CVE-2024-50256 – netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
https://notcve.org/view.php?id=CVE-2024-50256
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6(). I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:... • https://git.kernel.org/stable/c/c8d7b98bec43faaa6583c3135030be5eb4693acb •
CVE-2024-50255 – Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
https://notcve.org/view.php?id=CVE-2024-50255
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes. __hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no... • https://git.kernel.org/stable/c/abfeea476c68afea54c9c050a2d3b19d5d2ee873 • CWE-476: NULL Pointer Dereference •
CVE-2024-50254 – bpf: Free dynamically allocated bits in bpf_iter_bits_destroy()
https://notcve.org/view.php?id=CVE-2024-50254
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Free dynamically allocated bits in bpf_iter_bits_destroy() bpf_iter_bits_destroy() uses "kit->nr_bits <= 64" to check whether the bits are dynamically allocated. However, the check is incorrect and may cause a kmemleak as shown below: unreferenced object 0xffff88812628c8c0 (size 32): comm "swapper/0", pid 1, jiffies 4294727320 hex dump (first 32 bytes): b0 c1 55 f5 81 88 ff ff f0 f0 f0 f0 f0 f0 f0 f0 ..U........... f0 f0 f0 f0 f0 f0 f0... • https://git.kernel.org/stable/c/4665415975b0827e9646cab91c61d02a6b364d59 •
CVE-2024-50253 – bpf: Check the validity of nr_words in bpf_iter_bits_new()
https://notcve.org/view.php?id=CVE-2024-50253
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Check the validity of nr_words in bpf_iter_bits_new() Check the validity of nr_words in bpf_iter_bits_new(). Without this check, when multiplication overflow occurs for nr_bits (e.g., when nr_words = 0x0400-0001, nr_bits becomes 64), stack corruption may occur due to bpf_probe_read_kernel_common(..., nr_bytes = 0x2000-0008). Fix it by limiting the maximum value of nr_words to 511. The value is derived from the current implementation of... • https://git.kernel.org/stable/c/4665415975b0827e9646cab91c61d02a6b364d59 •
CVE-2024-50252 – mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
https://notcve.org/view.php?id=CVE-2024-50252
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address The device stores IPv6 addresses that are used for encapsulation in linear memory that is managed by the driver. Changing the remote address of an ip6gre net device never worked properly, but since cited commit the following reproducer [1] would result in a warning [2] and a memory leak [3]. The problem is that the new remote address is never added by the driver to its ... • https://git.kernel.org/stable/c/cf42911523e02026cb56d329e584ae5923e94ba1 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2024-50251 – netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
https://notcve.org/view.php?id=CVE-2024-50251
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() If access to offset + length is larger than the skbuff length, then skb_checksum() triggers BUG_ON(). skb_checksum() internally subtracts the length parameter while iterating over the skbuff; BUG_ON(len) at the end of it checks that the expected length to be included in the checksum calculation is fully consumed. An incorrect buffer length flaw was found in the Lin... • https://github.com/slavin-ayu/CVE-2024-50251-PoC •
CVE-2024-50250 – fsdax: dax_unshare_iter needs to copy entire blocks
https://notcve.org/view.php?id=CVE-2024-50250
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: fsdax: dax_unshare_iter needs to copy entire blocks The code that copies data from srcmap to iomap in dax_unshare_iter is very very broken, which bfoster's recent fsx changes have exposed. If the pos and len passed to dax_file_unshare are not aligned to an fsblock boundary, the iter pos and length in the _iter function will reflect this unalignment. dax_iomap_direct_access always returns a pointer to the start of the kmapped fsdax page, eve... • https://git.kernel.org/stable/c/1bec6782a25c9b92c203ea7a1b3e3dc6a468cbc4 •
CVE-2024-50249 – ACPI: CPPC: Make rmw_lock a raw_spin_lock
https://notcve.org/view.php?id=CVE-2024-50249
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Make rmw_lock a raw_spin_lock The following BUG was triggered: ============================= [ BUG: Invalid wait context ] 6.12.0-rc2-XXX #406 Not tainted ----------------------------- kworker/1:1/62 is trying to lock: ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370 other info that might help us debug this: context-{5:5} 2 locks held by kworker/1:1/62: #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, a... • https://git.kernel.org/stable/c/94e8c988468dafde1d2bfe0532a60a3117f6394b •
CVE-2024-50248 – ntfs3: Add bounds checking to mi_enum_attr()
https://notcve.org/view.php?id=CVE-2024-50248
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr doesn't stray beyond the valid memory region. • https://git.kernel.org/stable/c/4534a70b7056fd4b9a1c6db5a4ce3c98546b291e •
CVE-2024-50247 – fs/ntfs3: Check if more than chunk-size bytes are written
https://notcve.org/view.php?id=CVE-2024-50247
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Check if more than chunk-size bytes are written An incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and an index out of bounds will occur in s_max_off. • https://git.kernel.org/stable/c/4534a70b7056fd4b9a1c6db5a4ce3c98546b291e •