{"schema_version":"1.7.2","id":"OESA-2024-2258","modified":"2024-10-18T11:09:23Z","published":"2024-10-18T11:09:23Z","upstream":["CVE-2021-47382","CVE-2022-48893","CVE-2024-35825","CVE-2024-35969","CVE-2024-36005","CVE-2024-36031","CVE-2024-36270","CVE-2024-36880","CVE-2024-36915","CVE-2024-36934","CVE-2024-36946","CVE-2024-38546","CVE-2024-38560","CVE-2024-38611","CVE-2024-38613","CVE-2024-38659","CVE-2024-39292","CVE-2024-39494","CVE-2024-40932","CVE-2024-40988","CVE-2024-41019","CVE-2024-41040","CVE-2024-41041","CVE-2024-41048","CVE-2024-41049","CVE-2024-41063","CVE-2024-41069","CVE-2024-41080","CVE-2024-41090","CVE-2024-41091","CVE-2024-42067","CVE-2024-42086","CVE-2024-42097","CVE-2024-42115","CVE-2024-42129","CVE-2024-42228","CVE-2024-42283","CVE-2024-42290","CVE-2024-42306","CVE-2024-42309","CVE-2024-42313","CVE-2024-42322","CVE-2024-43823","CVE-2024-43830","CVE-2024-43840","CVE-2024-43855","CVE-2024-43872","CVE-2024-43892","CVE-2024-43893","CVE-2024-44940","CVE-2024-44954","CVE-2024-44998","CVE-2024-45006","CVE-2024-45026","CVE-2024-46676","CVE-2024-46719","CVE-2024-46754","CVE-2024-46770","CVE-2024-46795","CVE-2024-46819","CVE-2024-46826","CVE-2024-46828","CVE-2024-46840","CVE-2024-46848","CVE-2024-46854","CVE-2024-46855","CVE-2024-46858","CVE-2024-47658","CVE-2024-47664","CVE-2024-47670","CVE-2024-47671","CVE-2024-47672"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/qeth: fix deadlock during failing recovery\r\n\r\nCommit 0b9902c1fcc5 (\u0026quot;s390/qeth: fix deadlock during recovery\u0026quot;) removed\ntaking discipline_mutex inside qeth_do_reset(), fixing potential\ndeadlocks. An error path was missed though, that still takes\ndiscipline_mutex and thus has the original deadlock potential.\r\n\r\nIntermittent deadlocks were seen when a qeth channel path is configured\noffline, causing a race between qeth_do_reset and ccwgroup_remove.\nCall qeth_set_offline() directly in the qeth_do_reset() error case and\nthen a new variant of ccwgroup_set_offline(), without taking\ndiscipline_mutex.(CVE-2021-47382)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/i915/gt: Cleanup partial engine discovery failures\r\n\r\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have \u0026apos;engine-\u0026gt;release == NULL\u0026apos; and so will leak any of the\ncommon objects allocated.\r\n\r\nv2:\n - Drop the destroy_pinned_context() helper for now.  It\u0026apos;s not really\n   worth it with just a single callsite at the moment.  (Janusz)(CVE-2022-48893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: ncm: Fix handling of zero block length packets\r\n\r\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\r\n\r\nAccording to the NCM spec:\r\n\r\n\u0026quot;If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\r\n\r\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\r\n\r\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\u0026quot;\r\n\r\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.(CVE-2024-35825)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\r\n\r\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\r\n\r\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(\u0026amp;ifp-\u0026gt;addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\r\n\r\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\r\n\r\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n   reference count drops to zero and kfree_rcu is scheduled.\r\n\r\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n   (in6_ifa_hold).\r\n\r\n4. The rcu is unlocked and the entry is freed.\r\n\r\n5. The freed entry is returned.\r\n\r\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\r\n\r\n[   41.506330] refcount_t: addition on 0; use-after-free.\n[   41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[   41.507413] Modules linked in: veth bridge stp llc\n[   41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[   41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[   41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[   41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 \u0026lt;0f\u0026gt; 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[   41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[   41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[   41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[   41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[   41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[   41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[   41.514086] FS:  00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[   41.514726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[   