CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41062 – bluetooth/l2cap: sync sock recv cb and release
https://notcve.org/view.php?id=CVE-2024-41062
In the Linux kernel, the following vulnerability has been resolved: bluetooth/l2cap: sync sock recv cb and release The problem occurs between the system call to close the sock and hci_rx_work, where the former releases the sock and the latter accesses it without lock protection. CPU0 CPU1 ---- ---- sock_close hci_rx_work l2cap_sock_release hci_acldata_packet l2cap_sock_kill l2cap_recv_frame sk_free l2cap_conless_channel l2cap_sock_recv_cb If hci_rx_work processes the data that needs to be received before the sock is closed, then everything is normal; Otherwise, the work thread may access the released sock when receiving data. Add a chan mutex in the rx callback of the sock to achieve synchronization between the sock release and recv cb. Sock is dead, so set chan data to NULL, avoid others use invalid sock pointer. • https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6 https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629 https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41061 – drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport
https://notcve.org/view.php?id=CVE-2024-41061
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport [Why] Potential out of bounds access in dml2_calculate_rq_and_dlg_params() because the value of out_lowest_state_idx used as an index for FCLKChangeSupport array can be greater than 1. [How] Currently dml2 core specifies identical values for all FCLKChangeSupport elements. Always use index 0 in the condition to avoid out of bounds access. • https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85 https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-41060 – drm/radeon: check bo_va->bo is non-NULL before using it
https://notcve.org/view.php?id=CVE-2024-41060
In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check bo_va->bo is non-NULL before using it The call to radeon_vm_clear_freed might clear bo_va->bo, so we have to check it before dereferencing it. • https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3 https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342 https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536 https://access.redhat.com/security/cve/CVE-2024-41060 https://bugzilla.redhat.com/show_bug.cgi?id=2300434 • CWE-20: Improper Input Validation •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-41059 – hfsplus: fix uninit-value in copy_name
https://notcve.org/view.php?id=CVE-2024-41059
In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. • https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335 https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4 https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0 https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70 https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2 https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f7660 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41058 – cachefiles: fix slab-use-after-free in fscache_withdraw_volume()
https://notcve.org/view.php?id=CVE-2024-41058
In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370 Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798 CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565 Call Trace: kasan_check_range+0xf6/0x1b0 fscache_withdraw_volume+0x2e1/0x370 cachefiles_withdraw_volume+0x31/0x50 cachefiles_withdraw_cache+0x3ad/0x900 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 Allocated by task 5820: __kmalloc+0x1df/0x4b0 fscache_alloc_volume+0x70/0x600 __fscache_acquire_volume+0x1c/0x610 erofs_fscache_register_volume+0x96/0x1a0 erofs_fscache_register_fs+0x49a/0x690 erofs_fc_fill_super+0x6c0/0xcc0 vfs_get_super+0xa9/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] Freed by task 5820: kfree+0xf1/0x2c0 fscache_put_volume.part.0+0x5cb/0x9e0 erofs_fscache_unregister_fs+0x157/0x1b0 erofs_kill_sb+0xd9/0x1c0 deactivate_locked_super+0xa3/0x100 vfs_get_super+0x105/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] ================================================================== Following is the process that triggers the issue: mount failed | daemon exit ------------------------------------------------------------ deactivate_locked_super cachefiles_daemon_release erofs_kill_sb erofs_fscache_unregister_fs fscache_relinquish_volume __fscache_relinquish_volume fscache_put_volume(fscache_volume, fscache_volume_put_relinquish) zero = __refcount_dec_and_test(&fscache_volume->ref, &ref); cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache cachefiles_withdraw_volumes list_del_init(&volume->cache_link) fscache_free_volume(fscache_volume) cache->ops->free_volume cachefiles_free_volume list_del_init(&cachefiles_volume->cache_link); kfree(fscache_volume) cachefiles_withdraw_volume fscache_withdraw_volume fscache_volume->n_accesses // fscache_volume UAF !!! The fscache_volume in cache->volumes must not have been freed yet, but its reference count may be 0. So use the new fscache_try_get_volume() helper function try to get its reference count. If the reference count of fscache_volume is 0, fscache_put_volume() is freeing it, so wait for it to be removed from cache->volumes. If its reference count is not 0, call cachefiles_withdraw_volume() with reference count protection to avoid the above issue. • https://git.kernel.org/stable/c/fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3 https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003 https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36 •