Linux Kernel Security Vulnerabilities

CVE-2024-36884

In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault() This was missed because of the function pointer indirection. nvidia_smmu_context_fault() is also installed as a irq function, and the'void *' was changed to a stru...

CVE-2024-36885

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor() Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit aBUG() on startup: kernel BUG at include/linux/scatterlist.h:187!invalid opcode: 0000 [#1] PREE...

CVE-2024-36886

In the Linux kernel, the following vulnerability has been resolved: tipc: fix UAF in error path Sam Page (sam4k) working with Trend Micro Zero Day Initiative reporteda UAF in the tipc_buf_append() error path: BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0linux/net/core/skbuff....

CVE-2024-36887

In the Linux kernel, the following vulnerability has been resolved: e1000e: change usleep_range to udelay in PHY mdic access This is a partial revert of commit 6dbdd4de0362 ("e1000e: Workaroundfor sporadic MDI error on Meteor Lake systems"). The referenced commitused usleep_range inside the PHY acc...

CVE-2024-36888

In the Linux kernel, the following vulnerability has been resolved: workqueue: Fix selection of wake_cpu in kick_pool() With cpu_possible_mask=0-63 and cpu_online_mask=0-7 the followingkernel oops was observed: smp: Bringing up secondary CPUs ...smp: Brought up 1 node, 8 CPUsUnable to handle kernel...

CVE-2024-36889

In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_nxt is properly initialized on connect Christoph reported a splat hinting at a corrupted snd_una: WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005Modules...

CVE-2024-36890

In the Linux kernel, the following vulnerability has been resolved: mm/slab: make __free(kfree) accept error pointers Currently, if an automatically freed allocation is an error pointer thatwill lead to a crash. An example of this is in wm831x_gpio_dbg_show(). 171 char *label __free(kfree) = gpioch...

CVE-2024-36891

In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix mas_empty_area_rev() null pointer dereference Currently the code calls mas_start() followed by mas_data_end() if themaple state is MA_START, but mas_start() may return with the maple statenode == NULL. This will lea...

CVE-2024-36892

In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid zeroing outside-object freepointer for single free Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeingseparately") splits single and bulk object freeing in two functionsslab_free() and slab_free_bulk...

CVE-2024-36893

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Check for port partner validity before consuming it typec_register_partner() does not guarantee partner registrationto always succeed. In the event of failure, port->partner is setto the error value or NULL. Gi...

CVE-2024-36894

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeuepending USB requests submitted to the UDC. There is a scenario where theFFS applicatio...

CVE-2024-36895

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: use correct buffer size when parsing configfs lists This commit fixes uvc gadget support on 32-bit platforms. Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions forreuse") introduced a helper func...

CVE-2024-36896

In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix access violation during port device removal Testing with KASAN and syzkaller revealed a bug in port.c:disable_store():usb_hub_to_struct_hub() can return NULL if the hub that the port belongs tois concurrently removed...

CVE-2024-36897

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Atom Integrated System Info v2_2 for DCN35 New request from KMD/VBIOS in order to support new UMA carveoutmodel. This fixes a null dereference from accessingCtx->dc_bios->integrated_info while it was NULL. DA...

CVE-2024-36898

In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: fix uninitialised kfifo If a line is requested with debounce, and that results in debouncingin software, and the line is subsequently reconfigured to enable edgedetection then the allocation of the kfifo to contain e...

CVE-2024-36899

In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device fileis being closed by invoking gpio_chrdev_release(), watched_lines is freedby bitmap_free(), but t...

CVE-2024-36900

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when devlink reload during initialization The devlink reload process will access the hardware resources,but the register operation is done before the hardware is initialized.So, processing the devlink re...

CVE-2024-36901

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev()returns NULL in ip6_output(). Most places in IPv6 stackdeal with a NULL idev just fine, but not here. syzbot reported: general...

CVE-2024-36902

In the Linux kernel, the following vulnerability has been resolved: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() syzbot is able to trigger the following crash [1],caused by unsafe ip6_dst_idev() use. Indeed ip6_dst_idev() can return NULL, and must always be checked. [1] O...

CVE-2024-36903

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix potential uninit-value access in __ip6_make_skb() As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flagsinstead of testing HDR...

CVE-2024-36904

In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation fortimewait hashdan...

CVE-2024-36905

In the Linux kernel, the following vulnerability has been resolved: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets TCP_SYN_RECV state is really special, it is only used bycross-syn connections, mostly used by fuzzers. In the following crash [1], syzbot managed to trigger a divideby zer...

CVE-2024-36906

In the Linux kernel, the following vulnerability has been resolved: ARM: 9381/1: kasan: clear stale stack poison We found below OOB crash: [ 33.452494] ==================================================================[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+...

CVE-2024-36908

In the Linux kernel, the following vulnerability has been resolved: blk-iocost: do not WARN if iocg was already offlined In iocg_pay_debt(), warn is triggered if 'active_list' is empty, whichis intended to confirm iocg is active when it has debt. However, warncan be triggered during a blkcg or disk...