41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   41.516799] Call Trace:\n[   41.517037]  \u0026lt;TASK\u0026gt;\n[   41.517249]  ? __warn+0x7b/0x120\n[   41.517535]  ? refcount_warn_saturate+0xa5/0x130\n[   41.517923]  ? report_bug+0x164/0x190\n[   41.518240]  ? handle_bug+0x3d/0x70\n[   41.518541]  ? exc_invalid_op+0x17/0x70\n[   41.520972]  ? asm_exc_invalid_op+0x1a/0x20\n[   41.521325]  ? refcount_warn_saturate+0xa5/0x130\n[   41.521708]  ipv6_get_ifaddr+0xda/0xe0\n[   41.522035]  inet6_rtm_getaddr+0x342/0x3f0\n[   41.522376]  ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[   41.522758]  rtnetlink_rcv_msg+0x334/0x3d0\n[   41.523102]  ? netlink_unicast+0x30f/0x390\n[   41.523445]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[   41.523832]  netlink_rcv_skb+0x53/0x100\n[   41.524157]  netlink_unicast+0x23b/0x390\n[   41.524484]  netlink_sendmsg+0x1f2/0x440\n[   41.524826]  __sys_sendto+0x1d8/0x1f0\n[   41.525145]  __x64_sys_sendto+0x1f/0x30\n[   41.525467]  do_syscall_64+0xa5/0x1b0\n[   41.525794]  entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[   41.526213] RIP: 0033:0x7fbc4cfcea9a\n[   41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[   41.527942] RSP: 002b:00007f\n---truncated---(CVE-2024-35969)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\r\n\r\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\r\n\r\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff \u0026lt;0f\u0026gt; 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS:  0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006]  \u0026lt;TASK\u0026gt;\n[524854.859013]  ? __warn+0x9f/0x1a0\n[524854.859027]  ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044]  ? report_bug+0x1b1/0x1e0\n[524854.859060]  ? handle_bug+0x3c/0x70\n[524854.859071]  ? exc_invalid_op+0x17/0x40\n[524854.859083]  ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100]  ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116]  ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135]  nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461]  ? packet_notifier+0xb3/0x360\n[524854.859476]  ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489]  ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661]  notifier_call_chain+0x7d/0x140\n[524854.859677]  unregister_netdevice_many_notify+0x5e1/0xae0(CVE-2024-36005)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkeys: Fix overwrite of key expiration on instantiation\r\n\r\nThe expiry time of a key is unconditionally overwritten during\ninstantiation, defaulting to turn it permanent. This causes a problem\nfor DNS resolution as the expiration set by user-space is overwritten to\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\ncondition that key_set_expiry is only called when the pre-parser sets a\nspecific expiry.(CVE-2024-36031)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: tproxy: bail out if IP has been disabled on the device\r\n\r\nsyzbot reports:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n[..]\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\nCall Trace:\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\r\n\r\n__in_dev_get_rcu() can return NULL, so check for this.(CVE-2024-36270)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: qca: add missing firmware sanity checks\r\n\r\nAdd the missing sanity checks when parsing the firmware files before\ndownloading them to avoid accessing and corrupting memory beyond the\nvmalloced buffer.(CVE-2024-36880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\r\n\r\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\r\n\r\nUse copy_safe_from_sockptr() instead.\r\n\r\n[1]\r\n\r\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\r\n\r\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \u0026lt;TASK\u0026gt;\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\n  do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfd/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7f7fac07fd89\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000(CVE-2024-36915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbna: ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don\u0026apos;t\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.(CVE-2024-36934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet: fix rtm_phonet_notify() skb allocation\r\n\r\nfill_route() stores three components in the skb:\r\n\r\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\r\n\r\nTherefore, rtm_phonet_notify() should use\r\n\r\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)(CVE-2024-36946)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: vc4: Fix possible null pointer dereference\r\n\r\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38546)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bfa: Ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don\u0026apos;t\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user.