Debian Linux-6.1 vulnerabilities

CVE-2024-40978 [HIGH] CVE-2024-40978: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qedi:... In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix crash while reading debugfs attribute The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly on a __user pointer, which results into the crash. To fix this issue, use a small local stack buffer for sprintf() and then call simple_read_from_buffer(), which in turns ma

CVE-2024-58007 [HIGH] CVE-2024-58007: linux - In the Linux kernel, the following vulnerability has been resolved: soc: qcom: ... In the Linux kernel, the following vulnerability has been resolved: soc: qcom: socinfo: Avoid out of bounds read of serial number On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always: db410c:/sys/devices/soc0$ cat serial_number 2644893864 The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8)

CVE-2024-42280 [HIGH] CVE-2024-42280: linux - In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix ... In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp). Scope: local bookworm: resolved (fixed in 6.1.106-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.3-1) sid: resolved (fixed in 6.10.3-1) trixie: resolved (fixed in 6.10.3-1)

CVE-2024-50131 [HIGH] CVE-2024-50131: linux - In the Linux kernel, the following vulnerability has been resolved: tracing: Co... In the Linux kernel, the following vulnerability has been resolved: tracing: Consider the NULL character when validating the event length strlen() returns a string length excluding the null byte. If the string length equals to the maximum buffer length, the buffer will have no space for the NULL terminating character. This commit checks this condition and returns fail

CVE-2024-50276 [HIGH] CVE-2024-50276: linux - In the Linux kernel, the following vulnerability has been resolved: net: vertex... In the Linux kernel, the following vulnerability has been resolved: net: vertexcom: mse102x: Fix possible double free of TX skb The scope of the TX skb is wider than just mse102x_tx_frame_spi(), so in case the TX skb room needs to be expanded, we should free the the temporary skb instead of the original skb. Otherwise the original TX skb pointer would be freed again i

CVE-2024-53156 [HIGH] CVE-2024-53156: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k... In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51 index 255 is out of range for type 'htc_endpoint [22]' CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6

CVE-2024-49924 [HIGH] CVE-2024-49924: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: pxaf... In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of sc

CVE-2024-53057 [HIGH] CVE-2024-53057: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that m

CVE-2024-47745 [HIGH] CVE-2024-47745: linux - In the Linux kernel, the following vulnerability has been resolved: mm: call th... In the Linux kernel, the following vulnerability has been resolved: mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will act

CVE-2024-46852 [HIGH] CVE-2024-46852: linux - In the Linux kernel, the following vulnerability has been resolved: dma-buf: he... In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix off-by-one in CMA heap fault handler Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps: Don't track CMA dma-buf pages under RssFile") it was possible to obtain a mapping larger than the buffer size via mremap and bypass the overflow check in dma_buf_mmap_interna

CVE-2024-53173 [HIGH] CVE-2024-53173: linux - In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fi... In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to th

CVE-2024-50247 [HIGH] CVE-2024-50247: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: C... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Check if more than chunk-size bytes are written A incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and a index out of bounds will occur in s_max_off. Scope: local bookworm: resolved (fixed in 6.1.119-1) bullseye: resolved forky: resolved (fixed in 6.11.7-1) sid

CVE-2024-50127 [HIGH] CVE-2024-50127: linux - In the Linux kernel, the following vulnerability has been resolved: net: sched:... In the Linux kernel, the following vulnerability has been resolved: net: sched: fix use-after-free in taprio_change() In 'taprio_change()', 'admin' pointer may become dangling due to sched switch / removal caused by 'advance_sched()', and critical section protected by 'q->current_entry_lock' is too small to prevent from such a scenario (which causes use-after-free det

CVE-2024-57896 [HIGH] CVE-2024-57896: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: flus... In the Linux kernel, the following vulnerability has been resolved: btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kthread_stop() which frees the associated task_struct, and then stop and destroy all the work queues. However after we stopped the clea

CVE-2024-50269 [HIGH] CVE-2024-50269: linux - In the Linux kernel, the following vulnerability has been resolved: usb: musb: ... In the Linux kernel, the following vulnerability has been resolved: usb: musb: sunxi: Fix accessing an released usb phy Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit") will cause that usb phy @glue->xceiv is accessed after released. 1) register platform driver @sunxi_musb_driver // get the usb phy @glue->xceiv sunxi_musb_probe() -> devm_us

CVE-2024-35866 [HIGH] CVE-2024-35866: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_dump_full_key() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved forky: resolved (fixed in 6.8.9-1) sid: resolved (fixed in 6.8.9-1) trixie: resolved (fixed in 6

CVE-2024-40902 [HIGH] CVE-2024-40902: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: xattr:... In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all

CVE-2024-42148 [HIGH] CVE-2024-42148: linux - In the Linux kernel, the following vulnerability has been resolved: bnx2x: Fix ... In the Linux kernel, the following vulnerability has been resolved: bnx2x: Fix multiple UBSAN array-index-out-of-bounds Fix UBSAN warnings that occur when using a system with 32 physical cpu cores or more, or when the user defines a number of Ethernet queues greater than or equal to FP_SB_MAX_E1x using the num_queues module parameter. Currently there is a read/write o

CVE-2024-49900 [HIGH] CVE-2024-49900: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: Fix un... In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of new_ea in ea_buffer syzbot reports that lzo1x_1_do_compress is using uninit-value: ===================================================== BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178 ... Uninit was stored to memory at: ea_put

CVE-2024-49989 [HIGH] CVE-2024-49989: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix double free issue during amdgpu module unload Flexible endpoints use DIGs from available inflexible endpoints, so only the encoders of inflexible links need to be freed. Otherwise, a double free issue may occur when unloading the amdgpu module. [ 279.190523] RIP: 0010:__slab_free+