CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56669 – iommu/vt-d: Remove cache tags before disabling ATS
https://notcve.org/view.php?id=CVE-2024-56669
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove cache tags before disabling ATS The current implementation removes cache tags after disabling ATS, leading to potential memory leaks and kernel crashes. Specifically, CACHE_TAG_DEVTLB type cache tags may still remain in the list even after the domain is freed, causing a use-after-free condition. This issue really shows up when multiple VFs from different PFs passed through to a single user-space process via vfio-pci. In s... • https://git.kernel.org/stable/c/3b1d9e2b2d6856eabf5faa12d20c97fef657999f •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56668 – iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain
https://notcve.org/view.php?id=CVE-2024-56668
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain The qi_batch is allocated when assigning cache tag for a domain. While for nested parent domain, it is missed. Hence, when trying to map pages to the nested parent, NULL dereference occurred. Also, there is potential memleak since there is no lock around domain->qi_batch allocation. To solve it, add a helper for qi_batch allocation, and call it in both the __cache_tag_assign_do... • https://git.kernel.org/stable/c/705c1cdf1e73c4c727bbfc8775434e6dd36e8baf •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56667 – drm/i915: Fix NULL pointer dereference in capture_engine
https://notcve.org/view.php?id=CVE-2024-56667
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL pointer dereference in capture_engine When the intel_context structure contains NULL, it raises a NULL pointer dereference error in drm_info(). (cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d) In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL pointer dereference in capture_engine When the intel_context structure contains NULL, it raises a NULL pointer dereference er... • https://git.kernel.org/stable/c/e8a3319c31a14aa9925418bc7813c2866903b2c6 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56666 – drm/amdkfd: Dereference null return value
https://notcve.org/view.php?id=CVE-2024-56666
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Dereference null return value In the function pqm_uninit there is a call-assignment of "pdd = kfd_get_process_device_data" which could be null, and this value was later dereferenced without checking. In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Dereference null return value In the function pqm_uninit there is a call-assignment of "pdd = kfd_get_process_device_data" which could be null, and this... • https://git.kernel.org/stable/c/fb91065851cd5f2735348c5f3eddeeca3d7c2973 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-56665 – bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog
https://notcve.org/view.php?id=CVE-2024-56665
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog Syzbot reported [1] crash that happens for following tracing scenario: - create tracepoint perf event with attr.inherit=1, attach it to the process and set bpf program to it - attached process forks -> chid creates inherited event the new child event shares the parent's bpf program and tp_event (hence prog_array) which is global for tracepoint - exit both process and its ... • https://git.kernel.org/stable/c/7a5c653ede645693422e43cccaa3e8f905d21c74 •
CVSS: 6.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56664 – bpf, sockmap: Fix race between element replace and close()
https://notcve.org/view.php?id=CVE-2024-56664
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix race between element replace and close() Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_del... • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-56663 – wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one
https://notcve.org/view.php?id=CVE-2024-56663
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. One crash stack for demonstration: ================================================================== BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:... • https://git.kernel.org/stable/c/7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-56662 – acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl
https://notcve.org/view.php?id=CVE-2024-56662
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Fix an issue detected by syzbot with KASAN: BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ core.c:416 [inline] BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459 The issue occurs in cmd_to_func when the call_pkg->nd_reserved2 array is accessed without verifying that call_pkg points to a buffer that is appropriately sized a... • https://git.kernel.org/stable/c/ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56661 – tipc: fix NULL deref in cleanup_bearer()
https://notcve.org/view.php?id=CVE-2024-56661
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix NULL deref in cleanup_bearer() syzbot found [1] that after blamed commit, ub->ubsock->sk was NULL when attempting the atomic_dec() : atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); Fix this by caching the tipc_net pointer. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 0... • https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56660 – net/mlx5: DR, prevent potential error pointer dereference
https://notcve.org/view.php?id=CVE-2024-56660
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, prevent potential error pointer dereference The dr_domain_add_vport_cap() function generally returns NULL on error but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM and if it's and -ENOMEM then the error pointer is propogated back and eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag(). In the Linux kernel, the following vulnerab... • https://git.kernel.org/stable/c/11a45def2e197532c46aa908dedd52bc1ee378a2 •