(CVE-2024-38560)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: i2c: et8ek8: Don\u0026apos;t strip remove function when driver is builtin\r\n\r\nUsing __exit for the remove function results in the remove callback\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\nunbound (e.g. using sysfs or hotplug), the driver is just removed\nwithout the cleanup being performed. This results in resource leaks. Fix\nit by compiling in the remove callback unconditionally.\r\n\r\nThis also fixes a W=1 modpost warning:\r\n\r\n\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -\u0026gt; et8ek8_remove (section: .exit.text)(CVE-2024-38611)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nm68k: Fix spinlock race in kernel thread creation\r\n\r\nContext switching does take care to retain the correct lock owner across\nthe switch from \u0026apos;prev\u0026apos; to \u0026apos;next\u0026apos; tasks.  This does rely on interrupts\nremaining disabled for the entire duration of the switch.\r\n\r\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both \u0026apos;prev\u0026apos; and\n\u0026apos;next\u0026apos; already have interrupts disabled in their saved copies of the\nstatus register.\r\n\r\nThe situation is different for newly created kernel threads.  The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the \u0026apos;next\u0026apos; thread\u0026apos;s status register in switch_to() aka\nresume(), interrupts then become enabled prematurely.  resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\r\n\r\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner.  This causes a spinlock recursion warning as\nreported by Guenter Roeck.\r\n\r\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\u0026quot;m68k: split ret_from_fork(), simplify kernel_thread()\u0026quot;)\nbut I haven\u0026apos;t done a detailed study of kernel history so it may well\npredate that commit.\r\n\r\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space).  Disable interrupts temporarily when\nswitching the tasks\u0026apos; register sets in resume().\r\n\r\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the \u0026apos;spinlock recursion\u0026apos; warning to\nstill be observed.\r\n\r\nTested on ARAnyM and qemu (Quadra 800 emulation).(CVE-2024-38613)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nenic: Validate length of nl attributes in enic_set_vf_port\r\n\r\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.(CVE-2024-38659)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: Add winch to winch_handlers before registering winch IRQ\r\n\r\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\r\n\r\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\r\n\r\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.(CVE-2024-39292)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nima: Fix use-after-free on a dentry\u0026apos;s dname.name\r\n\r\n-\u0026gt;d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (-\u0026gt;d_lock on dentry,\n-\u0026gt;d_lock on its parent, -\u0026gt;i_rwsem exclusive on the parent\u0026apos;s inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.(CVE-2024-39494)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/exynos/vidi: fix memory leak in .get_modes()\r\n\r\nThe duplicated EDID is never freed. Fix it.(CVE-2024-40932)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: fix UBSAN warning in kv_dpm.c\r\n\r\nAdds bounds check for sumo_vid_mapping_entry.(CVE-2024-40988)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Validate ff offset\r\n\r\nThis adds sanity checks for ff offset. There is a check\non rt-\u0026gt;first_free at first, but walking through by ff\nwithout any check. If the second ff is a large offset.\nWe may encounter an out-of-bound read.