258 matches found
CVE-2024-26618
In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Always exit sme_alloc() early with existing storage When sme_alloc() is called with existing storage and we are not flushing wewill always allocate new storage, both leaking the existing storage andcorrupting the state. ...
CVE-2023-52489
In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memoryregion with the system memory configuration where PFN's are such that[ZONE_NORMAL ZONE_DEVICE ZONE_N...
CVE-2023-52488
In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: convert from raw to noinc regmap functions for FIFO The SC16IS7XX IC supports a burst mode to access the FIFOs where theinitial register address is sent ($00), followed by all the FIFO datawithout having to resen...
CVE-2024-26643
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it tocollect elements from anonymous sets with timeouts while it is beingreleased from ...
CVE-2024-26620
In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: always filter entire AP matrix The vfio_ap_mdev_filter_matrix function is called whenever a new adapter ordomain is assigned to the mdev. The purpose of the function is to updatethe guest's AP configuration by filteri...
CVE-2023-52494
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Add alignment check for event ring read pointer Though we do check the event ring read pointer by "is_valid_ring_ptr"to make sure it is in the buffer range, but there is another risk thepointer may be not aligned. S...
CVE-2023-52495
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix port sanity check The PMIC GLINK altmode driver currently supports at most two ports. Fix the incomplete port sanity check on notifications to avoidaccessing and corrupting memory beyond the port ...
CVE-2024-26642
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this.Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.
CVE-2023-52486
In the Linux kernel, the following vulnerability has been resolved: drm: Don't unref the same fb many times by mistake due to deadlock handling If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()we proceed to unref the fb and then retry the whole thing from the top.But we forget ...
CVE-2023-52497
In the Linux kernel, the following vulnerability has been resolved: erofs: fix lz4 inplace decompression Currently EROFS can map another compressed buffer for inplacedecompression, that was used to handle the cases that some pages ofcompressed data are actually not in-place I/O. However, like most ...
CVE-2024-26621
In the Linux kernel, the following vulnerability has been resolved: mm: huge_memory: don't force huge page alignment on 32 bit commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THPboundaries") caused two issues [1] [2] reported on 32 bit system or compatuserspace. It doesn't make too muc...
CVE-2023-52490
In the Linux kernel, the following vulnerability has been resolved: mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle kernel NULL pointer dereference at virtual address 00000000000000...
CVE-2024-26610
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means thatif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is inbytes, we'll write past the buffer.
CVE-2024-26619
In the Linux kernel, the following vulnerability has been resolved: riscv: Fix module loading free order Reverse order of kfree calls to resolve use-after-free error.
CVE-2024-26615
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproducedby following steps: run nginx/wrk test:smc_run nginxsmc_run wrk -t 16 -c 1000 -d -H 'Connection: C...
CVE-2024-26617
In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: move mmu notification mechanism inside mm lock Move mmu notification mechanism inside mm lock to prevent race conditionin other components which depend on it. The notifier will invalidatememory range. Depending up...
CVE-2023-52498
In the Linux kernel, the following vulnerability has been resolved: PM: sleep: Fix possible deadlocks in core system-wide PM code It is reported that in low-memory situations the system-wide resume corecode deadlocks, because async_schedule_dev() executes its argumentfunction synchronously if it ca...
CVE-2024-26611
In the Linux kernel, the following vulnerability has been resolved: xsk: fix usage of multi-buffer BPF helpers for ZC XDP Currently when packet is shrunk via bpf_xdp_adjust_tail() and memorytype is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens: [1136314.192256] BUG: kernel NULL pointe...
CVE-2024-26616
In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned [BUG]There is a bug report that, on a ext4-converted btrfs, scrub leads tovarious problems, including: "unable to find chunk map" errorsBTRFS info (device vdb)...
CVE-2023-52493
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Drop chan lock before queuing buffers Ensure read and write locks for the channel are not taken in succession bydropping the read lock from parse_xfer_event() such that a callback givento client can potentially queu...
CVE-2023-52491
In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound withmtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens inmtk_...
CVE-2023-52487
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix peer flow lists handling The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUPflag when list of peer flows has become empty. However, if any concurrentuser holds a reference to a peer flow (for e...
CVE-2023-52587
In the Linux kernel, the following vulnerability has been resolved: IB/ipoib: Fix mcast list locking Releasing the priv->lock while iterating the priv->multicast_list inipoib_mcast_join_task() opens a window for ipoib_mcast_dev_flush() toremove the items while in the middle of iteration. If t...
CVE-2023-52583
In the Linux kernel, the following vulnerability has been resolved: ceph: fix deadlock or deadcode of misusing dget() The lock order is incorrect between denty and its parent, we shouldalways make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will...
CVE-2024-26614
In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the followingissue:pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!WARNING: CPU: 19 PID: 21160 at __pv_qu...
