USN-7100-2: Linux kernel vulnerabilities
Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a deni...
kernel: Bluetooth: ISO: Check socket flag instead of hcon
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Check socket flag instead of hcon. This fixes the following Smatch static checker warning: net/bluetooth/iso.c:1364 iso_sock_recvmsg() error: we previously assumed 'pi->conn->hcon' could be null line 1359...
kernel: tty: fix out-of-bounds access in tty_driver_lookup_tty()
An out-of-bounds access was found in the TTY subsystem. When an invalid console device is specified on the kernel command line (e.g., console=tty3270), the driver lookup returns a TTY struct with an invalid index, causing a crash during boot...
kernel: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
A flaw was found in the Linux kernel. A system error can be reliably replicated with specific filesystem settings, allowing an attacker to cause a denial of service...
kernel: md: Fix missing release of 'active_io' for flush
In the Linux kernel, the following vulnerability has been resolved: md: Fix missing release of 'active_io' for flush. The Linux kernel CVE team has assigned CVE-2024-27023 to this issue. Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024050105-CVE-2024-27023-4810@gregkh/T...
kernel: md/dm-raid: don't call md_reap_sync_thread() directly
A flaw was found in the md/dm-raid subsystem in the Linux kernel. If md_reap_sync_thread() is called directly, it could lead to potential misuse or system instability...
kernel: thermal: of: fix double-free on unregistration
A flaw was found in the Linux kernel's thermal subsystem. A double-free vulnerability occurs during thermal zone device unregistration when using device tree (OF) bindings. The thermal_of_zone_register() function leaks the original tzp structure and double-frees the internal copy, which can lead to memo...
kernel: keys: Fix overwrite of key expiration on instantiation
In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation. The expiry time of a key is unconditionally overwritten during instantiation, defaulting to turn it permanent. This causes a problem for DNS resolution as the expiration set ...
kernel: dm-raid: really frozen sync_thread during suspend
A hang flaw was found in the Linux kernel’s Raid MD subsystem. This flaw allows a local user to crash the system...
kernel: block: fix request.queuelist usage in flush
A vulnerability was found in the Linux kernel's block subsystem, where the issue arises when the request queue list is not properly initialized for the first request in the PREFLUSH/POSTFLUSH sequences, leading to potential kernel crashes due to improper list manipulation...
kernel: wifi: nl80211: reject iftype change with mesh ID change
CVE-2024-27410 is a vulnerability in the Linux kernel’s Wi-Fi subsystem, affecting the nl80211 interface. The issue occurs when a mesh ID is set while simultaneously switching the interface to mesh mode, which can overwrite critical data in the wireless device's configuration. This can lead to...
kernel: clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe
In the Linux kernel, the following vulnerability has been resolved: clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe. Use devm_of_iomap() instead of of_iomap() to automatically handle the unused ioremap region. If any error occurs, regions allocated by kzalloc() will leak, but using devm_kzalloc()...
kernel: tty: add the option to have a tty reject a new ldisc
A vulnerability was found in the Linux kernel's TTY subsystem, where the option to reject a new ldisc was improperly implemented, which can lead to a situation where the con_write() routine is called while holding a spinlock, potentially causing a sleep operation in an invalid context...
kernel: block: fix deadlock between bd_link_disk_holder and partition scan
A flaw was found in the Linux kernel, where a deadlock can occur between bd_link_disk_holder() and partition scan...
kernel: ASoC: SOF: Add some bounds checking to firmware data
A flaw was found in the Linux kernel. The following vulnerability has been resolved: ASoC: SOF: Add some bounds checking to firmware data...
kernel: packet: annotate data-races around ignore_outgoing
In the Linux kernel, the following vulnerability has been resolved: packet: annotate data-races around ignore_outgoing. ignore_outgoing is read locklessly from dev_queue_xmit_nit() and packet_getsockopt(). Add appropriate READ_ONCE()/WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in dev_queue_xmit_n...
kernel: dma: fix call order in dmam_free_coherent
A vulnerability was found in the Linux kernel's dma subsystem in the dmam_free_coherent() function, where a race condition is possible between the calls to dmam_free_coherent() and devres_destroy(), leading to a double entry in the devres list. This flaw could potentially lead to memory corruption or unexpect...
kernel: wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
A vulnerability was found in the cfg80211 component in the Linux kernel, where a lack of proper range validation applied to NL80211_ATTR_TXQ_QUANTUM can lead to a scenario where userspace passes an extremely high value that the kernel is not designed to handle efficiently (ex. 2^31). This can...
kernel: wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he(). Currently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in cfg80211_calculate_bitrate_he(), leading to below warning: kernel: invalid HE MCS: bw:6, ru:6 kernel:...
kernel: mmc: core: use sysfs_emit() instead of sprintf()
No description is available for this CVE...