(CVE-2024-41019)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: Fix UAF when resolving a clash\r\n\r\nKASAN reports the following UAF:\r\n\r\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\r\n\r\n Call Trace:\n  \u0026lt;IRQ\u0026gt;\n  dump_stack_lvl+0x48/0x70\n  print_address_description.constprop.0+0x33/0x3d0\n  print_report+0xc0/0x2b0\n  kasan_report+0xd0/0x120\n  __asan_load1+0x6c/0x80\n  tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n  tcf_ct_act+0x886/0x1350 [act_ct]\n  tcf_action_exec+0xf8/0x1f0\n  fl_classify+0x355/0x360 [cls_flower]\n  __tcf_classify+0x1fd/0x330\n  tcf_classify+0x21c/0x3c0\n  sch_handle_ingress.constprop.0+0x2c5/0x500\n  __netif_receive_skb_core.constprop.0+0xb25/0x1510\n  __netif_receive_skb_list_core+0x220/0x4c0\n  netif_receive_skb_list_internal+0x446/0x620\n  napi_complete_done+0x157/0x3d0\n  gro_cell_poll+0xcf/0x100\n  __napi_poll+0x65/0x310\n  net_rx_action+0x30c/0x5c0\n  __do_softirq+0x14f/0x491\n  __irq_exit_rcu+0x82/0xc0\n  irq_exit_rcu+0xe/0x20\n  common_interrupt+0xa1/0xb0\n  \u0026lt;/IRQ\u0026gt;\n  \u0026lt;TASK\u0026gt;\n  asm_common_interrupt+0x27/0x40\r\n\r\n Allocated by task 6469:\n  kasan_save_stack+0x38/0x70\n  kasan_set_track+0x25/0x40\n  kasan_save_alloc_info+0x1e/0x40\n  __kasan_krealloc+0x133/0x190\n  krealloc+0xaa/0x130\n  nf_ct_ext_add+0xed/0x230 [nf_conntrack]\n  tcf_ct_act+0x1095/0x1350 [act_ct]\n  tcf_action_exec+0xf8/0x1f0\n  fl_classify+0x355/0x360 [cls_flower]\n  __tcf_classify+0x1fd/0x330\n  tcf_classify+0x21c/0x3c0\n  sch_handle_ingress.constprop.0+0x2c5/0x500\n  __netif_receive_skb_core.constprop.0+0xb25/0x1510\n  __netif_receive_skb_list_core+0x220/0x4c0\n  netif_receive_skb_list_internal+0x446/0x620\n  napi_complete_done+0x157/0x3d0\n  gro_cell_poll+0xcf/0x100\n  __napi_poll+0x65/0x310\n  net_rx_action+0x30c/0x5c0\n  __do_softirq+0x14f/0x491\r\n\r\n Freed by task 6469:\n  kasan_save_stack+0x38/0x70\n  kasan_set_track+0x25/0x40\n  kasan_save_free_info+0x2b/0x60\n  ____kasan_slab_free+0x180/0x1f0\n  __kasan_slab_free+0x12/0x30\n  slab_free_freelist_hook+0xd2/0x1a0\n  __kmem_cache_free+0x1a2/0x2f0\n  kfree+0x78/0x120\n  nf_conntrack_free+0x74/0x130 [nf_conntrack]\n  nf_ct_destroy+0xb2/0x140 [nf_conntrack]\n  __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\n  nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n  __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\n  tcf_ct_act+0x12ad/0x1350 [act_ct]\n  tcf_action_exec+0xf8/0x1f0\n  fl_classify+0x355/0x360 [cls_flower]\n  __tcf_classify+0x1fd/0x330\n  tcf_classify+0x21c/0x3c0\n  sch_handle_ingress.constprop.0+0x2c5/0x500\n  __netif_receive_skb_core.constprop.0+0xb25/0x1510\n  __netif_receive_skb_list_core+0x220/0x4c0\n  netif_receive_skb_list_internal+0x446/0x620\n  napi_complete_done+0x157/0x3d0\n  gro_cell_poll+0xcf/0x100\n  __napi_poll+0x65/0x310\n  net_rx_action+0x30c/0x5c0\n  __do_softirq+0x14f/0x491\r\n\r\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack.(CVE-2024-41040)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\r\n\r\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\r\n\r\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb-\u0026gt;destructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\r\n\r\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table.  Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\r\n\r\n  CPU1                                 CPU2\n  ----                                 ----\n  udp_v4_early_demux()                 udp_lib_get_port()\n  |                                    |- hlist_add_head_rcu()\n  |- sk = __udp4_lib_demux_lookup()    |\n  |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n                                       `- sock_set_flag(sk, SOCK_RCU_FREE)\r\n\r\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\u0026quot;net:\nset SOCK_RCU_FREE before inserting socket into hashtable\u0026quot;).\r\n\r\nLet\u0026apos;s apply the same fix for UDP.\r\n\r\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe \u0026lt;0f\u0026gt; 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS:  00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n \u0026lt;TASK\u0026gt;\n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---(CVE-2024-41041)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nskmsg: Skip zero length skb in sk_msg_recvmsg\r\n\r\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\r\n\r\n  [...]\n  Oops[#1]:\n  CPU: 22 PID: 2824 Comm: test_progs Tainted: G           OE  6.10.0-rc2+ #18\n  Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n     ... ...\n     ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n    ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n   PRMD: 0000000c (PPLV0 +PIE +PWE)\n   EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n  ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n   BADV: 0000000000000040\n   PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n  Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n  Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n  Stack : ...