CVE-2024-42115 – jffs2: Fix potential illegal address access in jffs2_free_inode
https://notcve.org/view.php?id=CVE-2024-42115
In the Linux kernel, the following vulnerability has been resolved: jffs2: Fix potential illegal address access in jffs2_free_inode During the stress testing of the jffs2 file system,the following abnormal printouts were found: [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 [ 2430.649622] Mem abort info: [ 2430.649829] ESR = 0x96000004 [ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits [ 2430.650564] SET = 0, FnV = 0 [ 2430.650795] EA = 0, S1PTW = 0 [ 2430.651032] FSC = 0x04: level 0 translation fault [ 2430.651446] Data abort info: [ 2430.651683] ISV = 0, ISS = 0x00000004 [ 2430.652001] CM = 0, WnR = 0 [ 2430.652558] [0069696969696948] address between user and kernel address ranges [ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 [ 2430.655008] Hardware name: linux,dummy-virt (DT) [ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2430.656142] pc : kfree+0x78/0x348 [ 2430.656630] lr : jffs2_free_inode+0x24/0x48 [ 2430.657051] sp : ffff800009eebd10 [ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 [ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 [ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 [ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 [ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 [ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 [ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 [ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 [ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 [ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 [ 2430.664217] Call trace: [ 2430.664528] kfree+0x78/0x348 [ 2430.664855] jffs2_free_inode+0x24/0x48 [ 2430.665233] i_callback+0x24/0x50 [ 2430.665528] rcu_do_batch+0x1ac/0x448 [ 2430.665892] rcu_core+0x28c/0x3c8 [ 2430.666151] rcu_core_si+0x18/0x28 [ 2430.666473] __do_softirq+0x138/0x3cc [ 2430.666781] irq_exit+0xf0/0x110 [ 2430.667065] handle_domain_irq+0x6c/0x98 [ 2430.667447] gic_handle_irq+0xac/0xe8 [ 2430.667739] call_on_irq_stack+0x28/0x54 The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of the jffs_inode_info structure. It was found that all variables in the jffs_inode_info structure were 5a5a5a5a, except for the first member sem. It is suspected that these variables are not initialized because they were set to 5a5a5a5a during memory testing, which is meant to detect uninitialized memory.The sem variable is initialized in the function jffs2_i_init_once, while other members are initialized in the function jffs2_init_inode_info. The function jffs2_init_inode_info is called after iget_locked, but in the iget_locked function, the destroy_inode process is triggered, which releases the inode and consequently, the target member of the inode is not initialized.In concurrent high pressure scenarios, iget_locked may enter the destroy_inode branch as described in the code. Since the destroy_inode functionality of jffs2 only releases the target, the fix method is to set target to NULL in jffs2_i_init_once. • https://git.kernel.org/stable/c/b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8 https://git.kernel.org/stable/c/0b3246052e01e61a55bb3a15b76acb006759fe67 https://git.kernel.org/stable/c/6d6d94287f6365282bbf41e9a5b5281985970789 https://git.kernel.org/stable/c/5ca26334fc8a3711fed14db7f9eb1c621be4df65 https://git.kernel.org/stable/c/751987a5d8ead0cc405fad96e83ebbaa51c82dbc https://git.kernel.org/stable/c/d0bbbf31462a400bef4df33e22de91864f475455 https://git.kernel.org/stable/c/05fc1ef892f862c1197b11b288bc00f602d2df0c https://git.kernel.org/stable/c/af9a8730ddb6a4b2edd779ccc0aceb994 •
CVE-2024-42105 – nilfs2: fix inode number range checks
https://notcve.org/view.php?id=CVE-2024-42105
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix inode number range checks Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. • https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476 https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4 https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5 https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987 https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783 https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f3455135 •
CVE-2024-42104 – nilfs2: add missing check for inode numbers on directory entries
https://notcve.org/view.php?id=CVE-2024-42104
In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. • https://git.kernel.org/stable/c/c33c2b0d92aa1c2262d999b2598ad6fbd53bd479 https://git.kernel.org/stable/c/07c176e7acc5579c133bb923ab21316d192d0a95 https://git.kernel.org/stable/c/2f2fa9cf7c3537958a82fbe8c8595a5eb0861ad7 https://git.kernel.org/stable/c/b11e8fb93ea5eefb2e4e719497ea177a58ff6131 https://git.kernel.org/stable/c/1b7d549ed2c1fa202c751b69423a0d3a6bd5a180 https://git.kernel.org/stable/c/3ab40870edb883b9633dc5cd55f5a2a11afa618d https://git.kernel.org/stable/c/265fff1a01cdc083aeaf0d934c929db5cc64aebf https://git.kernel.org/stable/c/bb76c6c274683c8570ad788f79d4b875b •
CVE-2024-42101 – drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes
https://notcve.org/view.php?id=CVE-2024-42101
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes In nouveau_connector_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. A flaw was found in the Linux kernel’s nouveau module. The return value of the drm_mode_duplicate function is not checked in the nouveau_connector_get_modes function in the drivers/gpu/drm/nouveau/nouveau_connector.c file, possibly causing a NULL pointer dereference and resulting in a denial of service. • https://git.kernel.org/stable/c/6ee738610f41b59733f63718f0bdbcba7d3a3f12 https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07 https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9 https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16 • CWE-476: NULL Pointer Dereference •
CVE-2023-52888 – media: mediatek: vcodec: Only free buffer VA that is not NULL
https://notcve.org/view.php?id=CVE-2023-52888
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Only free buffer VA that is not NULL In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly called only when the buffer to free exists, there are some instances that didn't do the check and triggered warnings in practice. We believe those checks were forgotten unintentionally. Add the checks back to fix the warnings. • https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91 https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04 https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32 •