Debian Linux-6.1 vulnerabilities

CVE-2024-38541 [CRITICAL] CVE-2024-38541: linux - In the Linux kernel, the following vulnerability has been resolved: of: module:... In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after

CVE-2024-47685 [CRITICAL] CVE-2024-47685: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1) Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put() BUG: KMSAN: uninit-value in nf_reje

CVE-2024-40935 [HIGH] CVE-2024-40935: linux - In the Linux kernel, the following vulnerability has been resolved: cachefiles:... In the Linux kernel, the following vulnerability has been resolved: cachefiles: flush all requests after setting CACHEFILES_DEAD In ondemand mode, when the daemon is processing an open request, if the kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write() will always return -EIO, so the daemon can't pass the copen to the kernel. Then the kernel proce

CVE-2024-46744 [HIGH] CVE-2024-46744: linux - In the Linux kernel, the following vulnerability has been resolved: Squashfs: s... In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a "KMSAN: uninit-value in pick_link" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to t

CVE-2024-50154 [HIGH] CVE-2024-50154: linux - In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: D... In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper

CVE-2024-47750 [HIGH] CVE-2024-47750: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: F... In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 Currently rsv_qp is freed before ib_unregister_device() is called on HIP08. During the time interval, users can still dereg MR and rsv_qp will be used in this process, leading to a UAF. Move the release of rsv_qp after calling ib_unregister_device() to f

CVE-2024-40906 [HIGH] CVE-2024-40906: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: A... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always stop health timer during driver removal Currently, if teardown_hca fails to execute during driver removal, mlx5 does not stop the health timer. Afterwards, mlx5 continue with driver teardown. This may lead to a UAF bug, which results in page fault Oops[1], since the health timer invok

CVE-2024-41058 [HIGH] CVE-2024-41058: linux - In the Linux kernel, the following vulnerability has been resolved: cachefiles:... In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370 Read of size 4 at addr ffff88810680b

CVE-2024-50059 [HIGH] CVE-2024-50059: linux - In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw... In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be calle

CVE-2024-44934 [HIGH] CVE-2024-44934: linux - In the Linux kernel, the following vulnerability has been resolved: net: bridge... In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: wait for previous gc cycles when removing port syzbot hit a use-after-free[1] which is caused because the bridge doesn't make sure that all previous garbage has been collected when removing a port. What happens is: CPU 1 CPU 2 start gc cycle remove port acquire gc lock first wait f

CVE-2024-42120 [HIGH] CVE-2024-42120: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check pipe offset before setting vblank pipe_ctx has a size of MAX_PIPES so checking its index before accessing the array. This fixes an OVERRUN issue reported by Coverity. Scope: local bookworm: resolved (fixed in 6.1.98-1) bullseye: resolved (fixed in 5.10.223-1) forky: resolved (fi

CVE-2024-42271 [HIGH] CVE-2024-42271: linux - In the Linux kernel, the following vulnerability has been resolved: net/iucv: f... In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and sw

CVE-2024-43830 [HIGH] CVE-2024-43830: linux - In the Linux kernel, the following vulnerability has been resolved: leds: trigg... In the Linux kernel, the following vulnerability has been resolved: leds: trigger: Unregister sysfs attributes before calling deactivate() Triggers which have trigger specific sysfs attributes typically store related data in trigger-data allocated by the activate() callback and freed by the deactivate() callback. Calling device_remove_groups() after calling deactivate

CVE-2024-40989 [HIGH] CVE-2024-40989: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64:... In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Disassociate vcpus from redistributor region on teardown When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. Scope: local bookworm: resolved (fixed in 6.1.99-1) bullseye: resolved forky: resolved (fixed in 6.9.7-1) sid: re

CVE-2024-53104 [HIGH] CVE-2024-53104: linux - In the Linux kernel, the following vulnerability has been resolved: media: uvcv... In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming. Scope: local bookworm: resolved (fixed in 6.1.119-1) bull

CVE-2024-42284 [HIGH] CVE-2024-42284: linux - In the Linux kernel, the following vulnerability has been resolved: tipc: Retur... In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address. Scope: local bookworm:

CVE-2024-53194 [HIGH] CVE-2024-53194: linux - In the Linux kernel, the following vulnerability has been resolved: PCI: Fix us... In the Linux kernel, the following vulnerability has been resolved: PCI: Fix use-after-free of slot->bus on hot remove Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock. Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot firmware"), USB4 v2 and v1 Host Route

CVE-2024-49986 [HIGH] CVE-2024-49986: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors x86_android_tablet_remove() frees the pdevs[] array, so it should not be used after calling x86_android_tablet_remove(). When platform_device_register() fails, store the pdevs[x] PTR_ERR() value into the local r

CVE-2024-49861 [HIGH] CVE-2024-49861: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix he... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix helper writes to read-only maps Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments. In check_func_arg() when the argum

CVE-2024-56581 [HIGH] CVE-2024-56581: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: ref-... In the Linux kernel, the following vulnerability has been resolved: btrfs: ref-verify: fix use-after-free after invalid ref action At btrfs_ref_tree_mod() after we successfully inserted the new ref entry (local variable 'ref') into the respective block entry's rbtree (local variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF, we error out and fre