\n  Call Trace:\n  [\u0026lt;9000000004162774\u0026gt;] copy_page_to_iter+0x74/0x1c0\n  [\u0026lt;90000000048bf6c0\u0026gt;] sk_msg_recvmsg+0x120/0x560\n  [\u0026lt;90000000049f2b90\u0026gt;] tcp_bpf_recvmsg_parser+0x170/0x4e0\n  [\u0026lt;90000000049aae34\u0026gt;] inet_recvmsg+0x54/0x100\n  [\u0026lt;900000000481ad5c\u0026gt;] sock_recvmsg+0x7c/0xe0\n  [\u0026lt;900000000481e1a8\u0026gt;] __sys_recvfrom+0x108/0x1c0\n  [\u0026lt;900000000481e27c\u0026gt;] sys_recvfrom+0x1c/0x40\n  [\u0026lt;9000000004c076ec\u0026gt;] do_syscall+0x8c/0xc0\n  [\u0026lt;9000000003731da4\u0026gt;] handle_syscall+0xc4/0x160\n  Code: ...\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: Fatal exception\n  Kernel relocated by 0x3510000\n   .text @ 0x9000000003710000\n   .data @ 0x9000000004d70000\n   .bss  @ 0x9000000006469400\n  ---[ end Kernel panic - not syncing: Fatal exception ]---\n  [...]\r\n\r\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\r\n\r\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb-\u0026gt;len == 0) was put on the queue.\r\n\r\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\r\n\r\n\tshutdown(p1, SHUT_WR);\r\n\r\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\r\n\r\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\r\n\r\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it\u0026apos;s a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.(CVE-2024-41048)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfilelock: fix potential use-after-free in posix_lock_inode\r\n\r\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\nThe request pointer had been changed earlier to point to a lock entry\nthat was added to the inode\u0026apos;s list. However, before the tracepoint could\nfire, another task raced in and freed that lock.\r\n\r\nFix this by moving the tracepoint inside the spinlock, which should\nensure that this doesn\u0026apos;t happen.(CVE-2024-41049)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\r\n\r\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev-\u0026gt;req_workqueue which destroy_workqueue() needs to flush.\r\n\r\nWe need to make sure that hdev-\u0026gt;{rx_work,cmd_work,tx_work} which are\nqueued into hdev-\u0026gt;workqueue and hdev-\u0026gt;{power_on,error_reset} which are\nqueued into hdev-\u0026gt;req_workqueue are no longer running by the moment\r\n\r\n       destroy_workqueue(hdev-\u0026gt;workqueue);\n       destroy_workqueue(hdev-\u0026gt;req_workqueue);\r\n\r\nare called from hci_release_dev().\r\n\r\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev-\u0026gt;list is removed from hci_dev_list.(CVE-2024-41063)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: topology: Fix references to freed memory\r\n\r\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed.(CVE-2024-41069)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\r\n\r\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\nwhich acquires the sqd-\u0026gt;lock without releasing the uring_lock.\nSimilar to the commit 009ad9f0c6ee (\u0026quot;io_uring: drop ctx-\u0026gt;uring_lock\nbefore acquiring sqd-\u0026gt;lock\u0026quot;), this can lead to a potential deadlock\nsituation.\r\n\r\nTo resolve this issue, the uring_lock is released before calling\nio_put_sq_data(), and then it is re-acquired after the function call.\r\n\r\nThis change ensures that the locks are acquired in the correct\norder, preventing the possibility of a deadlock.(CVE-2024-41080)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntap: add missing verification for short frame\r\n\r\nThe cited commit missed to check against the validity of the frame length\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\nsent downstack. Even before the skb is transmitted, the\ntap_get_user_xdp()--\u0026gt;skb_set_network_header() may assume the size is more\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\naccess beyond the actual length, or confuse the underlayer with incorrect\nor inconsistent header length in the skb metadata.\r\n\r\nIn the alternative path, tap_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted.\r\n\r\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tap_get_user() does.\r\n\r\nCVE: CVE-2024-41090(CVE-2024-41090)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntun: add missing verification for short frame\r\n\r\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one--\u0026gt;eth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\r\n\r\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\r\n\r\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\r\n\r\nCVE: CVE-2024-41091(CVE-2024-41091)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\r\n\r\nset_memory_rox() can fail, leaving memory unprotected.\r\n\r\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\nan error.(CVE-2024-42067)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: chemical: bme680: Fix overflows in compensate() functions\r\n\r\nThere are cases in the compensate functions of the driver that\nthere could be overflows of variables due to bit shifting ops.\nThese implications were initially discussed here [1] and they\nwere mentioned in log message of Commit 1b3bd8592780 (\u0026quot;iio:\nchemical: Add support for Bosch BME680 sensor\u0026quot;).\r\n\r\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/(CVE-2024-42086)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: emux: improve patch ioctl data validation\r\n\r\nIn load_data(), make the validation of and skipping over the main info\nblock match that in load_guspatch().\r\n\r\nIn load_guspatch(), add checking that the specified patch length matches\nthe actually supplied data, like load_data() already did.(CVE-2024-42097)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njffs2: Fix potential illegal address access in jffs2_free_inode\r\n\r\nDuring the stress testing of the jffs2 file system,the following\nabnormal printouts were found:\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\n[ 2430.649622] Mem abort info:\n[ 2430.649829]   ESR = 0x96000004\n[ 2430.650115]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2430.650564]   SET = 0, FnV = 0\n[ 2430.650795]   EA = 0, S1PTW = 0\n[ 2430.651032]   FSC = 0x04: level 0 translation fault\n[ 2430.651446] Data abort info:\n[ 2430.651683]   ISV = 0, ISS = 0x00000004\n[ 2430.652001]   CM = 0, WnR = 0\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2430.656142] pc : kfree+0x78/0x348\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\n[ 2430.657051] sp : ffff800009eebd10\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\n[ 2430.664217] Call trace:\n[ 2430.664528]  kfree+0x78/0x348\n[ 2430.664855]  jffs2_free_inode+0x24/0x48\n[ 2430.665233]  i_callback+0x24/0x50\n[ 2430.665528]  rcu_do_batch+0x1ac/0x448\n[ 2430.665892]  rcu_core+0x28c/0x3c8\n[ 2430.666151]  rcu_core_si+0x18/0x28\n[ 2430.666473]  __do_softirq+0x138/0x3cc\n[ 2430.666781]  irq_exit+0xf0/0x110\n[ 2430.667065]  handle_domain_irq+0x6c/0x98\n[ 2430.667447]  gic_handle_irq+0xac/0xe8\n[ 2430.667739]  call_on_irq_stack+0x28/0x54\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\nfunction jffs2_i_init_once, while other members are initialized in\nthe function jffs2_init_inode_info.\r\n\r\nThe function jffs2_init_inode_info is called after iget_locked,\nbut in the iget_locked function, the destroy_inode process is triggered,\nwhich releases the inode and consequently, the target member of the inode\nis not initialized.In concurrent high pressure scenarios, iget_locked\nmay enter the destroy_inode branch as described in the code.\r\n\r\nSince the destroy_inode functionality of jffs2 only releases the target,\nthe fix method is to set target to NULL in jffs2_i_init_once.(CVE-2024-42115)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\r\n\r\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module\u0026apos;s remove() is done.\nled_classdev_unregister() calls module\u0026apos;s led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module\u0026apos;s remove() so use devm API instead.(CVE-2024-42129)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\r\n\r\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n   need to have a separate value of 0xffffffff.(Christian)(CVE-2024-42228)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nexthop: Initialize all fields in dumped nexthops\r\n\r\nstruct nexthop_grp contains two reserved fields that are not initialized by\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\nstrace (edited for clarity):\r\n\r\n    # ip nexthop add id 1 dev lo\n    # ip nexthop add id 101 group 1\n    # strace -e recvmsg ip nexthop get id 101\n    ...\n    recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\n                 [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\r\n\r\nThe fields are reserved and therefore not currently used. But as they are, they\nleak kernel memory, and the fact they are not just zero complicates repurposing\nof the fields for new ends. Initialize the full structure.