Debian Linux-6.1 vulnerabilities

CVE-2024-47684 [MEDIUM] CVE-2024-47684: linux - In the Linux kernel, the following vulnerability has been resolved: tcp: check ... In the Linux kernel, the following vulnerability has been resolved: tcp: check skb is non-NULL in tcp_rto_delta_us() We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting

CVE-2024-50199 [MEDIUM] CVE-2024-50199: linux - In the Linux kernel, the following vulnerability has been resolved: mm/swapfile... In the Linux kernel, the following vulnerability has been resolved: mm/swapfile: skip HugeTLB pages for unuse_vma I got a bad pud error and lost a 1GB HugeTLB when calling swapoff. The problem can be reproduced by the following steps: 1. Allocate an anonymous 1GB HugeTLB and some other anonymous memory. 2. Swapout the above anonymous memory. 3. run swapoff and we wi

CVE-2024-56709 [MEDIUM] CVE-2024-56709: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring: c... In the Linux kernel, the following vulnerability has been resolved: io_uring: check if iowq is killed before queuing task work can be executed after the task has gone through io_uring termination, whether it's the final task_work run or the fallback path. In this case, task work will find ->io_wq being already killed and null'ed, which is a problem if it then tries

CVE-2024-49934 [MEDIUM] CVE-2024-49934: linux - In the Linux kernel, the following vulnerability has been resolved: fs/inode: P... In the Linux kernel, the following vulnerability has been resolved: fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name It's observed that a crash occurs during hot-remove a memory device, in which user is accessing the hugetlb. See calltrace as following: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 d

CVE-2024-53119 [MEDIUM] CVE-2024-53119: linux - In the Linux kernel, the following vulnerability has been resolved: virtio/vsoc... In the Linux kernel, the following vulnerability has been resolved: virtio/vsock: Fix accept_queue memory leak As the final stages of socket destruction may be delayed, it is possible that virtio_transport_recv_listen() will be called after the accept_queue has been flushed, but before the SOCK_DONE flag has been set. As a result, sockets enqueued after the flush wo

CVE-2024-53125 [MEDIUM] CVE-2024-53125: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: sync_l... In the Linux kernel, the following vulnerability has been resolved: bpf: sync_linked_regs() must preserve subreg_def Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set: 0: call bpf_ktime_get_ns call bpf_ktime_get_ns 1: r0 &= 0x7fffffff after verifier r0 &= 0x7f

CVE-2024-57883 [MEDIUM] CVE-2024-57883: linux - In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb... In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by t

CVE-2024-42068 [MEDIUM] CVE-2024-42068: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Take r... In the Linux kernel, the following vulnerability has been resolved: bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro() set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Scope: local bookworm: resolved (fixed in 6.1.98-1) bullseye: open forky: resolved (fixed in 6.9.8-1) sid: resolved

CVE-2024-47735 [MEDIUM] CVE-2024-47735: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: F... In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled Fix missuse of spin_lock_irq()/spin_unlock_irq() when spin_lock_irqsave()/spin_lock_irqrestore() was hold. This was discovered through the lock debugging, and the corresponding log is as follows: raw_local_irq_restore() called with IRQs

CVE-2024-56726 [MEDIUM] CVE-2024-56726: linux - In the Linux kernel, the following vulnerability has been resolved: octeontx2-p... In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c Add error pointer check after calling otx2_mbox_get_rsp(). Scope: local bookworm: resolved (fixed in 6.1.123-1) bullseye: resolved forky: resolved (fixed in 6.12.3-1) sid: resolved (fixed in 6.12.3-1) trixie: resolved (fixed in 6.12.3-1)

CVE-2024-42063 [MEDIUM] CVE-2024-42063: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Mark b... In the Linux kernel, the following vulnerability has been resolved: bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode syzbot reported uninit memory usages during map_{lookup,delete}_elem. ========== BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline] BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kerne

CVE-2024-53136 [MEDIUM] CVE-2024-53136: linux - In the Linux kernel, the following vulnerability has been resolved: mm: revert ... In the Linux kernel, the following vulnerability has been resolved: mm: revert "mm: shmem: fix data-race in shmem_getattr()" Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over NFS. As Hugh commented, "added just to silence a syzbot sanitizer splat: added where there has nev

CVE-2024-49962 [MEDIUM] CVE-2024-49962: linux - In the Linux kernel, the following vulnerability has been resolved: ACPICA: che... In the Linux kernel, the following vulnerability has been resolved: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause NULL pointer dereference later. [ rjw: Subject and changelog edits ] Scope: local bookworm

CVE-2024-56727 [MEDIUM] CVE-2024-56727: linux - In the Linux kernel, the following vulnerability has been resolved: octeontx2-p... In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c Adding error pointer check after calling otx2_mbox_get_rsp(). Scope: local bookworm: resolved (fixed in 6.1.123-1) bullseye: resolved forky: resolved (fixed in 6.12.3-1) sid: resolved (fixed in 6.12.3-1) trixie: resolved (fixed in 6.12.3-

CVE-2024-42224 [MEDIUM] CVE-2024-42224: linux - In the Linux kernel, the following vulnerability has been resolved: net: dsa: m... In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being

CVE-2024-53055 [MEDIUM] CVE-2024-53055: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwi... In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix 6 GHz scan construction If more than 255 colocated APs exist for the set of all APs found during 2.4/5 GHz scanning, then the 6 GHz scan construction will loop forever since the loop variable has type u8, which can never reach the number found when that's bigger than 255, and

CVE-2024-56769 [MEDIUM] CVE-2024-56769: linux - In the Linux kernel, the following vulnerability has been resolved: media: dvb-... In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Syzbot reports [1] an uninitialized value issue found by KMSAN in dib3000_read_reg(). Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case that call fails, the buffer may end up with some undefined values. Since no

CVE-2024-42157 [MEDIUM] CVE-2024-42157: linux - In the Linux kernel, the following vulnerability has been resolved: s390/pkey: ... In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe sensitive data on failure Wipe sensitive data from stack also if the copy_to_user() fails. Scope: local bookworm: resolved (fixed in 6.1.98-1) bullseye: resolved (fixed in 5.10.223-1) forky: resolved (fixed in 6.9.9-1) sid: resolved (fixed in 6.9.9-1) trixie: resolved (fixed in 6.9.9

CVE-2024-44991 [MEDIUM] CVE-2024-44991: linux - In the Linux kernel, the following vulnerability has been resolved: tcp: preven... In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from a task that failed to clone a new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'fa

CVE-2024-46707 [MEDIUM] CVE-2024-46707: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64:... In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 On a system with a GICv3, if a guest hasn't been configured with GICv3 and that the host is not capable of GICv2 emulation, a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. We therefore try to emulate the SGI access, onl