Debian Linux-6.1 vulnerabilities

CVE-2024-47748 [HIGH] CVE-2024-47748: linux - In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa:... In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be

CVE-2024-46673 [HIGH] CVE-2024-46673: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: aacra... In the Linux kernel, the following vulnerability has been resolved: scsi: aacraid: Fix double-free on probe failure aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but d

CVE-2024-56704 [HIGH] CVE-2024-56704: linux - In the Linux kernel, the following vulnerability has been resolved: 9p/xen: fix... In the Linux kernel, the following vulnerability has been resolved: 9p/xen: fix release of IRQ Kernel logs indicate an IRQ was double-freed. Pass correct device ID during IRQ release. [Dominique: remove confusing variable reset to 0] Scope: local bookworm: resolved (fixed in 6.1.123-1) bullseye: resolved (fixed in 5.10.234-1) forky: resolved (fixed in 6.12.3-1) sid: r

CVE-2024-56609 [HIGH] CVE-2024-56609: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88... In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb When removing kernel modules by: rmmod rtw88_8723cs rtw88_8703b rtw88_8723x rtw88_sdio rtw88_core Driver uses skb_queue_purge() to purge TX skb, but not report tx status causing "Have pending ack frames!" warning. Use ieee80211_purge_tx_queue

CVE-2024-47718 [HIGH] CVE-2024-47718: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88... In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: always wait for both firmware loading attempts In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of '

CVE-2024-44967 [HIGH] CVE-2024-44967: linux - In the Linux kernel, the following vulnerability has been resolved: drm/mgag200... In the Linux kernel, the following vulnerability has been resolved: drm/mgag200: Bind I2C lifetime to DRM device Managed cleanup with devm_add_action_or_reset() will release the I2C adapter when the underlying Linux device goes away. But the connector still refers to it, so this cleanup leaves behind a stale pointer in struct drm_connector.ddc. Bind the lifetime of th

CVE-2024-52332 [HIGH] CVE-2024-52332: linux - In the Linux kernel, the following vulnerability has been resolved: igb: Fix po... In the Linux kernel, the following vulnerability has been resolved: igb: Fix potential invalid memory access in igb_init_module() The pci_register_driver() can fail and when this happened, the dca_notifier needs to be unregistered, otherwise the dca_notifier can be called when igb fails to install, resulting to invalid memory access. Scope: local bookworm: resolved (f

CVE-2024-46818 [HIGH] CVE-2024-46818: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check gpio_id before used as array index [WHY & HOW] GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore should be checked in advance. This fixes 5 OVERRUN issues reported by Coverity. Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved (fixed i

CVE-2024-58083 [HIGH] CVE-2024-58083: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: Explic... In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely t

CVE-2024-47698 [HIGH] CVE-2024-47698: linux - In the Linux kernel, the following vulnerability has been resolved: drivers: me... In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt

CVE-2024-40956 [HIGH] CVE-2024-40956: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator w

CVE-2024-57849 [HIGH] CVE-2024-57849: linux - In the Linux kernel, the following vulnerability has been resolved: s390/cpum_s... In the Linux kernel, the following vulnerability has been resolved: s390/cpum_sf: Handle CPU hotplug remove during sampling CPU hotplug remove handling triggers the following function call sequence: CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() The s390 CPUMF sampling CPU hotplug handler invokes: s390_pmu

CVE-2024-57925 [HIGH] CVE-2024-57925: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix a missing return value check bug In the smb2_send_interim_resp(), if ksmbd_alloc_work_struct() fails to allocate a node, it returns a NULL pointer to the in_work pointer. This can lead to an illegal memory write of in_work->response_buf when allocate_interim_rsp_buf() attempts to perform a

CVE-2024-50186 [HIGH] CVE-2024-50186: linux - In the Linux kernel, the following vulnerability has been resolved: net: explic... In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, when pf->create fails We have recently noticed the exact same KASAN splat as in commit 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails"). The problem is that commit did not fully address the problem, as some pf->create implementa

CVE-2024-40994 [HIGH] CVE-2024-40994: linux - In the Linux kernel, the following vulnerability has been resolved: ptp: fix in... In the Linux kernel, the following vulnerability has been resolved: ptp: fix integer overflow in max_vclocks_store On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this. Scope: local bookworm: resolved (fixed in 6.1.99-1) bullseye: resolved forky: resolved (fixed in 6.9.7-1) sid: resolved (fixed in 6.9.7-1) trixie: r

CVE-2024-47697 [HIGH] CVE-2024-47697: linux - In the Linux kernel, the following vulnerability has been resolved: drivers: me... In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Ensure index in rtl2830_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt

CVE-2024-42119 [HIGH] CVE-2024-42119: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip finding free audio for unknown engine_id [WHY] ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it also means it is uninitialized and does not need free audio. [HOW] Skip and return NULL. This fixes 2 OVERRUN issues reported by Coverity. Scope: local bookworm:

CVE-2024-50280 [HIGH] CVE-2024-50280: linux - In the Linux kernel, the following vulnerability has been resolved: dm cache: f... In the Linux kernel, the following vulnerability has been resolved: dm cache: fix flushing uninitialized delayed_work on cache_ctr error An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum e

CVE-2024-56605 [HIGH] CVE-2024-56605: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-a

CVE-2024-49960 [HIGH] CVE-2024-49960: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: fix t... In the Linux kernel, the following vulnerability has been resolved: ext4: fix timer use-after-free on failed mount Syzbot has found an ODEBUG bug in ext4_fill_super The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails,