CVE-2024-56615 – bpf: fix OOB devmap writes when deleting elements
https://notcve.org/view.php?id=CVE-2024-56615
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: fix OOB devmap writes when deleting elements Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case, one more thing needs to be addressed. When map is released from system via dev_map_free(), we iterate through all of the entries and an ite... • https://git.kernel.org/stable/c/546ac1ffb70d25b56c1126940e5ec639c4dd7413 •
CVE-2024-56614 – xsk: fix OOB map writes when deleting elements
https://notcve.org/view.php?id=CVE-2024-56614
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: xsk: fix OOB map writes when deleting elements Jordy says: " In the xsk_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds check: if (k >= map->max_entries) return -EINVAL; This allows k to hold a negative value (between -2147483648 and -2), which is then used... • https://git.kernel.org/stable/c/fbfc504a24f53f7ebe128ab55cb5dba634f4ece8 •
CVE-2024-56611 – mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM
https://notcve.org/view.php?id=CVE-2024-56611
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM We currently assume that there is at least one VMA in a MM, which isn't true. So we might end up having find_vma() return NULL, to then de-reference NULL. So properly handle find_vma() returning NULL. This fixes the report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-... • https://git.kernel.org/stable/c/39743889aaf76725152f16aa90ca3c45f6d52da3 •
CVE-2024-56610 – kcsan: Turn report_filterlist_lock into a raw_spinlock
https://notcve.org/view.php?id=CVE-2024-56610
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: kcsan: Turn report_filterlist_lock into a raw_spinlock Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see splats like: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 10002, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 156674 | hard... • https://git.kernel.org/stable/c/f4f2ef66d288ea796ddb8ecbdc2df074ab2d5f4d •
CVE-2024-56609 – wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb
https://notcve.org/view.php?id=CVE-2024-56609
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb When removing kernel modules by: rmmod rtw88_8723cs rtw88_8703b rtw88_8723x rtw88_sdio rtw88_core Driver uses skb_queue_purge() to purge TX skb, but not report tx status causing "Have pending ack frames!" warning. Use ieee80211_purge_tx_queue() to correct this. Since ieee80211_purge_tx_queue() doesn't take locks, to prevent racing between TX work and purge TX queue, flush an... • https://git.kernel.org/stable/c/9bca6528f20325d30c22236b23116f161d418f6d •
CVE-2024-56608 – drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
https://notcve.org/view.php?id=CVE-2024-56608
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' An issue was identified in the dcn21_link_encoder_create function where an out-of-bounds access could occur when the hpd_source index was used to reference the link_enc_hpd_regs array. This array has a fixed size and the index was not being checked against the array's bounds before accessing it. This fix adds a conditional check to ensure that the hpd_source index i... • https://git.kernel.org/stable/c/f01ddd589e162979421e6914b1c74018633f01e0 •
CVE-2024-56607 – wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask()
https://notcve.org/view.php?id=CVE-2024-56607
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask() When I try to manually set bitrates: iw wlan0 set bitrates legacy-2.4 1 I get sleeping from invalid context error, see below. Fix that by switching to use recently introduced ieee80211_iterate_stations_mtx(). Do note that WCN6855 firmware is still crashing, I'm not sure if that firmware even supports bitrate WMI commands and should we consider disabling ath12k_mac_op_se... • https://git.kernel.org/stable/c/2093f062b26805789b73f2af214691475d9baa29 •
CVE-2024-56606 – af_packet: avoid erroring out after sock_init_data() in packet_create()
https://notcve.org/view.php?id=CVE-2024-56606
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: af_packet: avoid erroring out after sock_init_data() in packet_create() After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object leaving the dangling pointer in the sock object on return. Some other code may try to use this pointer and cause use-after-free. • https://git.kernel.org/stable/c/71b22837a5e55ac27d6a14b9cdf2326587405c4f •
CVE-2024-56605 – Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
https://notcve.org/view.php?id=CVE-2024-56605
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code. • https://git.kernel.org/stable/c/f6ad641646b67f29c7578dcd6c25813c7dcbf51e •
CVE-2024-56604 – Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()
https://notcve.org/view.php?id=CVE-2024-56604
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() bt_sock_alloc() attaches allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause use-after-free. Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc(). • https://git.kernel.org/stable/c/ac3eaac4cf142a15fe67be747a682b1416efeb6e •