CVE-2024-46676 – nfc: pn533: Add poll mod list filling check
https://notcve.org/view.php?id=CVE-2024-46676
In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Add poll mod list filling check In case of im_protocols value is 1 and tm_protocols value is 0 this combination successfully passes the check 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll(). But then after pn533_poll_create_mod_list() call in pn533_start_poll() poll mod list will remain empty and dev->poll_mod_count will remain 0 which lead to division by zero. Normally no im protocol has value 1 in the mask, so this combination is not expected by driver. But these protocol values actually come from userspace via Netlink interface (NFC_CMD_START_POLL operation). So a broken or malicious program may pass a message containing a "bad" combination of protocol parameter values so that dev->poll_mod_count is not incremented inside pn533_poll_create_mod_list(), thus leading to division by zero. Call trace looks like: nfc_genl_start_poll() nfc_start_poll() ->start_poll() pn533_start_poll() Add poll mod list filling check. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/dfccd0f580445d176acea174175b3e6518cc91f7 https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31 https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33 https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723 https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4 https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946 https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5 https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0de •
CVE-2024-46675 – usb: dwc3: core: Prevent USB core invalid event buffer address access
https://notcve.org/view.php?id=CVE-2024-46675
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Prevent USB core invalid event buffer address access This commit addresses an issue where the USB core could access an invalid event buffer address during runtime suspend, potentially causing SMMU faults and other memory issues in Exynos platforms. The problem arises from the following sequence. 1. In dwc3_gadget_suspend, there is a chance of a timeout when moving the USB core to the halt state after clearing the run/stop bit by software. 2. In dwc3_core_exit, the event buffer is cleared regardless of the USB core's status, which may lead to an SMMU faults and other memory issues. if the USB core tries to access the event buffer address. To prevent this hardware quirk on Exynos platforms, this commit ensures that the event buffer address is not cleared by software when the USB core is active during runtime suspend by checking its status before clearing the buffer address. • https://git.kernel.org/stable/c/eca3f543f817da87c00d1a5697b473efb548204f https://git.kernel.org/stable/c/d2afc2bffec77316b90d530b07695e3f534df914 https://git.kernel.org/stable/c/b72da4d89b97da71e056cc4d1429b2bc426a9c2f https://git.kernel.org/stable/c/111277b881def3153335acfe0d1f43e6cd83ac93 https://git.kernel.org/stable/c/2189fd13c577d7881f94affc09c950a795064c4b https://git.kernel.org/stable/c/7bb11a75dd4d3612378b90e2a4aa49bdccea28ab https://git.kernel.org/stable/c/e23f6ad8d110bf632f7471482e10b43dc174fb72 https://git.kernel.org/stable/c/14e497183df28c006603cc67fd3797a53 •
CVE-2024-46674 – usb: dwc3: st: fix probed platform device ref count on probe error path
https://notcve.org/view.php?id=CVE-2024-46674
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any paltform device allocation, thus error path "undo_platform_dev_alloc" is entirely bogus. It drops the reference count from the platform device being probed. If error path is triggered, this will lead to unbalanced device reference counts and premature release of device resources, thus possible use-after-free when releasing remaining devm-managed resources. • https://git.kernel.org/stable/c/f83fca0707c66e36f14efef7f68702cb12de70b7 https://git.kernel.org/stable/c/b0979a885b9d4df2a25b88e9d444ccaa5f9f495c https://git.kernel.org/stable/c/f3498650df0805c75b4e1c94d07423c46cbf4ce1 https://git.kernel.org/stable/c/6aee4c5635d81f4809c3b9f0c198a65adfbb2ada https://git.kernel.org/stable/c/060f41243ad7f6f5249fa7290dda0c01f723d12d https://git.kernel.org/stable/c/4c6735299540f3c82a5033d35be76a5c42e0fb18 https://git.kernel.org/stable/c/e1e5e8ea2731150d5ba7c707f9e02fafebcfeb49 https://git.kernel.org/stable/c/1de989668708ce5875efc9d669d227212 •
CVE-2024-46673 – scsi: aacraid: Fix double-free on probe failure
https://notcve.org/view.php?id=CVE-2024-46673
In the Linux kernel, the following vulnerability has been resolved: scsi: aacraid: Fix double-free on probe failure aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member. After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting.in a double-free. • https://git.kernel.org/stable/c/8e0c5ebde82b08f6d996e11983890fc4cc085fab https://git.kernel.org/stable/c/d237c7d06ffddcdb5d36948c527dc01284388218 https://git.kernel.org/stable/c/564e1986b00c5f05d75342f8407f75f0a17b94df https://git.kernel.org/stable/c/9e96dea7eff6f2bbcd0b42a098012fc66af9eb69 https://git.kernel.org/stable/c/85449b28ff6a89c4513115e43ddcad949b5890c9 https://git.kernel.org/stable/c/60962c3d8e18e5d8dfa16df788974dd7f35bd87a https://git.kernel.org/stable/c/8a3995a3ffeca280a961b59f5c99843d81b15929 https://git.kernel.org/stable/c/4b540ec7c0045c2d01c4e479f34bbc8f1 •
CVE-2024-46672 – wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion
https://notcve.org/view.php?id=CVE-2024-46672
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the driver for SAE/OWE offload cases") SSID based PMKSA del commands. brcmfmac is not prepared and tries to dereference the NULL bssid and pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based updates so copy the SSID. • https://git.kernel.org/stable/c/a96202acaea47fa8377088e0952bb63bd02a3bab https://git.kernel.org/stable/c/4291f94f8c6b01505132c22ee27b59ed27c3584f https://git.kernel.org/stable/c/1f566eb912d192c83475a919331aea59619e1197 https://git.kernel.org/stable/c/2ad4e1ada8eebafa2d75a4b75eeeca882de6ada1 •