CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50001 – net/mlx5: Fix error path in multi-packet WQE transmit
https://notcve.org/view.php?id=CVE-2024-50001
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix error path in multi-packet WQE transmit Remove the erroneous unmap in case no DMA mapping was established The multi-packet WQE transmit code attempts to obtain a DMA mapping for the skb. This could fail, e.g. under memory pressure, when the IOMMU driver just can't allocate more memory for page tables. While the code tries to handle this in the path below the err_unmap label it erroneously unmaps one entry from the sq's FIFO li... • https://git.kernel.org/stable/c/5af75c747e2a868abbf8611494b50ed5e076fca7 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50000 – net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
https://notcve.org/view.php?id=CVE-2024-50000
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() In mlx5e_tir_builder_alloc() kvzalloc() may return NULL which is dereferenced on the next line in a reference to the modify field. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() In mlx5e_tir_builder_alloc() kvzalloc() may return NULL which is dere... • https://git.kernel.org/stable/c/a6696735d694b365bca45873e9dbca26120a8375 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-49999 – afs: Fix the setting of the server responding flag
https://notcve.org/view.php?id=CVE-2024-49999
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: afs: Fix the setting of the server responding flag In afs_wait_for_operation(), we set transcribe the call responded flag to the server record that we used after doing the fileserver iteration loop - but it's possible to exit the loop having had a response from the server that we've discarded (e.g. it returned an abort or we started receiving data, but the call didn't complete). This means that op->server might be NULL, but we don't check t... • https://git.kernel.org/stable/c/98f9fda2057ba34b720c4d353351024d6dcee90f •
CVSS: 4.7EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49998 – net: dsa: improve shutdown sequence
https://notcve.org/view.php?id=CVE-2024-49998
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: improve shutdown sequence Alexander Sverdlin presents 2 problems during shutdown with the lan9303 driver. One is specific to lan9303 and the other just happens to reproduce there. The first problem is that lan9303 is unique among DSA drivers in that it calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown, not remove): phy_state_machine() -> ... -> dsa_user_phy_read() -> ds->ops->phy_read() -> lan9303_phy_read() ... • https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49997 – net: ethernet: lantiq_etop: fix memory disclosure
https://notcve.org/view.php?id=CVE-2024-49997
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix memory disclosure When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses skb_put_padto() to pad Ethernet frames properly. The mentioned function zeroes the expanded buffer. In case the packet cannot be padded it is silently dropped. • https://git.kernel.org/stable/c/504d4721ee8e432af4b5f196a08af38bc4dac5fe •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49996 – cifs: Fix buffer overflow when parsing NFS reparse points
https://notcve.org/view.php?id=CVE-2024-49996
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix buffer overflow when parsing NFS reparse points ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable l... • https://git.kernel.org/stable/c/d5ecebc4900df7f6e8dff0717574668885110553 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49995 – tipc: guard against string buffer overrun
https://notcve.org/view.php?id=CVE-2024-49995
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: tipc: guard against string buffer overrun Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by us... • https://git.kernel.org/stable/c/8298b6e45fb4d8944f356b08e4ea3e54df5e0488 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-49994 – block: fix integer overflow in BLKSECDISCARD
https://notcve.org/view.php?id=CVE-2024-49994
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limi... • https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49992 – drm/stm: Avoid use-after-free issues with crtc and plane
https://notcve.org/view.php?id=CVE-2024-49992
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/stm: Avoid use-after-free issues with crtc and plane ltdc_load() calls functions drm_crtc_init_with_planes(), drm_universal_plane_init() and drm_encoder_init(). These functions should not be called with parameters allocated with devm_kzalloc() to avoid use-after-free issues [1]. Use allocations managed by the DRM framework. Found by Linux Verification Center (linuxtesting.org). [1] https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2... • https://git.kernel.org/stable/c/d02611ff001454358be6910cb926799e2d818716 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49991 – drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
https://notcve.org/view.php?id=CVE-2024-49991
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug. In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pass pointer reference to amdgpu_bo_unref to clear the correc... • https://git.kernel.org/stable/c/e7831613cbbcd9058d3658fbcdc5d5884ceb2e0c •