CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-56677 – powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init()
https://notcve.org/view.php?id=CVE-2024-56677
28 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() During early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE, since pageblock_order is still zero and it gets initialized later during initmem_init() e.g. setup_arch() -> initmem_init() -> sparse_init() -> set_pageblock_order() One such use case where this causes issue is - early_setup() -> early_init_devtree() -> fadump_reserve_mem() -> fadump_cma_init() This causes CM... • https://git.kernel.org/stable/c/11ac3e87ce09c27f4587a8c4fe0829d814021a82 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56675 – bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
https://notcve.org/view.php?id=CVE-2024-56675
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU protection. But it is possible to attach a non-sleepable BPF program to a uprobe, and non-sleepable BPF programs are freed via normal RCU (see __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal RCU grace period does not imply a tasks-trace-RCU grace period. Fix it by explicitly waiting fo... • https://git.kernel.org/stable/c/8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56672 – blk-cgroup: Fix UAF in blkcg_unpin_online()
https://notcve.org/view.php?id=CVE-2024-56672
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c... • https://git.kernel.org/stable/c/4308a434e5e08c78676aa66bc626ef78cbef0883 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56670 – usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer
https://notcve.org/view.php?id=CVE-2024-56670
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function,The port->port_usb pointer will be set to NULL. E.g. Thread A Thread B gs_open() gadget_unbind_driver... • https://git.kernel.org/stable/c/c1dca562be8ada614ef193aa246c6f8705bcd6b9 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-56665 – bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog
https://notcve.org/view.php?id=CVE-2024-56665
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog Syzbot reported [1] crash that happens for following tracing scenario: - create tracepoint perf event with attr.inherit=1, attach it to the process and set bpf program to it - attached process forks -> chid creates inherited event the new child event shares the parent's bpf program and tp_event (hence prog_array) which is global for tracepoint - exit both process and its ... • https://git.kernel.org/stable/c/7a5c653ede645693422e43cccaa3e8f905d21c74 •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56664 – bpf, sockmap: Fix race between element replace and close()
https://notcve.org/view.php?id=CVE-2024-56664
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix race between element replace and close() Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_del... • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-56663 – wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one
https://notcve.org/view.php?id=CVE-2024-56663
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. One crash stack for demonstration: ================================================================== BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:... • https://git.kernel.org/stable/c/7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-56662 – acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl
https://notcve.org/view.php?id=CVE-2024-56662
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Fix an issue detected by syzbot with KASAN: BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ core.c:416 [inline] BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459 The issue occurs in cmd_to_func when the call_pkg->nd_reserved2 array is accessed without verifying that call_pkg points to a buffer that is appropriately sized a... • https://git.kernel.org/stable/c/ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56661 – tipc: fix NULL deref in cleanup_bearer()
https://notcve.org/view.php?id=CVE-2024-56661
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix NULL deref in cleanup_bearer() syzbot found [1] that after blamed commit, ub->ubsock->sk was NULL when attempting the atomic_dec() : atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); Fix this by caching the tipc_net pointer. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 0... • https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56660 – net/mlx5: DR, prevent potential error pointer dereference
https://notcve.org/view.php?id=CVE-2024-56660
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, prevent potential error pointer dereference The dr_domain_add_vport_cap() function generally returns NULL on error but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM and if it's and -ENOMEM then the error pointer is propogated back and eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag(). In the Linux kernel, the following vulnerab... • https://git.kernel.org/stable/c/11a45def2e197532c46aa908dedd52bc1ee378a2 •