Debian Linux-6.1 vulnerabilities

CVE-2024-47686 [HIGH] CVE-2024-47686: linux - In the Linux kernel, the following vulnerability has been resolved: ep93xx: clo... In the Linux kernel, the following vulnerability has been resolved: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() The psc->div[] array has psc->num_div elements. These values come from when we call clk_hw_register_div(). It's adc_divisors and ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >= instead of > to prevent an out of bounds read

CVE-2024-56597 [HIGH] CVE-2024-56597: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: fix sh... In the Linux kernel, the following vulnerability has been resolved: jfs: fix shift-out-of-bounds in dbSplit When dmt_budmin is less than zero, it causes errors in the later stages. Added a check to return an error beforehand in dbAllocCtl itself. Scope: local bookworm: resolved (fixed in 6.1.123-1) bullseye: resolved (fixed in 5.10.234-1) forky: resolved (fixed in 6.1

CVE-2024-50286 [HIGH] CVE-2024-50286: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while adding/deleting session from global session table. Scope: local bookworm: resolved (fixed in 6.1.119-1) bul

CVE-2024-42285 [HIGH] CVE-2024-42285: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handler = cma_iw_handler; rdma_destroy_id() frees bot

CVE-2024-42160 [HIGH] CVE-2024-42160: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: check... In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code. Scope: local bookworm: resolved (fixed in 6.

CVE-2024-58002 [HIGH] CVE-2024-58002: linux - In the Linux kernel, the following vulnerability has been resolved: media: uvcv... In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, an

CVE-2024-8805 [HIGH] CVE-2024-8805: linux - BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulner... BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the HID over GATT Profile. The issue results from th

CVE-2024-43900 [HIGH] CVE-2024-43900: linux - In the Linux kernel, the following vulnerability has been resolved: media: xc20... In the Linux kernel, the following vulnerability has been resolved: media: xc2028: avoid use-after-free in load_firmware_cb() syzkaller reported use-after-free in load_firmware_cb() [1]. The reason is because the module allocated a struct tuner in tuner_probe(), and then the module initialization failed, the struct tuner was released. A worker which created during mod

CVE-2024-42121 [HIGH] CVE-2024-42121: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check index msg_id before read or write [WHAT] msg_id is used as an array index and it cannot be a negative value, and therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1). [HOW] Check whether msg_id is valid before reading and setting. This fixes 4 OVERRUN issues reported by

CVE-2024-41014 [HIGH] CVE-2024-41014: linux - In the Linux kernel, the following vulnerability has been resolved: xfs: add bo... In the Linux kernel, the following vulnerability has been resolved: xfs: add bounds checking to xlog_recover_process_data There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do som

CVE-2024-56606 [HIGH] CVE-2024-56606: linux - In the Linux kernel, the following vulnerability has been resolved: af_packet: ... In the Linux kernel, the following vulnerability has been resolved: af_packet: avoid erroring out after sock_init_data() in packet_create() After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object leaving the dangling pointer in the sock object on return. Some other code may try to use this p

CVE-2024-43839 [HIGH] CVE-2024-43839: linux - In the Linux kernel, the following vulnerability has been resolved: bna: adjust... In the Linux kernel, the following vulnerability has been resolved: bna: adjust 'name' buf size of bna_tcb and bna_ccb structures To have enough space to write all possible sprintf() args. Currently 'name' size is 16, but the first '%s' specifier may already need at least 16 characters, since 'bnad->netdev->name' is used there. For '%d' specifiers, assume that they re

CVE-2024-57900 [HIGH] CVE-2024-57900: linux - In the Linux kernel, the following vulnerability has been resolved: ila: serial... In the Linux kernel, the following vulnerability has been resolved: ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue. Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. Add a mutex to make sure at most one t

CVE-2024-50164 [HIGH] CVE-2024-50164: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ov... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overloading of MEM_UNINIT's meaning Lonial reported an issue in the BPF verifier where check_mem_size_reg() has the following code: if (!tnum_is_const(reg->var_off)) /* For unprivileged variable accesses, disable raw * mode so that the program is required to * initialize all the memory that t

CVE-2024-50209 [HIGH] CVE-2024-50209: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_r... In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Add a check for memory allocation __alloc_pbl() can return error when memory allocation fails. Driver is not checking the status on one of the instances. Scope: local bookworm: resolved (fixed in 6.1.115-1) bullseye: resolved (fixed in 5.10.234-1) forky: resolved (fixed in 6.11.6-1) sid:

CVE-2024-42105 [HIGH] CVE-2024-42105: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix... In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix inode number range checks Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause prob

CVE-2024-44985 [HIGH] CVE-2024-44985: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: preve... In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UAF in ip6_xmit() If skb_expand_head() returns NULL, skb has been freed and the associated dst/idev could also have been freed. We must use rcu_read_lock() to prevent a possible UAF. Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved forky: resolved (fixed i

CVE-2024-43883 [HIGH] CVE-2024-43883: linux - In the Linux kernel, the following vulnerability has been resolved: usb: vhci-h... In the Linux kernel, the following vulnerability has been resolved: usb: vhci-hcd: Do not drop references before new references are gained At a few places the driver carries stale pointers to references that can still be used. Make sure that does not happen. This strictly speaking closes ZDI-CAN-22273, though there may be similar races in the driver. Scope: local book

CVE-2024-56664 [HIGH] CVE-2024-56664: linux - In the Linux kernel, the following vulnerability has been resolved: bpf, sockma... In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix race between element replace and close() Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of

CVE-2024-44986 [HIGH] CVE-2024-44986: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: fix p... In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in ip6_finish_output2() If skb_expand_head() returns NULL, skb has been freed and associated dst/idev could also have been freed. We need to hold rcu_read_lock() to make sure the dst and associated idev are alive. Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: op