Debian Linux-6.1 vulnerabilities

2,634 known vulnerabilities affecting debian/linux-6.1.

Total CVEs: 2,634
CISA KEV: 5 (actively exploited)
Public exploits: 1
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 728, MEDIUM 1569, LOW 14, UNKNOWN 317

Vulnerabilities

Page 88 of 132
CVE-2024-41074 | HIGH | CVSS 7.8 | fixed in linux 6.1.106-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: cachefiles: Set object to close if ondemand_id < 0 in copen
If copen is maliciously called in the user mode, it may delete the request corresponding to the random id. And the request may have not been read yet. Note that when the object is set to reopen, the open request will be done with the still re
debian
CVE-2024-50246 | HIGH | CVSS 7.8 | fixed in linux 6.1.133-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add rough attr alloc_size check
Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved forky: resolved (fixed in 6.11.7-1) sid: resolved (fixed in 6.11.7-1) trixie: resolved (fixed in 6.11.7-1)
debian
CVE-2024-49883 | HIGH | CVSS 7.8 | fixed in linux 6.1.115-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: ext4: aovid use-after-free in ext4_ext_insert_extent()
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and cause UAF. Below is a sample trace with dummy values: ext4_ext_insert_extent path = *ppath = 2000 ext
debian
CVE-2024-53239 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: Release resources at card release
The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()). For avoid potential UAFs, move the release of re
debian
CVE-2024-50193 | HIGH | CVSS 7.1 | fixed in linux 6.1.115-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: x86/entry_32: Clear CPU buffers after register restore in NMI return
CPU buffers are currently cleared after call to exc_nmi, but before register state is restored. This may be okay for MDS mitigation but not for RDFS. Because RDFS mitigation requires CPU buffers to be cleared when registers don't hav
debian
CVE-2024-53206 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: tcp: Fix use-after-free of nreq in reqsk_timer_handler().
The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with __inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler(). Then, oreq should be passed to reqsk_put() instead of req; otherwise use-after-free of nreq could happen
debian
CVE-2024-53099 | HIGH | CVSS 7.1 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link->type in bpf_link_show_fdinfo()
If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_sh
debian
CVE-2024-42086 | HIGH | CVSS 7.8 | fixed in linux 6.1.98-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: iio: chemical: bme680: Fix overflows in compensate() functions
There are cases in the compensate functions of the driver that there could be overflows of variables due to bit shifting ops. These implications were initially discussed here [1] and they were mentioned in log message of Commit 1b3bd859278
debian
CVE-2024-53061 | HIGH | CVSS 7.8 | fixed in linux 6.1.119-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: media: s5p-jpeg: prevent buffer overflows
The current logic allows word to be less than 2. If this happens, there will be buffer overflows, as reported by smatch. Add extra checks to prevent it. While here, remove an unused word = 0 assignment.
Scope: local bookworm: resolved (fixed in 6.1.119-1) bull
debian
CVE-2024-49853 | HIGH | CVSS 7.8 | fixed in linux 6.1.115-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in OPTEE transport
Channels can be shared between protocols, avoid freeing the same channel descriptors twice when unloading the stack.
Scope: local bookworm: resolved (fixed in 6.1.115-1) bullseye: resolved forky: resolved (fixed in 6.11.2-1) sid: resolved (fixed i
debian
CVE-2024-58055 | HIGH | CVSS 7.8 | fixed in linux 6.1.129-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Don't free command immediately
Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command.
Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) fork
debian
CVE-2024-46713 | HIGH | CVSS 7.8 | fixed in linux 6.1.112-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization
Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not
debian
CVE-2024-46844 | HIGH | CVSS 7.8 | fixed in linux 6.1.112-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line()
The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().
Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved (fixed in 5.10.226-1) f
debian
CVE-2024-53142 | HIGH | CVSS 7.8 | fixed in linux 6.1.123-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: initramfs: avoid filename buffer overrun
The initramfs filename field is defined in Documentation/driver-api/early-userspace/buffer-format.rst as: 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data ... 55 ============= ================== ========================= 56 Field name Fi
debian
CVE-2024-46782 | HIGH | CVSS 7.8 | fixed in linux 6.1.112-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner
syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() met
debian
CVE-2024-39502 | HIGH | CVSS 7.8 | fixed in linux 6.1.99-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: ionic: fix use after netif_napi_del()
When queues are started, netif_napi_add() and napi_enable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled. The ionic_qcq_enable() checks whether the .poll pointer is
debian
CVE-2024-41000 | HIGH | CVSS 7.8 | fixed in linux 6.1.99-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: block/ioctl: prefer different overflow check
Running syzkaller with the newly reintroduced signed integer overflow sanitizer shows this report: [ 62.982337] ------------[ cut here ]------------ [ 62.985692] cgroup: Invalid name [ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46 [ 62
debian
CVE-2024-41013 | HIGH | CVSS 7.1 | fixed in linux 6.1.147-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: xfs: don't walk off the end of a directory data block
This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted imag
debian
CVE-2024-42228 | HIGH | CVSS 7.0 | fixed in linux 6.1.112-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc
Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)
Scope: local bookworm: resolved (fi
debian
CVE-2024-43905 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.106-1 (bookworm) | 2024
In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
Check return value and conduct null pointer handling to avoid null pointer dereference.
Scope: local bookworm: resolved (fixed in 6.1.106-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.6-1) sid: resolved (fixed
debian