CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-49885 – mm, slub: avoid zeroing kmalloc redzone
https://notcve.org/view.php?id=CVE-2024-49885
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: mm, slub: avoid zeroing kmalloc redzone Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra allocated kmalloc space than requested"), setting orig_size treats the wasted space (object_size - orig_size) as a redzone. However with init_on_free=1 we clear the full object->size, including the redzone. Additionally we clear the object metadata, including the stored orig_size, making it zero, which makes check_object() treat the wh... • https://git.kernel.org/stable/c/946fa0dbf2d8923a587f7348adf16563d59f1b3d •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49884 – ext4: fix slab-use-after-free in ext4_split_extent_at()
https://notcve.org/view.php?id=CVE-2024-49884
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49883 – ext4: aovid use-after-free in ext4_ext_insert_extent()
https://notcve.org/view.php?id=CVE-2024-49883
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: aovid use-after-free in ext4_ext_insert_extent() As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and cause UAF. Below is a sample trace with dummy values: ext4_ext_insert_extent path = *ppath = 2000 ext4_ext_create_new_leaf(ppath) ext4_find_extent(ppath) path = *ppath = 2000 if (depth > path[0].p_maxdepth) kfree(path = 2000); *ppath = path = ... • https://git.kernel.org/stable/c/10809df84a4d868db61af621bae3658494165279 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49882 – ext4: fix double brelse() the buffer of the extents path
https://notcve.org/view.php?id=CVE-2024-49882
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix double brelse() the buffer of the extents path In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been released, otherwise it may be released twice. An example of what triggers this is as follows: split2 map split1 |--------|-------|--------| ext4_ext_map_blocks ext4_ext_handle_unwritten_extents ext4_split_convert_extents // path->p_depth == 0 ext4_split_extent // 1. do split1 ext4_split_extent_at |ext4_ext_inser... • https://git.kernel.org/stable/c/ecb94f5fdf4b72547fca022421a9dca1672bddd4 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49881 – ext4: update orig_path in ext4_find_extent()
https://notcve.org/view.php?id=CVE-2024-49881
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: update orig_path in ext4_find_extent() In ext4_find_extent(), if the path is not big enough, we free it and set *orig_path to NULL. But after reallocating and successfully initializing the path, we don't update *orig_path, in which case the caller gets a valid path but a NULL ppath, and this may cause a NULL pointer dereference or a path memory leak. For example: ext4_split_extent path = *ppath = 2000 ext4_find_extent if (depth > path... • https://git.kernel.org/stable/c/10809df84a4d868db61af621bae3658494165279 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-49880 – ext4: fix off by one issue in alloc_flex_gd()
https://notcve.org/view.php?id=CVE-2024-49880
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix off by one issue in alloc_flex_gd() Wesley reported an issue: ================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_s... • https://git.kernel.org/stable/c/665d3e0af4d35acf9a5f58dfd471bc27dbf55880 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49879 – drm: omapdrm: Add missing check for alloc_ordered_workqueue
https://notcve.org/view.php?id=CVE-2024-49879
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. Andy N... • https://git.kernel.org/stable/c/2f95bc6d324a93b2411bcc5defe4d4414c45f325 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-49878 – resource: fix region_intersects() vs add_memory_driver_managed()
https://notcve.org/view.php?id=CVE-2024-49878
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a des... • https://git.kernel.org/stable/c/c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-49877 – ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
https://notcve.org/view.php?id=CVE-2024-49877
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if bh is NULL. In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer derefe... • https://git.kernel.org/stable/c/6c150df9c2e80b5cf86f5a0d98beb7390ad63bfc •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-49876 – drm/xe: fix UAF around queue destruction
https://notcve.org/view.php?id=CVE-2024-49876
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/xe: fix UAF around queue destruction We currently do stuff like queuing the final destruction step on a random system wq, which will outlive the driver instance. With bad timing we can teardown the driver with one or more work workqueue still being alive leading to various UAF splats. Add a fini step to ensure user queues are properly torn down. At this point GuC should already be nuked so queue itself should no longer be referenced fro... • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 •