Debian Linux-6.1 vulnerabilities

CVE-2024-47679 [MEDIUM] CVE-2024-47679: linux - In the Linux kernel, the following vulnerability has been resolved: vfs: fix ra... In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super

CVE-2024-44958 [MEDIUM] CVE-2024-44958: linux - In the Linux kernel, the following vulnerability has been resolved: sched/smt: ... In the Linux kernel, the following vulnerability has been resolved: sched/smt: Fix unbalance sched_smt_present dec/inc I got the following warn report while doing stress test: jump label: negative count! WARNING: CPU: 3 PID: 38 at kernel/jump_label.c:263 static_key_slow_try_dec+0x9d/0xb0 Call Trace: __static_key_slow_dec_cpuslocked+0x16/0x70 sched_cpu_deactivate+0x2

CVE-2024-50256 [MEDIUM] CVE-2024-50256: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilt

CVE-2024-42129 [MEDIUM] CVE-2024-42129: linux - In the Linux kernel, the following vulnerability has been resolved: leds: mlxre... In the Linux kernel, the following vulnerability has been resolved: leds: mlxreg: Use devm_mutex_init() for mutex initialization In this driver LEDs are registered using devm_led_classdev_register() so they are automatically unregistered after module's remove() is done. led_classdev_unregister() calls module's led_set_brightness() to turn off the LEDs and that callb

CVE-2024-43897 [MEDIUM] CVE-2024-43897: linux - In the Linux kernel, the following vulnerability has been resolved: net: drop b... In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs afte

CVE-2024-36350 [MEDIUM] CVE-2024-36350: amd64-microcode - A transient execution vulnerability in some AMD processors may allow an attacker... A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 3.20251202.1) sid: resolved (fixed in 3.20251202.1) trixie: open

CVE-2024-56715 [MEDIUM] CVE-2024-56715: linux - In the Linux kernel, the following vulnerability has been resolved: ionic: Fix ... In the Linux kernel, the following vulnerability has been resolved: ionic: Fix netdev notifier unregister on failure If register_netdev() fails, then the driver leaks the netdev notifier. Fix this by calling ionic_lif_unregister() on register_netdev() failure. This will also call ionic_lif_unregister_phc() if it has already been registered. Scope: local bookworm: re

CVE-2024-47728 [MEDIUM] CVE-2024-47728: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Zero f... In the Linux kernel, the following vulnerability has been resolved: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input arguments, zero the value for the case of an error as otherwise it could leak memory. For tracing, it is not needed given CAP_PERFMON can already read all kernel

CVE-2024-43908 [MEDIUM] CVE-2024-43908: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu:... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix the null pointer dereference to ras_manager Check ras_manager before using it Scope: local bookworm: resolved (fixed in 6.1.106-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in 6.10.6-1) sid: resolved (fixed in 6.10.6-1) trixie: resolved (fixed in 6.10.6-1)

CVE-2024-40934 [MEDIUM] CVE-2024-40934: linux - In the Linux kernel, the following vulnerability has been resolved: HID: logite... In the Linux kernel, the following vulnerability has been resolved: HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Fix a memory leak on logi_dj_recv_send_report() error path. Scope: local bookworm: resolved (fixed in 6.1.99-1) bullseye: resolved (fixed in 5.10.221-1) forky: resolved (fixed in 6.9.7-1) sid: resolved (fixed in 6.9.7-1) trixie: r

CVE-2024-40972 [MEDIUM] CVE-2024-40972: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: do no... In the Linux kernel, the following vulnerability has been resolved: ext4: do not create EA inode under buffer lock ext4_xattr_set_entry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the

CVE-2024-35956 [MEDIUM] CVE-2024-35956: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: qgro... In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_trans

CVE-2024-58010 [MEDIUM] CVE-2024-58010: linux - In the Linux kernel, the following vulnerability has been resolved: binfmt_flat... In the Linux kernel, the following vulnerability has been resolved: binfmt_flat: Fix integer overflow bug on 32 bit systems Most of these sizes and counts are capped at 256MB so the math doesn't result in an integer overflow. The "relocs" count needs to be checked as well. Otherwise on 32bit systems the calculation of "full_data" could be wrong. full_data = data_len

CVE-2024-50243 [MEDIUM] CVE-2024-50243: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: F... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix general protection fault in run_is_mapped_full Fixed deleating of a non-resident attribute in ntfs_create_inode() rollback. Scope: local bookworm: resolved (fixed in 6.1.119-1) bullseye: resolved forky: resolved (fixed in 6.11.7-1) sid: resolved (fixed in 6.11.7-1) trixie: resolved (fi

CVE-2024-42238 [MEDIUM] CVE-2024-42238: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: c... In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Return error if block header overflows file Return an error from cs_dsp_power_up() if a block header is longer than the amount of data left in the file. The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop while there was enough data left in the file for a valid re

CVE-2024-42311 [MEDIUM] CVE-2024-42311: linux - In the Linux kernel, the following vulnerability has been resolved: hfs: fix to... In the Linux kernel, the following vulnerability has been resolved: hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() Syzbot reports uninitialized value access issue as below: loop0: detected capacity change from 0 to 64 ===================================================== BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sy

CVE-2024-56662 [MEDIUM] CVE-2024-56662: linux - In the Linux kernel, the following vulnerability has been resolved: acpi: nfit:... In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Fix an issue detected by syzbot with KASAN: BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ core.c:416 [inline] BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459 The issue occurs i

CVE-2024-56625 [MEDIUM] CVE-2024-56625: linux - In the Linux kernel, the following vulnerability has been resolved: can: dev: c... In the Linux kernel, the following vulnerability has been resolved: can: dev: can_set_termination(): allow sleeping GPIOs In commit 6e86a1543c37 ("can: dev: provide optional GPIO based termination support") GPIO based termination support was added. For no particular reason that patch uses gpiod_set_value() to set the GPIO. This leads to the following warning, if the

CVE-2024-53233 [MEDIUM] CVE-2024-53233: linux - In the Linux kernel, the following vulnerability has been resolved: unicode: Fi... In the Linux kernel, the following vulnerability has been resolved: unicode: Fix utf8_load() error path utf8_load() requests the symbol "utf8_data_table" and then checks if the requested UTF-8 version is supported. If it's unsupported, it tries to put the data table using symbol_put(). If an unsupported version is requested, symbol_put() fails like this: kernel BUG

CVE-2024-56724 [MEDIUM] CVE-2024-56724: linux - In the Linux kernel, the following vulnerability has been resolved: mfd: intel_... In the Linux kernel, the following vulnerability has been resolved: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device While design wise the idea of converting the driver to use the hierarchy of the IRQ chips is correct, the implementation has (inherited) flaws. This was unveiled when platform_get_irq() had started WARN() on IRQ 0 that is supposed to be a Linu