CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-47686 – ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()
https://notcve.org/view.php?id=CVE-2024-47686
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() The psc->div[] array has psc->num_div elements. These values come from when we call clk_hw_register_div(). It's adc_divisors and ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >= instead of > to prevent an out of bounds read. In the Linux kernel, the following vulnerability has been resolved: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() The psc->div[]... • https://git.kernel.org/stable/c/9645ccc7bd7a16cd73c3be9dee70cd702b03be37 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-47685 – netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
https://notcve.org/view.php?id=CVE-2024-47685
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1) Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put() BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255... • https://git.kernel.org/stable/c/c8d7b98bec43faaa6583c3135030be5eb4693acb •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2024-47684 – tcp: check skb is non-NULL in tcp_rto_delta_us()
https://notcve.org/view.php?id=CVE-2024-47684
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: tcp: check skb is non-NULL in tcp_rto_delta_us() We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting hit from the RACK case as well. Here are examples of the oops messages we saw in each of those cases: Jul 26 15:05:02 rx [11061395.780353] BUG: ... • https://git.kernel.org/stable/c/e1a10ef7fa876f8510aaec36ea5c0cf34baba410 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-47683 – drm/amd/display: Skip Recompute DSC Params if no Stream on Link
https://notcve.org/view.php?id=CVE-2024-47683
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip Recompute DSC Params if no Stream on Link [why] Encounter NULL pointer dereference uner mst + dsc setup. BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2 Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022 RIP: 0010:drm_dp_atomic_find_time... • https://git.kernel.org/stable/c/7c887efda1201110211fed8921a92a713e0b6bcd •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-47682 – scsi: sd: Fix off-by-one error in sd_read_block_characteristics()
https://notcve.org/view.php?id=CVE-2024-47682
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: sd: Fix off-by-one error in sd_read_block_characteristics() Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8. In the Linux kernel, the following vulnerability has been resolved: scsi: sd: Fix off-by-one error in sd_read_block_characteristics() Ff the device returns page 0xb1 with len... • https://git.kernel.org/stable/c/7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47681 – wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he
https://notcve.org/view.php?id=CVE-2024-47681
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he Fix the NULL pointer dereference in mt7996_mcu_sta_bfer_he routine adding an sta interface to the mt7996 driver. Found by code review. • https://git.kernel.org/stable/c/98686cd21624c75a043e96812beadddf4f6f48e5 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-47679 – vfs: fix race between evice_inodes() and find_inode()&iput()
https://notcve.org/view.php?id=CVE-2024-47679
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict... • https://git.kernel.org/stable/c/63997e98a3be68d7cec806d22bf9b02b2e1daabb •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-47678 – icmp: change the order of rate limits
https://notcve.org/view.php?id=CVE-2024-47678
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: icmp: change the order of rate limits ICMP messages are ratelimited : After the blamed commits, the two rate limiters are applied in this order: 1) host wide ratelimit (icmp_global_allow()) 2) Per destination ratelimit (inetpeer based) In order to avoid side-channels attacks, we need to apply the per destination check first. This patch makes the following change : 1) icmp_global_allow() checks if the host wide limit is reached. But credits ... • https://git.kernel.org/stable/c/4cdf507d54525842dfd9f6313fdafba039084046 •
CVSS: 6.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47675 – bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()
https://notcve.org/view.php?id=CVE-2024-47675
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in bpf_uprobe_multi_link_attach() If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the error_free label and frees the array of bpf_uprobe's without calling bpf_uprobe_unregister(). This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer without removing it from the uprobe->consumers list. • https://git.kernel.org/stable/c/89ae89f53d201143560f1e9ed4bfa62eee34f88e • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-47674 – mm: avoid leaving partial pfn mappings around in error case
https://notcve.org/view.php?id=CVE-2024-47674
15 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: mm: avoid leaving partial pfn mappings around in error case As Jann points out, PFN mappings are special, because unlike normal memory mappings, there is no lifetime information associated with the mapping - it is just a raw mapping of PFNs with no reference counting of a 'struct page'. That's all very much intentional, but it does mean that it's easy to mess up the cleanup in case of errors. Yes, a failed mmap() will always eventually clea... • https://git.kernel.org/stable/c/3213fdcab961026203dd587a4533600c70b3336b •