CVE-2024-46804 – drm/amd/display: Add array index check for hdcp ddc access
https://notcve.org/view.php?id=CVE-2024-46804
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add array index check for hdcp ddc access [Why] Coverity reports OVERRUN warning. Do not check if array index valid. [How] Check msg_id valid and valid array index. • https://git.kernel.org/stable/c/2a63c90c7a90ab2bd23deebc2814fc5b52abf6d2 https://git.kernel.org/stable/c/0ee4387c5a4b57ec733c3fb4365188d5979cd9c7 https://git.kernel.org/stable/c/f338f99f6a04d03c802087d82a83561cbd5bdc99 https://git.kernel.org/stable/c/8b5ccf3d011969417be653b5a145c72dbd30472c https://git.kernel.org/stable/c/a3b5ee22a9d3a30045191da5678ca8451ebaea30 https://git.kernel.org/stable/c/4e70c0f5251c25885c31ee84a31f99a01f7cf50e •
CVE-2024-46803 – drm/amdkfd: Check debug trap enable before write dbg_ev_file
https://notcve.org/view.php?id=CVE-2024-46803
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Check debug trap enable before write dbg_ev_file In interrupt context, write dbg_ev_file will be run by work queue. It will cause write dbg_ev_file execution after debug_trap_disable, which will cause NULL pointer access. v2: cancel work "debug_event_workarea" before set dbg_ev_file as NULL. • https://git.kernel.org/stable/c/e6ea3b8fe398915338147fe54dd2db8155fdafd8 https://git.kernel.org/stable/c/820dcbd38a77bd5fdc4236d521c1c122841227d0 https://git.kernel.org/stable/c/547033b593063eb85bfdf9b25a5f1b8fd1911be2 •
CVE-2024-46802 – drm/amd/display: added NULL check at start of dc_validate_stream
https://notcve.org/view.php?id=CVE-2024-46802
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: added NULL check at start of dc_validate_stream [Why] prevent invalid memory access [How] check if dc and stream are NULL • https://git.kernel.org/stable/c/356fcce9cdbfe338a275e9e1836adfdd7f5c52a9 https://git.kernel.org/stable/c/154a50bf4221a6a6ccf88d565b8184da7c40a2dd https://git.kernel.org/stable/c/6bf920193ba1853bad780bba565a789246d9003c https://git.kernel.org/stable/c/26c56049cc4f1705b498df013949427692a4b0d5 •
CVE-2022-48945 – media: vivid: fix compose size exceed boundary
https://notcve.org/view.php?id=CVE-2022-48945
In the Linux kernel, the following vulnerability has been resolved: media: vivid: fix compose size exceed boundary syzkaller found a bug: BUG: unable to handle page fault for address: ffffc9000a3b1000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:memcpy_erms+0x6/0x10 [...] Call Trace: <TASK> ? tpg_fill_plane_buffer+0x856/0x15b0 vivid_fillbuff+0x8ac/0x1110 vivid_thread_vid_cap_tick+0x361/0xc90 vivid_thread_vid_cap+0x21a/0x3a0 kthread+0x143/0x180 ret_from_fork+0x1f/0x30 </TASK> This is because we forget to check boundary after adjust compose->height int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem for this case. • https://git.kernel.org/stable/c/ef834f7836ec0502f49f20bbc42f1240577a9c83 https://git.kernel.org/stable/c/8c0ee15d9a102c732d0745566d254040085d5663 https://git.kernel.org/stable/c/5edc3604151919da8da0fb092b71d7dce07d848a https://git.kernel.org/stable/c/9c7fba9503b826f0c061d136f8f0c9f953ed18b9 https://git.kernel.org/stable/c/54f259906039dbfe46c550011409fa16f72370f6 https://git.kernel.org/stable/c/f9d19f3a044ca651b0be52a4bf951ffe74259b9f https://git.kernel.org/stable/c/ab54081a2843aefb837812fac5488cc8f1696142 https://git.kernel.org/stable/c/ccb5392c4fea0e7d9f7ab35567e839d74 •
CVE-2024-46800 – sch/netem: fix use after free in netem_dequeue
https://notcve.org/view.php?id=CVE-2024-46800
In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF • https://git.kernel.org/stable/c/50612537e9ab29693122fab20fc1eed235054ffe https://git.kernel.org/stable/c/f0bddb4de043399f16d1969dad5ee5b984a64e7b https://git.kernel.org/stable/c/295ad5afd9efc5f67b86c64fce28fb94e26dc4c9 https://git.kernel.org/stable/c/98c75d76187944296068d685dfd8a1e9fd8c4fdc https://git.kernel.org/stable/c/14f91ab8d391f249b845916820a56f42cf747241 https://git.kernel.org/stable/c/db2c235682913a63054e741fe4e19645fdf2d68e https://git.kernel.org/stable/c/dde33a9d0b80aae0c69594d1f462515d7ff1cb3d https://git.kernel.org/stable/c/32008ab989ddcff1a485fa2b4906234c2 •