CVE-2024-26914 – drm/amd/display: fix incorrect mpc_combine array size
https://notcve.org/view.php?id=CVE-2024-26914
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix incorrect mpc_combine array size [why] MAX_SURFACES is per stream, while MAX_PLANES is per asic. The mpc_combine is an array that records all the planes per asic. Therefore MAX_PLANES should be used as the array size. Using MAX_SURFACES causes array overflow when there are more than 3 planes. [how] Use the MAX_PLANES for the mpc_combine array size. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: corrige el tamaño incorrecto de la matriz mpc_combine [por qué] MAX_SURFACES es por flujo, mientras que MAX_PLANES es por asic. mpc_combine es una matriz que registra todos los planos por asic. • https://git.kernel.org/stable/c/0bd8ef618a42d7e6ea3f701065264e15678025e3 https://git.kernel.org/stable/c/39079fe8e660851abbafa90cd55cbf029210661f •
CVE-2024-26913 – drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue
https://notcve.org/view.php?id=CVE-2024-26913
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue [why] odm calculation is missing for pipe split policy determination and cause Underflow/Corruption issue. [how] Add the odm calculation. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: solucione el problema de corrupción/desbordamiento de dcn35 8k30 [por qué] falta el cálculo de odm para la determinación de la política de división de tuberías y causa un problema de corrupción/desbordamiento. [cómo] Agregue el cálculo de odm. • https://git.kernel.org/stable/c/cdbe0be8874c63bca85b8c38e5b1eecbdd18df31 https://git.kernel.org/stable/c/faf51b201bc42adf500945732abb6220c707d6f3 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVE-2024-26912 – drm/nouveau: fix several DMA buffer leaks
https://notcve.org/view.php?id=CVE-2024-26912
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix several DMA buffer leaks Nouveau manages GSP-RM DMA buffers with nvkm_gsp_mem objects. Several of these buffers are never dealloced. Some of them can be deallocated right after GSP-RM is initialized, but the rest need to stay until the driver unloads. Also futher bullet-proof these objects by poisoning the buffer and clearing the nvkm_gsp_mem object when it is deallocated. Poisoning the buffer should trigger an error (or crash) from GSP-RM if it tries to access the buffer after we've deallocated it, because we were wrong about when it is safe to deallocate. Finally, change the mem->size field to a size_t because that's the same type that dma_alloc_coherent expects. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/nouveau: corrige varias fugas del búfer DMA Nouveau administra los buffers DMA GSP-RM con objetos nvkm_gsp_mem. • https://git.kernel.org/stable/c/176fdcbddfd288408ce8571c1760ad618d962096 https://git.kernel.org/stable/c/6190d4c08897d748dd25f0b78267a90aa1694e15 https://git.kernel.org/stable/c/042b5f83841fbf7ce39474412db3b5e4765a7ea7 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2024-26911 – drm/buddy: Fix alloc_range() error handling code
https://notcve.org/view.php?id=CVE-2024-26911
In the Linux kernel, the following vulnerability has been resolved: drm/buddy: Fix alloc_range() error handling code Few users have observed display corruption when they boot the machine to KDE Plasma or playing games. We have root caused the problem that whenever alloc_range() couldn't find the required memory blocks the function was returning SUCCESS in some of the corner cases. The right approach would be if the total allocated size is less than the required size, the function should return -ENOSPC. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/buddy: corrige el código de manejo de errores alloc_range() Pocos usuarios han observado daños en la pantalla cuando inician la máquina en KDE Plasma o juegan juegos. Hemos causado el problema de que cada vez que alloc_range() no podía encontrar los bloques de memoria requeridos, la función devolvía ÉXITO en algunos de los casos de esquina. El enfoque correcto sería que si el tamaño total asignado es menor que el tamaño requerido, la función debería devolver -ENOSPC. • https://git.kernel.org/stable/c/0a1844bf0b532d84324453374ad6845f64066c28 https://git.kernel.org/stable/c/4b59c3fada06e5e8010ef7700689c71986e667a2 https://git.kernel.org/stable/c/8746c6c9dfa31d269c65dd52ab42fde0720b7d91 • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2024-26910 – netfilter: ipset: fix performance regression in swap operation
https://notcve.org/view.php?id=CVE-2024-26910
In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix performance regression in swap operation The patch "netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test", commit 28628fa9 fixes a race condition. But the synchronize_rcu() added to the swap function unnecessarily slows it down: it can safely be moved to destroy and use call_rcu() instead. Eric Dumazet pointed out that simply calling the destroy functions as rcu callback does not work: sets with timeout use garbage collectors which need cancelling at destroy which can wait. Therefore the destroy functions are split into two: cancelling garbage collectors safely at executing the command received by netlink and moving the remaining part only into the rcu callback. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: ipset: corrige la regresión de rendimiento en la operación de intercambio El parche "netfilter: ipset: corrige la condición de ejecución entre swap/destroy y add/del/test del lado del kernel", commit 28628fa9 corrige un condición de ejecución. Pero elsync_rcu() agregado a la función swap la ralentiza innecesariamente: se puede mover con seguridad para destruir y usar call_rcu() en su lugar. Eric Dumazet señaló que simplemente llamar a las funciones de destrucción como devolución de llamada de rcu no funciona: los conjuntos con tiempo de espera usan recolectores de basura que necesitan cancelarse en la destrucción y que pueden esperar. • https://git.kernel.org/stable/c/427deb5ba5661c4ae1cfb35955d2e01bd5f3090a https://git.kernel.org/stable/c/e7152a138a5ac77439ff4e7a7533448a7d4c260d https://git.kernel.org/stable/c/8bb930c3a1eacec1b14817f565ff81667c7c5dfa https://git.kernel.org/stable/c/875ee3a09e27b7adb7006ca6d16faf7f33415aa5 https://git.kernel.org/stable/c/23c31036f862582f98386120aee55c9ae23d7899 https://git.kernel.org/stable/c/28628fa952fefc7f2072ce6e8016968cc452b1ba https://git.kernel.org/stable/c/a12606e5ad0cee8f4ba3ec68561c4d6275d2df57 https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •