Debian Linux-6.1 vulnerabilities

CVE-2024-42277 [MEDIUM] CVE-2024-42277: linux - In the Linux kernel, the following vulnerability has been resolved: iommu: sprd... In the Linux kernel, the following vulnerability has been resolved: iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en In sprd_iommu_cleanup() before calling function sprd_iommu_hw_en() dom->sdev is equal to NULL, which leads to null dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE. Scope: local bookworm: resolved (fixed in 6.1.106-1) bul

CVE-2024-50010 [MEDIUM] CVE-2024-50010: linux - In the Linux kernel, the following vulnerability has been resolved: exec: don't... In the Linux kernel, the following vulnerability has been resolved: exec: don't WARN for racy path_noexec check Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact of the previous implementation. They used to legitimately check for the condition, but that got moved up in two commits: 633fb6ac3980 ("exec: move S_ISREG() check earlier") 0fd338b2d2cd

CVE-2024-46751 [MEDIUM] CVE-2024-46751: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: don'... In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message. Scope: local bookworm: resolved (fixed in 6.1.140-1) bullseye: resolved (fixed in 5.10.244-1) forky: r

CVE-2024-58061 [MEDIUM] CVE-2024-58061: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80... In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: prohibit deactivating all links In the internal API this calls this is a WARN_ON, but that should remain since internally we want to know about bugs that may cause this. Prevent deactivating all links in the debugfs write directly. Scope: local bookworm: resolved (fixed in 6.1.129-1)

CVE-2024-49955 [MEDIUM] CVE-2024-49955: linux - In the Linux kernel, the following vulnerability has been resolved: ACPI: batte... In the Linux kernel, the following vulnerability has been resolved: ACPI: battery: Fix possible crash when unregistering a battery hook When a battery hook returns an error when adding a new battery, then the battery hook is automatically unregistered. However the battery hook provider cannot know that, so it will later call battery_hook_unregister() on the already

CVE-2024-41080 [MEDIUM] CVE-2024-41080: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring: f... In the Linux kernel, the following vulnerability has been resolved: io_uring: fix possible deadlock in io_register_iowq_max_workers() The io_register_iowq_max_workers() function calls io_put_sq_data(), which acquires the sqd->lock without releasing the uring_lock. Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock before acquiring sqd->lock"), this

CVE-2024-46819 [MEDIUM] CVE-2024-46819: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu:... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: the warning dereferencing obj for nbio_v7_4 if ras_manager obj null, don't print NBIO err data Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.9-1) sid: resolved (fixed in 6.10.9-1) trixie: resolved (fixed in 6.

CVE-2024-35870 [MEDIUM] CVE-2024-35870: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in smb2_reconnect_server() The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another

CVE-2024-50287 [MEDIUM] CVE-2024-50287: linux - In the Linux kernel, the following vulnerability has been resolved: media: v4l2... In the Linux kernel, the following vulnerability has been resolved: media: v4l2-tpg: prevent the risk of a division by zero As reported by Coverity, the logic at tpg_precalculate_line() blindly rescales the buffer even when scaled_witdh is equal to zero. If this ever happens, this will cause a division by zero. Instead, add a WARN_ON_ONCE() to trigger such cases and

CVE-2024-49954 [MEDIUM] CVE-2024-49954: linux - In the Linux kernel, the following vulnerability has been resolved: static_call... In the Linux kernel, the following vulnerability has been resolved: static_call: Replace pointless WARN_ON() in static_call_module_notify() static_call_module_notify() triggers a WARN_ON(), when memory allocation fails in __static_call_add_module(). That's not really justified, because the failure case must be correctly handled by the well known call chain and the e

CVE-2024-42131 [MEDIUM] CVE-2024-42131: linux - In the Linux kernel, the following vulnerability has been resolved: mm: avoid o... In the Linux kernel, the following vulnerability has been resolved: mm: avoid overflows in dirty throttling logic The dirty throttling logic is interspersed with assumptions that dirty limits in PAGE_SIZE units fit into 32-bit (so that various multiplications fit into 64-bits). If limits end up being larger, we will hit overflows, possible divisions by 0 etc. Fix th

CVE-2024-53063 [MEDIUM] CVE-2024-53063: linux - In the Linux kernel, the following vulnerability has been resolved: media: dvbd... In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: prevent the risk of out of memory access The dvbdev contains a static variable used to store dvb minors. The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set, dvb_register_device() won't check for boundaries, as it will rely that a previous call to dvb_r

CVE-2024-44968 [MEDIUM] CVE-2024-44968: linux - In the Linux kernel, the following vulnerability has been resolved: tick/broadc... In the Linux kernel, the following vulnerability has been resolved: tick/broadcast: Move per CPU pointer access into the atomic section The recent fix for making the take over of the broadcast timer more reliable retrieves a per CPU pointer in preemptible context. This went unnoticed as compilers hoist the access into the non-preemptible region where the pointer is

CVE-2024-56645 [MEDIUM] CVE-2024-56645: linux - In the Linux kernel, the following vulnerability has been resolved: can: j1939:... In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_session_new(): fix skb reference counting Since j1939_session_skb_queue() does an extra skb_get() for each new skb, do the same for the initial one in j1939_session_new() to avoid refcount underflow. [mkl: clean up commit message] Scope: local bookworm: resolved (fixed in 6.1.123-1

CVE-2024-50259 [MEDIUM] CVE-2024-50259: linux - In the Linux kernel, the following vulnerability has been resolved: netdevsim: ... In the Linux kernel, the following vulnerability has been resolved: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() This was found by a static analyzer. We should not forget the trailing zero after copy_from_user() if we will further do some string operations, sscanf() in this case. Adding a trailing zero will ensure that

CVE-2024-39484 [MEDIUM] CVE-2024-39484: linux - In the Linux kernel, the following vulnerability has been resolved: mmc: davinc... In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performe

CVE-2024-41056 [MEDIUM] CVE-2024-41056: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: c... In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files Use strnlen() instead of strlen() on the algorithm and coefficient name string arrays in V1 wmfw files. In V1 wmfw files the name is a NUL-terminated string in a fixed-size array. cs_dsp should protect against overrunning the array if t

CVE-2024-46745 [MEDIUM] CVE-2024-46745: linux - In the Linux kernel, the following vulnerability has been resolved: Input: uinp... In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request i

CVE-2024-42288 [MEDIUM] CVE-2024-42288: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qla2x... In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix for possible memory corruption Init Control Block is dereferenced incorrectly. Correctly dereference ICB Scope: local bookworm: resolved (fixed in 6.1.106-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.3-1) sid: resolved (fixed in 6.10.3-1) trixie: reso

CVE-2024-49961 [MEDIUM] CVE-2024-49961: linux - In the Linux kernel, the following vulnerability has been resolved: media: i2c:... In the Linux kernel, the following vulnerability has been resolved: media: i2c: ar0521: Use cansleep version of gpiod_set_value() If we use GPIO reset from I2C port expander, we must use *_cansleep() variant of GPIO functions. This was not done in ar0521_power_on()/ar0521_power_off() functions. Let's fix that. ------------[ cut here ]------------ WARNING: CPU: 0 PID