CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46786 – fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF
https://notcve.org/view.php?id=CVE-2024-46786
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache m... • https://git.kernel.org/stable/c/12bb21a29c19aae50cfad4e2bb5c943108f34a7d •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46785 – eventfs: Use list_del_rcu() for SRCU protected list variable
https://notcve.org/view.php?id=CVE-2024-46785
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo "p:kp submit_bio" > /sys/kernel/debug/traci... • https://git.kernel.org/stable/c/5dfb04100326f70e3b2d2872c2476ed20b804837 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46784 – net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
https://notcve.org/view.php?id=CVE-2024-46784
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? • https://git.kernel.org/stable/c/e1b5683ff62e7b328317aec08869495992053e9d •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-46783 – tcp_bpf: fix return value of tcp_bpf_sendmsg()
https://notcve.org/view.php?id=CVE-2024-46783
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <... • https://git.kernel.org/stable/c/4f738adba30a7cfc006f605707e7aee847ffefa0 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-46782 – ila: call nf_unregister_net_hooks() sooner
https://notcve.org/view.php?id=CVE-2024-46782
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_looku... • https://git.kernel.org/stable/c/7f00feaf107645d95a6d87e99b4d141ac0a08efd •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-46781 – nilfs2: fix missing cleanup on rollforward recovery error
https://notcve.org/view.php?id=CVE-2024-46781
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were... • https://git.kernel.org/stable/c/0f3e1c7f23f8a6f8224fa1d275381f6d9279ad4b •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-46780 – nilfs2: protect references to superblock parameters exposed in sysfs
https://notcve.org/view.php?id=CVE-2024-46780
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore "nilfs->ns_sem". Some sysfs attribute show methods read th... • https://git.kernel.org/stable/c/da7141fb78db915680616e15677539fc8140cf53 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46779 – drm/imagination: Free pvr_vm_gpuva after unlink
https://notcve.org/view.php?id=CVE-2024-46779
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly. In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the l... • https://git.kernel.org/stable/c/ff5f643de0bf27874c4033cd57a0bd034b5c7d11 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46778 – drm/amd/display: Check UnboundedRequestEnabled's value
https://notcve.org/view.php?id=CVE-2024-46778
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. This fixes 1 REVERSE_INULL issue reported by Coverity. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value Calcula... • https://git.kernel.org/stable/c/4e2b49a85e7974d21364798c5d4aa8070aa864d9 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-46777 – udf: Avoid excessive partition lengths
https://notcve.org/view.php?id=CVE-2024-46777
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap. In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for... • https://git.kernel.org/stable/c/c0c23130d38e8bc28e9ef581443de9b1fc749966 •