Debian Linux-6.1 vulnerabilities

2,634 known vulnerabilities affecting debian/linux-6.1.

Total CVEs: 2,634
CISA KEV: 5 (actively exploited)
Public exploits: 1
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 728, MEDIUM 1569, LOW 14, UNKNOWN 317

Vulnerabilities

Page 81 of 132
CVE-2024-40958 | HIGH | CVSS 7.8 | fixed in linux 6.1.99-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net
Syzkaller hit a warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Har
debian
CVE-2024-53171 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
After an insertion in TNC, the tree might split and cause a node to change its `znode->parent`. A further deletion of other nodes in the tree (which also could free the nodes), the aforementioned node's `znode->cparent` could still poin
debian
CVE-2024-50235 | HIGH | CVSS 7.8 | fixed in linux 6.1.119-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: clear wdev->cqm_config pointer on free
When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free. S
debian
CVE-2024-47727 | HIGH | CVSS 7.8 | fixed in linux 6.1.115-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix "in-kernel MMIO" check
TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not. However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if u
debian
CVE-2024-56614 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: xsk: fix OOB map writes when deleting elements
Jordy says: " In the xsk_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds che
debian
CVE-2024-57912 | HIGH | CVSS 7.1 | fixed in linux 6.1.128-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: iio: pressure: zpa2326: fix information leak in triggered buffer
The 'sample' local struct is used to push data to user space from a triggered buffer, but it has a hole between the temperature and the timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp). This hole is never initialized. Initia
debian
CVE-2024-50234 | HIGH | CVSS 7.0 | fixed in linux 6.1.119-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlegacy: Clear stale interrupts before resuming device
iwl4965 fails upon resume from hibernation on my laptop. The reason seems to be a stale interrupt which isn't being cleared out before interrupts are enabled. We end up with a race between the resume trying to bring things back up, and the r
debian
CVE-2024-42159 | HIGH | CVSS 7.8 | fixed in linux 6.1.98-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys
Information is stored in mr_sas_port->phy_mask, values larger than size of this field shouldn't be allowed.
Scope: local; bookworm: resolved (fixed in 6.1.98-1); bullseye: resolved; forky: resolved (fixed in 6.9.9-1); sid: resolved (fixed in 6.9.9-1); trixie: resolved (fixed
debian
CVE-2024-56651 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free
The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr during bus-off") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after net
debian
CVE-2024-46865 | HIGH | CVSS 7.1 | fixed in linux 6.1.112-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: fou: fix initialization of grc
The grc must be initialized first. There can be a condition where if fou is NULL, goto out will be executed and grc would be used uninitialized.
Scope: local; bookworm: resolved (fixed in 6.1.112-1); bullseye: resolved (fixed in 5.10.234-1); forky: resolved (fixed in 6.10.11
debian
CVE-2024-56603 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: net: af_can: do not leave a dangling sk pointer in can_create()
On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause use-after-free later.
Scope: local; bookw
debian
CVE-2024-35966 | HIGH | CVSS 7.1 | fixed in linux 6.1.112-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input
syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length.
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockpt
debian
CVE-2024-56595 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out.
Scope: local; bookworm: resolved (fixed in 6.1.123-1); bullseye: resolved (fixed in 5.10.234-1); forky: res
debian
CVE-2024-56558 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: nfsd: make sure exp active before svc_export_show
The function `e_show` was called with protection from RCU. This only ensures that `exp` will not be freed. Therefore, the reference count for `exp` can drop to zero, which will trigger a refcount use-after-free warning when `exp_get` is called. To reso
debian
CVE-2024-50250 | HIGH | CVSS 7.1 | fixed in linux 6.1.119-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: fsdax: dax_unshare_iter needs to copy entire blocks
The code that copies data from srcmap to iomap in dax_unshare_iter is very very broken, which bfoster's recent fsx changes have exposed. If the pos and len passed to dax_file_unshare are not aligned to an fsblock boundary, the iter pos and length in
debian
CVE-2024-57892 | HIGH | CVSS 7.8 | fixed in linux 6.1.128-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process,
debian
CVE-2024-41096 | HIGH | CVSS 7.8 | fixed in linux 6.1.112-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Fix UAF in msi_capability_init
KFENCE reports the following UAF:
BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488
Use-after-free read at 0x0000000024629571 (in kfence-#12):
__pci_enable_msi_range+0x2c0/0x488
pci_alloc_irq_vectors_affinity+0xec/0x14c
pci_alloc_irq_vectors
debian
CVE-2024-42302 | HIGH | CVSS 7.8 | fixed in linux 6.1.106-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do s
debian
CVE-2024-41039 | HIGH | CVSS 7.8 | fixed in linux 6.1.106-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix overflow checking of wmfw header
Fix the checking that firmware file buffer is large enough for the wmfw header, to prevent overrunning the buffer. The original code tested that the firmware data buffer contained enough bytes for the sums of the size of the structs wmfw_header +
debian
CVE-2024-49983 | HIGH | CVSS 7.8 | fixed in linux 6.1.115-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free
When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(), the 'ppath' is updated but it is the 'path' that is freed, thus potentially triggering a double-free in the following process:
ext4_ext_replay_update_ex
ppat
debian