CVE-2024-43854 – block: initialize integrity buffer to zero before writing it to media
https://notcve.org/view.php?id=CVE-2024-43854
In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes. • https://git.kernel.org/stable/c/7ba1ba12eeef0aa7113beb16410ef8b7c748e18b https://git.kernel.org/stable/c/9f4af4cf08f9a0329ade3d938f55d2220c40d0a6 https://git.kernel.org/stable/c/129f95948a96105c1fad8e612c9097763e88ac5f https://git.kernel.org/stable/c/3fd11fe4f20756b4c0847f755a64cd96f8c6a005 https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2 https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1 https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644 https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b198 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2024-43853 – cgroup/cpuset: Prevent UAF in proc_cpuset_show()
https://notcve.org/view.php?id=CVE-2024-43853
In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: Prevent UAF in proc_cpuset_show() An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly. The race that cause this bug can be shown as below: (umount) | (cat /proc/<pid>/cpuset) css_release | proc_cpuset_show css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); cgroup_destroy_root | mutex_lock(&cgroup_mutex); rebind_subsystems | cgroup_free_root | | // cgrp was freed, UAF | cgroup_path_ns_locked(cgrp,..); When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. • https://git.kernel.org/stable/c/a79a908fd2b080977b45bf103184b81c9d11ad07 https://git.kernel.org/stable/c/27d6dbdc6485d68075a0ebf8544d6425c1ed84bb https://git.kernel.org/stable/c/10aeaa47e4aa2432f29b3e5376df96d7dac5537a https://git.kernel.org/stable/c/688325078a8b5badd6e07ae22b27cd04e9947aec https://git.kernel.org/stable/c/4e8d6ac8fc9f843e940ab7389db8136634e07989 https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4 https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080 https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4 •
CVE-2024-43839 – bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
https://notcve.org/view.php?id=CVE-2024-43839
In the Linux kernel, the following vulnerability has been resolved: bna: adjust 'name' buf size of bna_tcb and bna_ccb structures To have enough space to write all possible sprintf() args. Currently 'name' size is 16, but the first '%s' specifier may already need at least 16 characters, since 'bnad->netdev->name' is used there. For '%d' specifiers, assume that they require: * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8 * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX is 16 And replace sprintf with snprintf. Detected using the static analysis tool - Svace. • https://git.kernel.org/stable/c/8b230ed8ec96c933047dd0625cf95f739e4939a6 https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540 https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76 https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1 https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3 https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43 https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09f •
CVE-2024-43819 – kvm: s390: Reject memory region operations for ucontrol VMs
https://notcve.org/view.php?id=CVE-2024-43819
In the Linux kernel, the following vulnerability has been resolved: kvm: s390: Reject memory region operations for ucontrol VMs This change rejects the KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM. This is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and would thus result in a null pointer dereference further in. Memory management needs to be performed in userspace and using the ioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP. Also improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2. [frankja@linux.ibm.com: commit message spelling fix, subject prefix fix] • https://git.kernel.org/stable/c/27e0393f15fc8bc855c6a888387ff5ffd2181089 https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6 https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499 •
CVE-2024-42322 – ipvs: properly dereference pe in ip_vs_add_service
https://notcve.org/view.php?id=CVE-2024-42322
In the Linux kernel, the following vulnerability has been resolved: ipvs: properly dereference pe in ip_vs_add_service Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression • https://git.kernel.org/stable/c/39b9722315364121c6e2524515a6e95d52287549 https://git.kernel.org/stable/c/3dd428039e06e1967ce294e2cd6342825aaaad77 https://git.kernel.org/stable/c/c420cd5d5bc6797f3a8824e7d74f38f0c286fca5 https://git.kernel.org/stable/c/cbd070a4ae62f119058973f6d2c984e325bce6e7 https://access.redhat.com/security/cve/CVE-2024-42322 https://bugzilla.redhat.com/show_bug.cgi?id=2305467 •