Debian Linux-6.1 vulnerabilities

CVE-2024-56693 [HIGH] CVE-2024-56693: linux - In the Linux kernel, the following vulnerability has been resolved: brd: defer ... In the Linux kernel, the following vulnerability has been resolved: brd: defer automatic disk creation until module initialization succeeds My colleague Wupeng found the following problems during fault injection: BUG: unable to handle page fault for address: fffffbfff809d073 PGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP

CVE-2024-46731 [HIGH] CVE-2024-46731: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm:... In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix the Out-of-bounds read warning using index i - 1U may beyond element index for mc_data[] when i = 0. Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.9-1) sid: resolved (fixed in 6.10.9-1) trixie: resolved (fix

CVE-2024-49903 [HIGH] CVE-2024-49903: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: Fix ua... In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uaf in dbFreeBits [syzbot reported] ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 Read of size

CVE-2024-57980 [HIGH] CVE-2024-57980: linux - In the Linux kernel, the following vulnerability has been resolved: media: uvcv... In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix double free in error path If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the

CVE-2024-49997 [HIGH] CVE-2024-49997: linux - In the Linux kernel, the following vulnerability has been resolved: net: ethern... In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix memory disclosure When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses skb_put_padto() to pad Ethernet frames properly. The mentioned function zeroes the expanded buffer. In case

CVE-2024-41073 [HIGH] CVE-2024-41073: linux - In the Linux kernel, the following vulnerability has been resolved: nvme: avoid... In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned. Scope: local bookworm: resolved (fixed in 6.1.106-1) bullseye: resolved (f

CVE-2024-56663 [HIGH] CVE-2024-56663: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: nl802... In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. One crash stack for demonstration: ===============

CVE-2024-53213 [HIGH] CVE-2024-53213: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: l... In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: Fix double free issue with interrupt buffer allocation In lan78xx_probe(), the buffer `buf` was being freed twice: once implicitly through `usb_free_urb(dev->urb_intr)` with the `URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused a double free issue. To resolve

CVE-2024-46746 [HIGH] CVE-2024-46746: linux - In the Linux kernel, the following vulnerability has been resolved: HID: amd_sf... In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash

CVE-2024-53096 [HIGH] CVE-2024-53096: linux - In the Linux kernel, the following vulnerability has been resolved: mm: resolve... In the Linux kernel, the following vulnerability has been resolved: mm: resolve faulty mmap_region() error path behaviour The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from try

CVE-2024-56615 [HIGH] CVE-2024-56615: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: fix OO... In the Linux kernel, the following vulnerability has been resolved: bpf: fix OOB devmap writes when deleting elements Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case,

CVE-2024-50242 [HIGH] CVE-2024-50242: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: A... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Additional check in ntfs_file_release Scope: local bookworm: resolved (fixed in 6.1.119-1) bullseye: resolved forky: resolved (fixed in 6.11.7-1) sid: resolved (fixed in 6.11.7-1) trixie: resolved (fixed in 6.11.7-1)

CVE-2024-46740 [HIGH] CVE-2024-46740: linux - In the Linux kernel, the following vulnerability has been resolved: binder: fix... In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size

CVE-2024-43882 [HIGH] CVE-2024-43882: linux - In the Linux kernel, the following vulnerability has been resolved: exec: Fix T... In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode,

CVE-2024-50180 [HIGH] CVE-2024-50180: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: sisf... In the Linux kernel, the following vulnerability has been resolved: fbdev: sisfb: Fix strbuf array overflow The values of the variables xres and yres are placed in strbuf. These variables are obtained from strbuf1. The strbuf1 array contains digit characters and a space if the array contains non-digit characters. Then, when executing sprintf(strbuf, "%ux%ux8", xres, y

CVE-2024-42136 [HIGH] CVE-2024-42136: linux - In the Linux kernel, the following vulnerability has been resolved: cdrom: rear... In the Linux kernel, the following vulnerability has been resolved: cdrom: rearrange last_media_change check to avoid unintentional overflow When running syzkaller with the newly reintroduced signed integer wrap sanitizer we encounter this splat: [ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33 [ 366.021089] -9223372036854775808 - 34632

CVE-2024-56765 [HIGH] CVE-2024-56765: linux - In the Linux kernel, the following vulnerability has been resolved: powerpc/pse... In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/vas: Add close() callback in vas_vm_ops struct The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window

CVE-2024-43858 [HIGH] CVE-2024-43858: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: Fix ar... In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree Scope: local bookworm: resolved (fixed in 6.1.106-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.3-1) sid: resolved (fixed in 6.10.3-1) trixie: resolved (fixed in 6.10.3-1)

CVE-2024-42292 [HIGH] CVE-2024-42292: linux - In the Linux kernel, the following vulnerability has been resolved: kobject_uev... In the Linux kernel, the following vulnerability has been resolved: kobject_uevent: Fix OOB access within zap_modalias_env() zap_modalias_env() wrongly calculates size of memory block to move, so will cause OOB memory access issue if variable MODALIAS is not the last one within its @env parameter, fixed by correcting size to memmove. Scope: local bookworm: resolved (f

CVE-2024-53203 [HIGH] CVE-2024-53203: linux - In the Linux kernel, the following vulnerability has been resolved: usb: typec:... In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential array underflow in ucsi_ccg_sync_control() The "command" variable can be controlled by the user via debugfs. The worry is that if con_index is zero then "&uc->ucsi->connector[con_index - 1]" would be an array underflow. Scope: local bookworm: resolved (fixed in 6.1.140-1) bul