Debian Linux-6.1 vulnerabilities

CVE-2024-53146 [MEDIUM] CVE-2024-53146: linux - In the Linux kernel, the following vulnerability has been resolved: NFSD: Preve... In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent a potential integer overflow If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value.

CVE-2024-50062 [MEDIUM] CVE-2024-50062: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-s... In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-srv: Avoid null pointer deref during path establishment For RTRS path establishment, RTRS client initiates and completes con_num of connections. After establishing all its connections, the information is exchanged between the client and server through the info_req message. During this exch

CVE-2024-50201 [MEDIUM] CVE-2024-50201: linux - In the Linux kernel, the following vulnerability has been resolved: drm/radeon:... In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Fix encoder->possible_clones Include the encoder itself in its possible_clones bitmask. In the past nothing validated that drivers were populating possible_clones correctly, but that changed in commit 74d2aacbe840 ("drm: Validate encoder->possible_clones"). Looks like radeon never got th

CVE-2024-49949 [MEDIUM] CVE-2024-49949: linux - In the Linux kernel, the following vulnerability has been resolved: net: avoid ... In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had sanity check to detect malicious attempts from user space to cook a bad GSO packet. Then commit cf9acc90c80ec ("net:

CVE-2024-42289 [MEDIUM] CVE-2024-42289: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qla2x... In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: During vport delete send async logout explicitly During vport delete, it is observed that during unload we hit a crash because of stale entries in outstanding command array. For all these stale I/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but I/Os could not comp

CVE-2024-47726 [MEDIUM] CVE-2024-47726: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to wait dio completion It should wait all existing dio write IOs before block removal, otherwise, previous direct write IO may overwrite data in the block which may be reused by other inode. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky

CVE-2024-41035 [MEDIUM] CVE-2024-41035: linux - In the Linux kernel, the following vulnerability has been resolved: USB: core: ... In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoi

CVE-2024-43835 [MEDIUM] CVE-2024-43835: linux - In the Linux kernel, the following vulnerability has been resolved: virtio_net:... In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix napi_skb_cache_put warning After the commit bdacf3e34945 ("net: Use nested-BH locking for napi_alloc_cache.") was merged, the following warning began to appear: WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0 __warn+0x12f/0x340 napi_skb_cache_put+0x82/0

CVE-2024-50258 [MEDIUM] CVE-2024-50258: linux - In the Linux kernel, the following vulnerability has been resolved: net: fix cr... In the Linux kernel, the following vulnerability has been resolved: net: fix crash when config small gso_max_size/gso_ipv4_max_size Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs

CVE-2024-50048 [MEDIUM] CVE-2024-50048: linux - In the Linux kernel, the following vulnerability has been resolved: fbcon: Fix ... In the Linux kernel, the following vulnerability has been resolved: fbcon: Fix a NULL pointer dereference issue in fbcon_putcs syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer: struct param { uint8_t type; struct tiocl_selection ts; }; int main() { struct fb_con2fbmap con2fb; struct param param; int fd = open("/dev/fb1",

CVE-2024-42097 [MEDIUM] CVE-2024-42097: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: emux:... In the Linux kernel, the following vulnerability has been resolved: ALSA: emux: improve patch ioctl data validation In load_data(), make the validation of and skipping over the main info block match that in load_guspatch(). In load_guspatch(), add checking that the specified patch length matches the actually supplied data, like load_data() already did. Scope: local

CVE-2024-57902 [MEDIUM] CVE-2024-57902: linux - In the Linux kernel, the following vulnerability has been resolved: af_packet: ... In the Linux kernel, the following vulnerability has been resolved: af_packet: fix vlan_get_tci() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot. Rework vlan_get_tci() to not touch skb at all, so that it can be used from many cpus on the same skb. Add a const qualifier to skb argument. [1] skbuff: skb_under_panic: text:ffffff

CVE-2024-49994 [MEDIUM] CVE-2024-49994: linux - In the Linux kernel, the following vulnerability has been resolved: block: fix ... In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infini

CVE-2024-41048 [MEDIUM] CVE-2024-41048: linux - In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip... In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in sk_msg_recvmsg When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch platform, the following kernel panic occurs: [...] Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BI

CVE-2024-53172 [MEDIUM] CVE-2024-53172: linux - In the Linux kernel, the following vulnerability has been resolved: ubi: fastma... In the Linux kernel, the following vulnerability has been resolved: ubi: fastmap: Fix duplicate slab cache names while attaching Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when DEBUG_VM=y"), the duplicate slab cache names can be detected and a kernel WARNING is thrown out. In UBI fast attaching process, alloc_ai() could be invoked twice with the

CVE-2024-49867 [MEDIUM] CVE-2024-49867: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: wait... In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the following steps in this order: 1) Park the cleaner kthread - this doesn't destroy the kthread, it basically halts its execution (wake ups against it work but do nothing); 2) We s

CVE-2024-56533 [MEDIUM] CVE-2024-56533: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y... In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upp

CVE-2024-40976 [MEDIUM] CVE-2024-40976: linux - In the Linux kernel, the following vulnerability has been resolved: drm/lima: m... In the Linux kernel, the following vulnerability has been resolved: drm/lima: mask irqs in timeout path before hard reset There is a race condition in which a rendering job might take just long enough to trigger the drm sched job timeout handler but also still complete before the hard reset is done by the timeout handler. This runs into race conditions not expected

CVE-2024-53164 [MEDIUM] CVE-2024-53164: linux - In the Linux kernel, the following vulnerability has been resolved: net: sched:... In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a call to said function because otherwise it may fail to notify parent qdiscs when the child is about to become empty. Scope: local bookworm: resolved (fixed in 6.1.123-1) bu

CVE-2024-53680 [MEDIUM] CVE-2024-53680: linux - In the Linux kernel, the following vulnerability has been resolved: ipvs: fix U... In the Linux kernel, the following vulnerability has been resolved: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build ti