVE-2024-46776
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity. • https://git.kernel.org/stable/c/874e3bb302f97b94ac548959ec4f925b8e7b45e2 https://git.kernel.org/stable/c/adc74d25cdbba978afbb57caec23bbcd0329f7b8 https://git.kernel.org/stable/c/3a82f62b0d9d7687eac47603bb6cd14a50fa718b •