CVE-2024-26608
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net:qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer findsanother global out-of-bounds read for policy ksmbd_nl...
CVE-2023-52492
In the Linux kernel, the following vulnerability has been resolved: dmaengine: fix NULL pointer in channel unregistration function __dma_async_device_channel_register() can fail. In case of failure,chan->local is freed (with free_percpu()), and chan->local is nullified.When dma_async_device_u...
CVE-2024-26612
In the Linux kernel, the following vulnerability has been resolved: netfs, fscache: Prevent Oops in fscache_put_cache() This function dereferences "cache" and then checks if it'sIS_ERR_OR_NULL(). Check first, then dereference.
CVE-2021-47069
In the Linux kernel, the following vulnerability has been resolved: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry do_mq_timedreceive calls wq_sleep with a stack local address. Thesender (do_mq_timedsend) uses this address to later call pipelined_send. This leads to a very...
CVE-2021-47072
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix removed dentries still existing after log is synced When we move one inode from one directory to another and both the inodeand its previous parent directory were logged before, we are not supposedto have the dentry for t...
CVE-2024-26625
In the Linux kernel, the following vulnerability has been resolved: llc: call sock_orphan() at release time syzbot reported an interesting trace [1] caused by a stale sk->sk_wqpointer in a closed llc socket. In commit ff7b11aa481f ("net: socket: set sock->sk to NULL aftercalling proto_ops::re...
CVE-2024-26622
In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write()of long lines is requested, we need to fetch head->write_buf afterhead->io_sem is held. Otherwise, concur...
CVE-2023-52603
In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9index -2 is out of range for type '...
CVE-2023-52600
In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has beenreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurswhen rcu_core() calls jfs_free_node(). There...
CVE-2024-26626
In the Linux kernel, the following vulnerability has been resolved: ipmr: fix kernel panic when forwarding mcast packets The stacktrace was:[ 86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092[ 86.306815] #PF: supervisor read access in kernel mode[ 86.307717] #PF: error_code...
CVE-2023-52604
In the Linux kernel, the following vulnerability has been resolved: FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Syzkaller reported the following issue: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')CPU: ...
CVE-2021-47079
In the Linux kernel, the following vulnerability has been resolved: platform/x86: ideapad-laptop: fix a NULL pointer dereference The third parameter of dytc_cql_command should not be NULL since it willbe dereferenced immediately.
CVE-2021-47081
In the Linux kernel, the following vulnerability has been resolved: habanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory Our code analyzer reported a uaf. In gaudi_memset_device_memory, cb is get via hl_cb_kernel_create()with 2 refcount.If hl_cs_allocate_job() failed, the ...
CVE-2023-52601
In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in dbAdjTree Currently there is a bound check missing in the dbAdjTree whileaccessing the dmt_stree. To add the required check added the bool is_ctlwhich is required to determine the size as sugge...
CVE-2023-52585
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Return invalid error code -EINVAL for invalid block id. Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status...
CVE-2023-52620
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow timeout for anonymous sets Never used from userspace, disallow these parameters.
CVE-2024-26627
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with hostlock every time for deciding if error handler kthread needs to be waken up. This can...
CVE-2023-52602
In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds Read in dtSearch Currently while searching for current page in the sorted entry tableof the page there is a out of bound access. Added a bound check to fixthe error. Dave:Set return code to -EIO
CVE-2023-52594
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bugoccurs when txs->cnt, data from a URB provided by a USB device, isbigger tha...
CVE-2023-52595
In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00: restart beacon queue when hardware reset When a hardware reset is triggered, all registers are reset, so allqueues are forced to stop in hardware interface. However, mac80211will not automatically stop the queue. If w...
CVE-2023-52614
In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size ofPAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exi...
CVE-2023-52606
In the Linux kernel, the following vulnerability has been resolved: powerpc/lib: Validate size for vector operations Some of the fp/vmx code in sstep.c assume a certain maximum size for theinstructions being emulated. The size of those operations however isdetermined separately in analyse_instr(). ...
CVE-2023-52619
In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Fix crash when setting number of cpus to an odd number When the number of cpu cores is adjusted to 7 or other odd numbers,the zone size will become an odd number.The address of the zone will become:addr of zone0 = BASEa...
CVE-2023-52615
In the Linux kernel, the following vulnerability has been resolved: hwrng: core - Fix page fault dead lock on mmap-ed hwrng There is a dead-lock in the hwrng device read path. This triggerswhen the user reads from /dev/hwrng into memory also mmap-ed from/dev/hwrng. The resulting page fault triggers...
CVE-2022-48627
In the Linux kernel, the following vulnerability has been resolved: vt: fix memory overlapping when deleting chars in the buffer A memory overlapping copy occurs when deleting a long line. This memoryoverlapping copy can cause data corruption when scr_memcpyw is optimizedto memcpy because memcpy do...