Debian Linux vulnerabilities
9,911 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362
Vulnerabilities
CVE-2024-35969 | MEDIUM | CVSS 5.5 | CWE-770 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it
still means hlist_for_each_entry_rcu can return an item that got removed
from the list. The memory itself of such item is not freed thanks to RCU
nvd
CVE-2024-35973 | MEDIUM | CVSS 5.5 | CWE-908 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
geneve: fix header validation in geneve[6]_xmit_skb
syzbot is able to trigger an uninit-value in geneve_xmit() [1]
Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())
uses skb_protocol(skb, true), pskb_inet_may_pull() is only using
skb->protocol.
If anything el
nvd
CVE-2024-35988 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
riscv: Fix TASK_SIZE on 64-bit NOMMU
On NOMMU, userspace memory can come from anywhere in physical RAM. The
current definition of TASK_SIZE is wrong if any RAM exists above 4G,
causing spurious failures in the userspace access routines.
nvd
CVE-2024-35996 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
cpu: Re-enable CPU mitigations by default for !X86 architectures
Rename x86's to CPU_MITIGATIONS, define it in generic code, and force it
on for all architectures exception x86. A recent commit to turn
mitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta
missed that "cpu_mit
nvd
CVE-2024-36005 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: honor table dormant flag from netdev release event path
Check for table dormant flag otherwise netdev release event path tries
to unregister an already unregistered hook.
[524854.857999] ------------[ cut here ]------------
[524854.858010] WARNING: CPU: 0 PID: 33865
nvd
CVE-2024-36007 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_tcam: Fix warning during rehash
As previously explained, the rehash delayed work migrates filters from
one region to another. This is done by iterating over all chunks (all
the filters with the same priority) in the region and in each chunk
iterating over all the filte
nvd
CVE-2024-35950 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
drm/client: Fully protect modes[] with dev->mode_config.mutex
The modes[] array contains pointers to modes on the connectors'
mode lists, which are protected by dev->mode_config.mutex.
Thus we need to extend modes[] the same protection or by the
time we use it the elements may already be
nvd
CVE-2024-36004 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-20
In the Linux kernel, the following vulnerability has been resolved:
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
Issue reported by customer during SRIOV testing, call trace:
When both i40e and the i40iw driver are loaded, a warning
in check_flush_dependency is being triggered. This seems
to be because of the i40e driver workqueue is allocated with
t
nvd
CVE-2024-35867 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in cifs_stats_proc_show()
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
nvd
CVE-2024-35866 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in cifs_dump_full_key()
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
nvd
CVE-2024-35905 | HIGH | CVSS 7.8 | CWE-129 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
bpf: Protect against int overflow for stack access size
This patch re-introduces protection against the size of access to stack
memory being negative; the access size can appear negative as a result
of overflowing its signed int representation. This should not actually
happen, as th
nvd
CVE-2024-35886 | HIGH | CVSS 7.8 | CWE-674 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix infinite recursion in fib6_dump_done().
syzkaller reported infinite recursive calls of fib6_dump_done() during
netlink socket destruction. [1]
From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
the response was generated. The following recvmmsg() res
nvd
CVE-2024-35896 | HIGH | CVSS 7.1 | CWE-125 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
netfilter: validate user input for expected length
I got multiple syzbot reports showing old bugs exposed
by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc
in cgroup/{s,g}etsockopt")
setsockopt() @optlen argument should be taken into account
before copying data.
BUG: KAS
nvd
CVE-2024-35871 | HIGH | CVSS 7.1 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
riscv: process: Fix kernel gp leakage
childregs represents the registers which are active for the new thread
in user context. For a kernel thread, childregs->gp is never used since
the kernel gp is not touched by switch_to. For a user mode helper, the
gp value can be observed in user space
nvd
CVE-2024-35910 | MEDIUM | CVSS 5.8 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
tcp: properly terminate timers for kernel sockets
We had various syzbot reports about tcp timers firing after
the corresponding netns has been dismantled.
Fortunately Josef Bacik could trigger the issue more often,
and could test a patch I wrote two years ago.
When TCP sockets are closed
nvd
CVE-2024-35893 | MEDIUM | CVSS 5.5 | CWE-908 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_skbmod: prevent kernel-infoleak
syzbot found that tcf_skbmod_dump() was copying four bytes
from kernel stack to user space [1].
The issue here is that 'struct tc_skbmod' has a four bytes hole.
We need to clear the structure before filling fields.
[1]
BUG: KMSAN: k
nvd
CVE-2024-35915 | MEDIUM | CVSS 5.5 | CWE-908 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
syzbot reported the following uninit-value access issue [1][2]:
nci_rx_work() parses and processes received packet. When the payload
length is zero, each message type handler reads uninitialized payload
and KMSAN detects
nvd
CVE-2024-35944 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
WARNING: CPU: 0 PID: 1555 at drivers/mi
nvd
CVE-2024-35895 | MEDIUM | CVSS 5.5 | CWE-667 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
syzkaller started using corpuses where a BPF tracing program deletes
elements from a sockmap/sockhash map. Because BPF tracing programs can be
invoked from any interrupt context, locks taken during a map_delete_elem
nvd
CVE-2024-35922 | MEDIUM | CVSS 5.5 | CWE-369 | v10.0 | 2024-05-19
In the Linux kernel, the following vulnerability has been resolved:
fbmon: prevent division by zero in fb_videomode_from_videomode()
The expression htotal * vtotal can have a zero value on
overflow. It is necessary to prevent division by zero like in
fb_var_to_videomode().
Found by Linux Verification Center (linuxtesting.org) with Svace.
nvd