CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50273 – btrfs: reinitialize delayed ref list after deleting it from the list
https://notcve.org/view.php?id=CVE-2024-50273
In the Linux kernel, the following vulnerability has been resolved: btrfs: reinitialize delayed ref list after deleting it from the list At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively. If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise. So fix this by deleting from the list with list_del_init() instead. • https://git.kernel.org/stable/c/1d57ee941692d0cc928526e21a1557b2ae3e11db https://git.kernel.org/stable/c/2fd0948a483e9cb2d669c7199bc620a21c97673d https://git.kernel.org/stable/c/93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb https://git.kernel.org/stable/c/bf0b0c6d159767c0d1c21f793950d78486690ee0 https://git.kernel.org/stable/c/c24fa427fc0ae827b2a3a07f13738cbf82c3f851 https://git.kernel.org/stable/c/2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6 https://git.kernel.org/stable/c/f04be6d68f715c1473a8422fc0460f57b5e99931 https://git.kernel.org/stable/c/50a3933760b427759afdd23156a7280a1 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50272 – filemap: Fix bounds checking in filemap_read()
https://notcve.org/view.php?id=CVE-2024-50272
In the Linux kernel, the following vulnerability has been resolved: filemap: Fix bounds checking in filemap_read() If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop. This behaviour was discovered when testing xfstests generic/525 with the "localio" optimisation for loopback NFS mounts. • https://git.kernel.org/stable/c/c2a9737f45e27d8263ff9643f994bda9bac0b944 https://git.kernel.org/stable/c/272830350bb1bb5bb39395966ea63b9864b135d1 https://git.kernel.org/stable/c/fbc7b803831e5c8a42c1f3427a17e55a814d6b3c https://git.kernel.org/stable/c/3d549dcfbbb0ecdaa571431a27ee5da9f2466716 https://git.kernel.org/stable/c/26530b757c81f1389fb33ae0357500150933161b https://git.kernel.org/stable/c/a2746ab3bbc9c6408da5cd072653ec8c24749235 https://git.kernel.org/stable/c/6450e73f4c86d481ac2e22e1bc848d346e140826 https://git.kernel.org/stable/c/ace149e0830c380ddfce7e466fe860ca5 •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2024-50269 – usb: musb: sunxi: Fix accessing an released usb phy
https://notcve.org/view.php?id=CVE-2024-50269
In the Linux kernel, the following vulnerability has been resolved: usb: musb: sunxi: Fix accessing an released usb phy Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit") will cause that usb phy @glue->xceiv is accessed after released. 1) register platform driver @sunxi_musb_driver // get the usb phy @glue->xceiv sunxi_musb_probe() -> devm_usb_get_phy(). 2) register and unregister platform driver @musb_driver musb_probe() -> sunxi_musb_init() use the phy here //the phy is released here musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy() 3) register @musb_driver again musb_probe() -> sunxi_musb_init() use the phy here but the phy has been released at 2). ... Fixed by reverting the commit, namely, removing devm_usb_put_phy() from sunxi_musb_exit(). • https://git.kernel.org/stable/c/6ed05c68cbcae42cd52b8e53b66952bfa9c002ce https://git.kernel.org/stable/c/583a4219841d00e96b5de55be160aa7eb7721a4d https://git.kernel.org/stable/c/b4ecc15d6f5a13c0bbe2777438e87e321f83faaa https://git.kernel.org/stable/c/a2259ebaa933331c53904caf792b619ec42f0da5 https://git.kernel.org/stable/c/721ddad945596220c123eb6f7126729fe277ee4f https://git.kernel.org/stable/c/4aa77d5ea9944468e16c3eed15e858fd5de44de1 https://git.kernel.org/stable/c/6e2848d1c8c0139161e69ac0a94133e90e9988e8 https://git.kernel.org/stable/c/63559ba8077cbadae1c92a65b73ea522b •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50268 – usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
https://notcve.org/view.php?id=CVE-2024-50268
In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() The "*cmd" variable can be controlled by the user via debugfs. That means "new_cam" can be as high as 255 while the size of the uc->updated[] array is UCSI_MAX_ALTMODES (30). The call tree is: ucsi_cmd() // val comes from simple_attr_write_xsigned() -> ucsi_send_command() -> ucsi_send_command_common() -> ucsi_run_command() // calls ucsi->ops->sync_control() -> ucsi_ccg_sync_control() • https://git.kernel.org/stable/c/170a6726d0e266f2c8f306e3d61715c32f4ee41e https://git.kernel.org/stable/c/d76923164705821aa1b01b8d9d1741f20c654ab4 https://git.kernel.org/stable/c/8f47984b35f3be0cfc652c2ca358d5768ea3456b https://git.kernel.org/stable/c/604314ecd682913925980dc955caea2d036eab5f https://git.kernel.org/stable/c/69e19774f15e12dda6c6c58001d059e30895009b https://git.kernel.org/stable/c/3a2ba841659a0f15102585120dea75d8d5209616 https://git.kernel.org/stable/c/7dd08a0b4193087976db6b3ee7807de7e8316f96 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50267 – USB: serial: io_edgeport: fix use after free in debug printk
https://notcve.org/view.php?id=CVE-2024-50267
In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_edgeport: fix use after free in debug printk The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue. • https://git.kernel.org/stable/c/984f68683298ba53af32f909de1f9452fbb37ccb https://git.kernel.org/stable/c/e6ceb04eeb6115d872d4c4078d12f1170ed755ce https://git.kernel.org/stable/c/39709ce93f5c3f9eb535efe2afea088805d1128f https://git.kernel.org/stable/c/e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa https://git.kernel.org/stable/c/44fff2c16c5aafbdb70c7183dae0a415ae74705e https://git.kernel.org/stable/c/275258c30bbda29467216e96fb655b16bcc9992b https://git.kernel.org/stable/c/13d6ff3ca76056d06a9d88300be2a293442ff595 https://git.kernel.org/stable/c/314bdf446053e123f37543aa535197ee7 •