Debian Linux-6.1 vulnerabilities

CVE-2024-45010 [MEDIUM] CVE-2024-45010: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ... In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark 'subflow' endp as available Adding the following warning ... WARN_ON_ONCE(msk->pm.local_addr_used == 0) ... before decrementing the local_addr_used counter helped to find a bug when running the "remove single address" subtest from the mptcp_join.sh selftests. Removing a 'signal'

CVE-2024-26595 [MEDIUM] CVE-2024-26595: linux - In the Linux kernel, the following vulnerability has been resolved: mlxsw: spec... In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'region->group->tcam' [1]. Fix by retrieving the 'tcam' pointer using mlx

CVE-2024-49958 [MEDIUM] CVE-2024-49958: linux - In the Linux kernel, the following vulnerability has been resolved: ocfs2: rese... In the Linux kernel, the following vulnerability has been resolved: ocfs2: reserve space for inline xattr before attaching reflink tree One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner

CVE-2024-45828 [MEDIUM] CVE-2024-45828: linux - In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i... In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request Bus cleanup path in DMA mode may trigger a RING_OP_STAT interrupt when the ring is being stopped. Depending on timing between ring stop request completion, interrupt handler removal and code execution this may lead to a NULL pointer de

CVE-2024-39507 [MEDIUM] CVE-2024-39507: linux - In the Linux kernel, the following vulnerability has been resolved: net: hns3: ... In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash problem in concurrent scenario When link status change, the nic driver need to notify the roce driver to handle this event, but at this time, the roce driver may uninit, then cause kernel crash. To fix the problem, when link status change, need to check whether the roce r

CVE-2024-50295 [MEDIUM] CVE-2024-50295: linux - In the Linux kernel, the following vulnerability has been resolved: net: arc: f... In the Linux kernel, the following vulnerability has been resolved: net: arc: fix the device for dma_map_single/dma_unmap_single The ndev->dev and pdev->dev aren't the same device, use ndev->dev.parent which has dma_mask, ndev->dev.parent is just pdev->dev. Or it would cause the following issue: [ 39.933526] ------------[ cut here ]------------ [ 39.938414] WARNING:

CVE-2024-56683 [MEDIUM] CVE-2024-56683: linux - In the Linux kernel, the following vulnerability has been resolved: drm/vc4: hd... In the Linux kernel, the following vulnerability has been resolved: drm/vc4: hdmi: Avoid hang with debug registers when suspended Trying to read /sys/kernel/debug/dri/1/hdmi1_regs when the hdmi is disconnected results in a fatal system hang. This is due to the pm suspend code disabling the dvp clock. That is just a gate of the 108MHz clock in DVP_HT_RPI_MISC_CONFIG,

CVE-2024-46742 [MEDIUM] CVE-2024-46742: linux - In the Linux kernel, the following vulnerability has been resolved: smb/server:... In the Linux kernel, the following vulnerability has been resolved: smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() null-ptr-deref will occur when (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) and parse_lease_state() return NULL. Fix this by check if 'lease_ctx_info' is NULL. Additionally, remove the redundant parentheses in parse_durable_handl

CVE-2024-57916 [MEDIUM] CVE-2024-57916: linux - In the Linux kernel, the following vulnerability has been resolved: misc: micro... In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling Resolve kernel panic caused by improper handling of IRQs while accessing GPIO values. This is done by replacing generic_handle_irq with handle_nested_irq. Scope: local bookworm: resolved (fixed in 6.1.128-1) bullseye: resolved

CVE-2024-56549 [MEDIUM] CVE-2024-56549: linux - In the Linux kernel, the following vulnerability has been resolved: cachefiles:... In the Linux kernel, the following vulnerability has been resolved: cachefiles: Fix NULL pointer dereference in object->file At present, the object->file has the NULL pointer dereference problem in ondemand-mode. The root cause is that the allocated fd and object->file lifetime are inconsistent, and the user-space invocation to anon_fd uses object->file. Following i

CVE-2024-46857 [MEDIUM] CVE-2024-46857: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: F... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix bridge mode operations when there are no VFs Currently, trying to set the bridge mode attribute when numvfs=0 leads to a crash: bridge link set dev eth2 hwmode vepa [ 168.967392] BUG: kernel NULL pointer dereference, address: 0000000000000030 [...] [ 168.969989] RIP: 0010:mlx5_add_flow

CVE-2024-50096 [MEDIUM] CVE-2024-50096: linux - In the Linux kernel, the following vulnerability has been resolved: nouveau/dme... In the Linux kernel, the following vulnerability has been resolved: nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error The `nouveau_dmem_copy_one` function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully. In the case of a copy error (e.g., firmware or hardware failure), the copy

CVE-2024-39505 [MEDIUM] CVE-2024-39505: linux - In the Linux kernel, the following vulnerability has been resolved: drm/komeda:... In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing. Scope: local bookworm: resolved (fixed in 6.1.99-1) bullseye: resolved (fixed in 5.10.221-1) forky: resolved (fixed in 6.

CVE-2024-43853 [MEDIUM] CVE-2024-43853: linux - In the Linux kernel, the following vulnerability has been resolved: cgroup/cpus... In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: Prevent UAF in proc_cpuset_show() An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc//cpuset repeatly. 3.$mount -t cgroup -

CVE-2024-47674 [MEDIUM] CVE-2024-47674: linux - In the Linux kernel, the following vulnerability has been resolved: mm: avoid l... In the Linux kernel, the following vulnerability has been resolved: mm: avoid leaving partial pfn mappings around in error case As Jann points out, PFN mappings are special, because unlike normal memory mappings, there is no lifetime information associated with the mapping - it is just a raw mapping of PFNs with no reference counting of a 'struct page'. That's all v

CVE-2024-47669 [MEDIUM] CVE-2024-47669: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix... In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 ("nilfs2: separate wait function from nilfs_segctor_write") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split

CVE-2024-56748 [MEDIUM] CVE-2024-56748: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qedf:... In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb() Hook "qed_ops->common->sb_init = qed_sb_init" does not release the DMA memory sb_virt when it fails. Add dma_free_coherent() to free it. This is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb(). Scope: local bookworm: reso

CVE-2024-50148 [MEDIUM] CVE-2024-50148: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bnep: fix wild-memory-access in proto_unregister There's issue as follows: KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f] CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W RIP: 0010:proto_unregister+0xee/0x400 Call Trace: __do_sys_delete_module+0x318/0x580 do_syscall_

CVE-2024-42296 [MEDIUM] CVE-2024-42296: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix r... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix return value of f2fs_convert_inline_inode() If device is readonly, make f2fs_convert_inline_inode() return EROFS instead of zero, otherwise it may trigger panic during writeback of inline inode's dirty page as below: f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888 f2fs_write_c

CVE-2024-53070 [MEDIUM] CVE-2024-53070: linux - In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: ... In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: fix fault at system suspend if device was already runtime suspended If the device was already runtime suspended then during system suspend we cannot access the device registers else it will crash. Also we cannot access any registers after dwc3_core_exit() on some platforms so move the dwc