CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-49871 – Input: adp5589-keys - fix NULL pointer dereference
https://notcve.org/view.php?id=CVE-2024-49871
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Input: adp5589-keys - fix NULL pointer dereference We register a devm action to call adp5589_clear_config() and then pass the i2c client as argument so that we can call i2c_get_clientdata() in order to get our device object. However, i2c_set_clientdata() is only being set at the end of the probe function which means that we'll get a NULL pointer dereference in case the probe function fails early. Ubuntu Security Notice 7166-3 - Several se... • https://git.kernel.org/stable/c/30df385e35a48f773b85117fc490152c2395e45b •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49870 – cachefiles: fix dentry leak in cachefiles_open_file()
https://notcve.org/view.php?id=CVE-2024-49870
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix dentry leak in cachefiles_open_file() A dentry leak may be caused when a lookup cookie and a cull are concurrent: P1 | P2 ----------------------------------------------------------- cachefiles_lookup_cookie cachefiles_look_up_object lookup_one_positive_unlocked // get dentry cachefiles_cull inode->i_flags |= S_KERNEL_F... • https://git.kernel.org/stable/c/1f08c925e7a38002bde509e66f6f891468848511 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-49869 – btrfs: send: fix buffer overflow detection when copying path to cache entry
https://notcve.org/view.php?id=CVE-2024-49869
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: send: fix buffer overflow detection when copying path to cache entry Starting with commit c0247d289e73 ("btrfs: send: annotate struct name_cache_entry with __counted_by()") we annotated the variable length array "name" from the name_cache_entry structure with __counted_by() to improve overflow detection. However that alone was not correct, because the length of that array does not match the "name_len" field - it matches that plus 1... • https://git.kernel.org/stable/c/c0247d289e73e18f6ddb0895de30c09770fbed95 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49868 – btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
https://notcve.org/view.php?id=CVE-2024-49868
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a NULL pointer dereference when failed to start a new trasacntion [BUG] Syzbot reported a NULL pointer dereference with the following crash: FAULT_INJECTION: forcing a failure. start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676 prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642 relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678 ... BTRFS info (device loop0): balance: ended with status: -1... • https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49867 – btrfs: wait for fixup workers before stopping cleaner kthread during umount
https://notcve.org/view.php?id=CVE-2024-49867
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the following steps in this order: 1) Park the cleaner kthread - this doesn't destroy the kthread, it basically halts its execution (wake ups against it work but do nothing); 2) We stop the cleaner kthread - this results in freeing the respective struct task_struct; 3) We call btrfs_stop_all_workers() which waits ... • https://git.kernel.org/stable/c/cd686dfff63f27d712877aef5b962fbf6b8bc264 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-49866 – tracing/timerlat: Fix a race during cpuhp processing
https://notcve.org/view.php?id=CVE-2024-49866
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Fix a race during cpuhp processing There is another found exception that the "timerlat/1" thread was scheduled on CPU0, and lead to timer corruption finally: ``` ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220 WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0 Modules linked in: CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainte... • https://git.kernel.org/stable/c/c8895e271f7994a3ecb13b8a280e39aa53879545 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-49865 – drm/xe/vm: move xa_alloc to prevent UAF
https://notcve.org/view.php?id=CVE-2024-49865
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: move xa_alloc to prevent UAF Evil user can guess the next id of the vm before the ioctl completes and then call vm destroy ioctl to trigger UAF since create ioctl is still referencing the same vm. Move the xa_alloc all the way to the end to prevent this. v2: - Rebase (cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9) • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-49864 – rxrpc: Fix a race between socket set up and I/O thread creation
https://notcve.org/view.php?id=CVE-2024-49864
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix a race between socket set up and I/O thread creation In rxrpc_open_socket(), it sets up the socket and then sets up the I/O thread that will handle it. This is a problem, however, as there's a gap between the two phases in which a packet may come into rxrpc_encap_rcv() from the UDP packet but we oops when trying to wake the not-yet created I/O thread. As a quick fix, just make rxrpc_encap_rcv() discard the packet if there's n... • https://git.kernel.org/stable/c/a275da62e8c111b897b9cb73eb91df2f4e475ca5 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49863 – vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
https://notcve.org/view.php?id=CVE-2024-49863
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when guest sends an SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a ... • https://git.kernel.org/stable/c/3f8ca2e115e55af4c15d97dda635e948d2e380be •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-49862 – powercap: intel_rapl: Fix off by one in get_rpi()
https://notcve.org/view.php?id=CVE-2024-49862
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: powercap: intel_rapl: Fix off by one in get_rpi() The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >= to prevent an off by one access. • https://git.kernel.org/stable/c/98ff639a7289067247b3ef9dd5d1e922361e7365 •