CVE-2024-36909

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resu...

CVE-2024-36910

In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is shared. Caller...

CVE-2024-36911

In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is shared. Callers nee...

CVE-2024-36912

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is ...

CVE-2024-36913

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memor...

CVE-2024-36914

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip on writeback when it's not applicable [WHY]dynamic memory safety error detector (KASAN) catches and generates errormessages "BUG: KASAN: slab-out-of-bounds" as writeback connector does notsupport certain featu...

CVE-2024-36915

In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies syzbot reported unsafe calls to copy_from_sockptr() [1] Use copy_safe_from_sockptr() instead. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h...

CVE-2024-36916

In the Linux kernel, the following vulnerability has been resolved: blk-iocost: avoid out of bounds shift UBSAN catches undefined behavior in blk-iocost, where sometimesiocg->delay is shifted right by a number that is too large,resulting in undefined behavior on some architectures. [ 186.556576]...

CVE-2024-36917

In the Linux kernel, the following vulnerability has been resolved: block: fix overflow in blk_ioctl_discard() There is no check for overflow of 'start + len' in blk_ioctl_discard().Hung task occurs if submit an discard ioctl with the following param:start = 0x80000000000ff000, len = 0x8000000000ff...

CVE-2024-36918

In the Linux kernel, the following vulnerability has been resolved: bpf: Check bloom filter map value size This patch adds a missing check to bloom filter creating, rejectingvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line withmany other map types. The lack of this protection can ca...

CVE-2024-36919

In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload The session resources are used by FW and driver when session is offloaded,once session is uploaded these resources are not used. The lock is notrequired as th...

CVE-2024-36920

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Avoid memcpy field-spanning write WARNING When the "storcli2 show" command is executed for eHBA-9600, mpi3mr driverprints this WARNING message: memcpy: detected field-spanning write (size 128) of single field "bsg_rep...

CVE-2024-36921

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: guard against invalid STA ID on removal Guard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that wouldresult in out-of-bounds array accesses. This prevents issues should thedriver get into a bad state ...

CVE-2024-36922

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: read txq->read_ptr under lock If we read txq->read_ptr without lock, we can read the samevalue twice, then obtain the lock, and reclaim from thereto two different places, but crucially reclaim the sameentry twi...

CVE-2024-36923

In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix uninitialized values during inode evict If an iget fails due to not being able to retrieve informationfrom the server then the inode structure is only partiallyinitialized. When the inode gets evicted, references tounini...

CVE-2024-36924

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() lpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes thehbalock. Thus, lpfc_worker_wake_up() should not be called while holding thehbalock to avoid p...

CVE-2024-36925

In the Linux kernel, the following vulnerability has been resolved: swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y Using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunctionwith dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the followingcrash when initialis...

CVE-2024-36926

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE At the time of LPAR boot up, partition firmware provides Open Firmwareproperty ibm,dma-window for the PE. This property is provided on the PCIbus the PE is attached...

CVE-2024-36927

In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix uninit-value access in __ip_make_skb() KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause arace condition. If calling setsock...

CVE-2024-36928

In the Linux kernel, the following vulnerability has been resolved: s390/qeth: Fix kernel panic after setting hsuid Symptom:When the hsuid attribute is set for the first time on an IQD Layer3device while the corresponding network interface is already UP,the kernel will try to execute a napi functio...

CVE-2024-36929

In the Linux kernel, the following vulnerability has been resolved: net: core: reject skb_copy(_expand) for fraglist GSO skbs SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they becomeinvalid. Return NULL if such an skb is passed to skb_copy orskb_copy_expand, in order to prevent a crash o...

CVE-2024-36930

In the Linux kernel, the following vulnerability has been resolved: spi: fix null pointer dereference within spi_sync If spi_sync() is called with the non-empty queue and the same spi_messageis then reused, the complete callback for the message remains set whilethe context is cleared, leading to a ...

CVE-2024-36931

In the Linux kernel, the following vulnerability has been resolved: s390/cio: Ensure the copied buf is NUL terminated Currently, we allocate a lbuf-sized kernel buffer and copy lbuf fromuserspace to that buffer. Later, we use scanf on this buffer but we don'tensure that the string is terminated ins...

CVE-2024-36932

In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Prevent use-after-free from occurring after cdev removal Since thermal_debug_cdev_remove() does not run under cdev->lock, it canrun in parallel with thermal_debug_cdev_state_update() and it may freethe struct th...

CVE-2024-36933

In the Linux kernel, the following vulnerability has been resolved: nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). syzbot triggered various splats (see [0] and links) by a crafted GSOpacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols: ETH_P_802...

CVE-2024-36934

In the Linux kernel, the following vulnerability has been resolved: bna: ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes fromuserspace to that buffer. Later, we use sscanf on this buffer but we don'tensure that the string is terminated ins...