Debian Linux-6.1 vulnerabilities

CVE-2024-44990 [MEDIUM] CVE-2024-44990: linux - In the Linux kernel, the following vulnerability has been resolved: bonding: fi... In the Linux kernel, the following vulnerability has been resolved: bonding: fix null pointer deref in bond_ipsec_offload_ok We must check if there is an active slave before dereferencing the pointer. Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.7-1) sid: resolved (fixed in 6.10.7-1) tri

CVE-2024-39298 [MEDIUM] CVE-2024-39298: linux - In the Linux kernel, the following vulnerability has been resolved: mm/memory-f... In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages When I did memory failure tests recently, below panic occurs: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00 flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff) raw: 06fffe0000000000 de

CVE-2024-56557 [MEDIUM] CVE-2024-56557: linux - In the Linux kernel, the following vulnerability has been resolved: iio: adc: a... In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer The AD7923 was updated to support devices with 8 channels, but the size of tx_buf and ring_xfer was not increased accordingly, leading to a potential buffer overflow in ad7923_update_scan_mode(). Scope: local bookworm: resolved (fixed in

CVE-2024-53229 [MEDIUM] CVE-2024-53229: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: F... In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the qp flush warnings in req When the qp is in error state, the status of WQEs in the queue should be set to error. Or else the following will appear. [ 920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.617744] Mo

CVE-2024-49890 [MEDIUM] CVE-2024-49890: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm:... In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: ensure the fw_info is not null before using it This resolves the dereference null return value warning reported by Coverity. Scope: local bookworm: resolved (fixed in 6.1.115-1) bullseye: resolved (fixed in 5.10.234-1) forky: resolved (fixed in 6.11.4-1) sid: resolved (fixed in 6.11.4-1)

CVE-2024-42154 [MEDIUM] CVE-2024-42154: linux - In the Linux kernel, the following vulnerability has been resolved: tcp_metrics... In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated). Scope: local bookworm: resolved (fixed in 6.1.98-1

CVE-2024-26783 [MEDIUM] CVE-2024-26783: linux - In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: ... In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index With numa balancing on, when a numa system is running where a numa node doesn't have its local memory so it has no managed zones, the following oops has been observed. It's because wakeup_kswapd() is called with a wrong zone index,

CVE-2024-47709 [MEDIUM] CVE-2024-47709: linux - In the Linux kernel, the following vulnerability has been resolved: can: bcm: C... In the Linux kernel, the following vulnerability has been resolved: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). syzbot reported a warning in bcm_release(). [0] The blamed change fixed another warning that is triggered when connect() is issued again for a socket whose connect()ed device has been unregistered. However, if the socket is just close()d w

CVE-2024-44982 [MEDIUM] CVE-2024-44982: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu... In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails If the dpu_format_populate_layout() fails, then FB is prepared, but not cleaned up. This ends up leaking the pin_count on the GEM object and causes a splat during DRM file closure: msm_obj->pin_count WARNING: CPU: 2 PID: 569 at drivers/gpu/

CVE-2024-49946 [MEDIUM] CVE-2024-49946: linux - In the Linux kernel, the following vulnerability has been resolved: ppp: do not... In the Linux kernel, the following vulnerability has been resolved: ppp: do not assume bh is held in ppp_channel_bridge_input() Networking receive path is usually handled from BH handler. However, some protocols need to acquire the socket lock, and packets might be stored in the socket backlog is the socket was owned by a user process. In this case, release_sock(),

CVE-2024-50002 [MEDIUM] CVE-2024-50002: linux - In the Linux kernel, the following vulnerability has been resolved: static_call... In the Linux kernel, the following vulnerability has been resolved: static_call: Handle module init failure correctly in static_call_del_module() Module insertion invokes static_call_add_module() to initialize the static calls in a module. static_call_add_module() invokes __static_call_init(), which allocates a struct static_call_mod to either encapsulate the built-

CVE-2024-53241 [MEDIUM] CVE-2024-53241: linux - In the Linux kernel, the following vulnerability has been resolved: x86/xen: do... In the Linux kernel, the following vulnerability has been resolved: x86/xen: don't do PV iret hypercall through hypercall page Instead of jumping to the Xen hypercall page for doing the iret hypercall, directly code the required sequence in xen-asm.S. This is done in preparation of no longer using hypercall page at all, as it has shown to cause problems with specula

CVE-2024-45028 [MEDIUM] CVE-2024-45028: linux - In the Linux kernel, the following vulnerability has been resolved: mmc: mmc_te... In the Linux kernel, the following vulnerability has been resolved: mmc: mmc_test: Fix NULL dereference on allocation failure If the "test->highmem = alloc_pages()" allocation fails then calling __free_pages(test->highmem) will result in a NULL dereference. Also change the error code to -ENOMEM instead of returning success. Scope: local bookworm: resolved (fixed in

CVE-2024-43854 [MEDIUM] CVE-2024-43854: linux - In the Linux kernel, the following vulnerability has been resolved: block: init... In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI meta

CVE-2024-40981 [MEDIUM] CVE-2024-40981: linux - In the Linux kernel, the following vulnerability has been resolved: batman-adv:... In the Linux kernel, the following vulnerability has been resolved: batman-adv: bypass empty buckets in batadv_purge_orig_ref() Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1] Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports. [1] watchdog: BUG: soft lockup - CPU#0 stuck for

CVE-2024-49977 [MEDIUM] CVE-2024-49977: linux - In the Linux kernel, the following vulnerability has been resolved: net: stmmac... In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix zero-division error when disabling tc cbs The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider when offload is disabled") allows the "port_transmit_rate_kbps" to be set to a value of 0, which is then passed to the "div_s64" function when tc-cbs is disabled. This

CVE-2024-53210 [MEDIUM] CVE-2024-53210: linux - In the Linux kernel, the following vulnerability has been resolved: s390/iucv: ... In the Linux kernel, the following vulnerability has been resolved: s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() Passing MSG_PEEK flag to skb_recv_datagram() increments skb refcount (skb->users) and iucv_sock_recvmsg() does not decrement skb refcount at exit. This results in skb memory leak in skb_queue_purge() and WARN_ON in iucv_sock_destruct() d

CVE-2024-47707 [MEDIUM] CVE-2024-47707: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid... In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Blamed commit accidentally removed a check for rt->rt6i_idev being NULL, as spotted by syzbot: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref

CVE-2024-47705 [MEDIUM] CVE-2024-47705: linux - In the Linux kernel, the following vulnerability has been resolved: block: fix ... In the Linux kernel, the following vulnerability has been resolved: block: fix potential invalid pointer dereference in blk_add_partition The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed

CVE-2024-46694 [MEDIUM] CVE-2024-46694: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. (cherry picked from commit 73dd0ad9e5dad53766ea3e63130