CVE-2024-46796 – smb: client: fix double put of @cfile in smb2_set_path_size()
https://notcve.org/view.php?id=CVE-2024-46796
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call. This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? • https://git.kernel.org/stable/c/1e60bc0e954389af82f1d9a85f13a63f6572350f https://git.kernel.org/stable/c/71f15c90e785d1de4bcd65a279e7256684c25c0d https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28 https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638 https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220 •
CVE-2024-46795 – ksmbd: unset the binding mark of a reused connection
https://notcve.org/view.php?id=CVE-2024-46795
In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] <TASK> ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? • https://git.kernel.org/stable/c/f5a544e3bab78142207e0242d22442db85ba1eff https://git.kernel.org/stable/c/9914f1bd61d5e838bb1ab15a71076d37a6db65d1 https://git.kernel.org/stable/c/93d54a4b59c4b3d803d20aa645ab5ca71f3b3b02 https://git.kernel.org/stable/c/41bc256da7e47b679df87c7fc7a5b393052b9cce https://git.kernel.org/stable/c/4c8496f44f5bb5c06cdef5eb130ab259643392a1 https://git.kernel.org/stable/c/78c5a6f1f630172b19af4912e755e1da93ef0ab5 •
CVE-2024-46794 – x86/tdx: Fix data leak in mmio_read()
https://notcve.org/view.php?id=CVE-2024-46794
In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ] • https://git.kernel.org/stable/c/31d58c4e557d46fa7f8557714250fb6f89c941ae https://git.kernel.org/stable/c/26c6af49d26ffc377e392e30d4086db19eed0ef7 https://git.kernel.org/stable/c/ef00818c50cf55a3a56bd9a9fae867c92dfb84e7 https://git.kernel.org/stable/c/b55ce742afcb8e8189d82f2f1e635ba1b5a461fa https://git.kernel.org/stable/c/b6fb565a2d15277896583d471b21bc14a0c99661 •
CVE-2024-46793 – ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder
https://notcve.org/view.php?id=CVE-2024-46793
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the "dummy" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] <TASK> ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0. • https://git.kernel.org/stable/c/7d99a70b65951108d82e1618c67abe69c3ed7720 https://git.kernel.org/stable/c/85cda5b040bda9c577b34eb72d5b2e5b7e31985c https://git.kernel.org/stable/c/0cc65482f5b03ac2b1c240bc34665e43ea2d71bb •
CVE-2024-46792 – riscv: misaligned: Restrict user access to kernel memory
https://notcve.org/view.php?id=CVE-2024-46792
In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address. • https://git.kernel.org/stable/c/7c83232161f609bbc452a1255f823f41afc411dd https://git.kernel.org/stable/c/a3b6ff6c896aee5ef9b581e40d0045ff04fcbc8c https://git.kernel.org/stable/c/b686ecdeacf6658e1348c1a32a08e2e72f7c0f00 •