Debian Linux-6.1 vulnerabilities

CVE-2024-57911 [HIGH] CVE-2024-57911: linux - In the Linux kernel, the following vulnerability has been resolved: iio: dummy:... In the Linux kernel, the following vulnerability has been resolved: iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer The 'data' array is allocated via kmalloc() and it is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new val

CVE-2024-42104 [HIGH] CVE-2024-42104: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: add... In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because

CVE-2024-50088 [HIGH] CVE-2024-50088: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free in add_inode_ref() The add_inode_ref() function does not initialize the "name" struct when it is declared. If any of the following calls to "read_one_inode() returns NULL, dir = read_one_inode(root, parent_objectid); if (!dir) { ret = -ENOENT; goto out; } inode =

CVE-2024-49991 [HIGH] CVE-2024-49991: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd:... In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug. Scope: local bookworm: resolved (fixed in 6.1

CVE-2024-57906 [HIGH] CVE-2024-57906: linux - In the Linux kernel, the following vulnerability has been resolved: iio: adc: t... In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-ads8688: fix information leak in triggered buffer The 'buffer' local array is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the array to zero before

CVE-2024-49936 [HIGH] CVE-2024-49936: linux - In the Linux kernel, the following vulnerability has been resolved: net/xen-net... In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next

CVE-2024-53059 [HIGH] CVE-2024-53059: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwi... In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() 1. The size of the response packet is not validated. 2. The response buffer is not freed. Resolve these issues by switching to iwl_mvm_send_cmd_status(), which handles both size validation and frees the buffer. Scope: local bookw

CVE-2024-44987 [HIGH] CVE-2024-44987: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: preve... In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). A similar issue has been fixed in commit a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()") Another pote

CVE-2024-40899 [HIGH] CVE-2024-40899: linux - In the Linux kernel, the following vulnerability has been resolved: cachefiles:... In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0 Write

CVE-2024-50278 [HIGH] CVE-2024-50278: linux - In the Linux kernel, the following vulnerability has been resolved: dm cache: f... In the Linux kernel, the following vulnerability has been resolved: dm cache: fix potential out-of-bounds access on the first resume Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache table. This happens because expanding the fast device requires reloading the cache table for cache_create to allocate new i

CVE-2024-56619 [HIGH] CVE-2024-56619: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix... In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is

CVE-2024-50283 [HIGH] CVE-2024-50283: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp ksmbd_user_session_put should be called under smb3_preauth_hash_rsp(). It will avoid freeing session before calling smb3_preauth_hash_rsp(). Scope: local bookworm: resolved (fixed in 6.1.119-1) bullseye: resolved forky: resolved (fixed in 6.11.9-

CVE-2024-50055 [HIGH] CVE-2024-50055: linux - In the Linux kernel, the following vulnerability has been resolved: driver core... In the Linux kernel, the following vulnerability has been resolved: driver core: bus: Fix double free in driver API bus_register() For bus_register(), any error which happens after kset_register() will cause that @priv are freed twice, fixed by setting @priv with NULL after the first free. Scope: local bookworm: resolved (fixed in 6.1.123-1) bullseye: resolved (fixed

CVE-2024-40913 [HIGH] CVE-2024-40913: linux - In the Linux kernel, the following vulnerability has been resolved: cachefiles:... In the Linux kernel, the following vulnerability has been resolved: cachefiles: defer exposing anon_fd until after copy_to_user() succeeds After installing the anonymous fd, we can now see it in userland and close it. However, at this point we may not have gotten the reference count of the cache, but we will put it during colse fd, so this may cause a cache UAF. So gr

CVE-2024-50061 [HIGH] CVE-2024-50061: linux - In the Linux kernel, the following vulnerability has been resolved: i3c: master... In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work. If we remove the m

CVE-2024-50086 [HIGH] CVE-2024-50086: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issue between smb2 session log off and smb2 session setup. It will cause user-after-free from session log off. This add session_lock when setting SMB2_SESSION_EXPIRED and referece count to session struct not to free session while it is bein

CVE-2024-49966 [HIGH] CVE-2024-49966: linux - In the Linux kernel, the following vulnerability has been resolved: ocfs2: canc... In the Linux kernel, the following vulnerability has been resolved: ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end, if error occurs after successfully reading global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: ODEBUG: free active (active state 0) obje

CVE-2024-57792 [HIGH] CVE-2024-57792: linux - In the Linux kernel, the following vulnerability has been resolved: power: supp... In the Linux kernel, the following vulnerability has been resolved: power: supply: gpio-charger: Fix set charge current limits Fix set charge current limits for devices which allow to set the lowest charge current limit to be greater zero. If requested charge current limit is below lowest limit, the index equals current_limit_map_size which leads to accessing memory b

CVE-2024-40974 [HIGH] CVE-2024-40974: linux - In the Linux kernel, the following vulnerability has been resolved: powerpc/pse... In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Enforce hcall result buffer validity and size plpar_hcall(), plpar_hcall9(), and related functions expect callers to provide valid result buffers of certain minimum size. Currently this is communicated only through comments in the code and the compiler has no idea. For example, if I w

CVE-2024-47696 [HIGH] CVE-2024-47696: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs"), the function flush_workqueue is invoked to flush the work queue iwcm_wq. But at that time, the work queue iwcm_wq was created via the functi