(CVE-2024-42283)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nirqchip/imx-irqsteer: Handle runtime power management correctly\r\n\r\nThe power domain is automatically activated from clk_prepare(). However, on\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\nsleeping functions, which triggers the \u0026apos;scheduling while atomic\u0026apos; bug in the\ncontext switch path during device probing:\r\n\r\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\n Call trace:\n  __schedule_bug+0x54/0x6c\n  __schedule+0x7f0/0xa94\n  schedule+0x5c/0xc4\n  schedule_preempt_disabled+0x24/0x40\n  __mutex_lock.constprop.0+0x2c0/0x540\n  __mutex_lock_slowpath+0x14/0x20\n  mutex_lock+0x48/0x54\n  clk_prepare_lock+0x44/0xa0\n  clk_prepare+0x20/0x44\n  imx_irqsteer_resume+0x28/0xe0\n  pm_generic_runtime_resume+0x2c/0x44\n  __genpd_runtime_resume+0x30/0x80\n  genpd_runtime_resume+0xc8/0x2c0\n  __rpm_callback+0x48/0x1d8\n  rpm_callback+0x6c/0x78\n  rpm_resume+0x490/0x6b4\n  __pm_runtime_resume+0x50/0x94\n  irq_chip_pm_get+0x2c/0xa0\n  __irq_do_set_handler+0x178/0x24c\n  irq_set_chained_handler_and_data+0x60/0xa4\n  mxc_gpio_probe+0x160/0x4b0\r\n\r\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\ncallbacks and handle power management in them as they are invoked from\nnon-atomic context.\r\n\r\n[ tglx: Rewrote change log, added Fixes tag ](CVE-2024-42290)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nudf: Avoid using corrupted block bitmap buffer\r\n\r\nWhen the filesystem block bitmap is corrupted, we detect the corruption\nwhile loading the bitmap and fail the allocation with error. However the\nnext allocation from the same bitmap will notice the bitmap buffer is\nalready loaded and tries to allocate from the bitmap with mixed results\n(depending on the exact nature of the bitmap corruption). Fix the\nproblem by using BH_verified bit to indicate whether the bitmap is valid\nor not.(CVE-2024-42306)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\r\n\r\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2024-42309)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: venus: fix use after free in vdec_close\r\n\r\nThere appears to be a possible use after free with vdec_close().\nThe firmware will add buffer release work to the work queue through\nHFI callbacks as a normal part of decoding. Randomly closing the\ndecoder device from userspace during normal decoding can incur\na read after free for inst.\r\n\r\nFix it by cancelling the work in vdec_close.(CVE-2024-42313)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipvs: properly dereference pe in ip_vs_add_service\r\n\r\nUse pe directly to resolve sparse warning:\r\n\r\n  net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression(CVE-2024-42322)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\r\n\r\nIf IORESOURCE_MEM is not provided in Device Tree due to\nany error, resource_list_first_type() will return NULL and\npci_parse_request_of_pci_ranges() will just emit a warning.\r\n\r\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\nreturn check.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-43823)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nleds: trigger: Unregister sysfs attributes before calling deactivate()\r\n\r\nTriggers which have trigger specific sysfs attributes typically store\nrelated data in trigger-data allocated by the activate() callback and\nfreed by the deactivate() callback.\r\n\r\nCalling device_remove_groups() after calling deactivate() leaves a window\nwhere the sysfs attributes show/store functions could be called after\ndeactivation and then operate on the just freed trigger-data.\r\n\r\nMove the device_remove_groups() call to before deactivate() to close\nthis race window.\r\n\r\nThis also makes the deactivation path properly do things in reverse order\nof the activation path which calls the activate() callback before calling\ndevice_add_groups().(CVE-2024-43830)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG\r\n\r\nWhen BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls\n__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them\nthe struct bpf_tramp_image *im pointer as an argument in R0.\r\n\r\nThe trampoline generation code uses emit_addr_mov_i64() to emit\ninstructions for moving the bpf_tramp_image address into R0, but\nemit_addr_mov_i64() assumes the address to be in the vmalloc() space\nand uses only 48 bits. Because bpf_tramp_image is allocated using\nkzalloc(), its address can use more than 48-bits, in this case the\ntrampoline will pass an invalid address to __bpf_tramp_enter/exit()\ncausing a kernel crash.\r\n\r\nFix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64()\nas it can work with addresses that are greater than 48-bits.(CVE-2024-43840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix deadlock between mddev_suspend and flush bio\r\n\r\nDeadlock occurs when mddev is being suspended while some flush bio is in\nprogress. It is a complex issue.\r\n\r\nT1. the first flush is at the ending stage, it clears \u0026apos;mddev-\u0026gt;flush_bio\u0026apos;\n    and tries to submit data, but is blocked because mddev is suspended\n    by T4.\nT2. the second flush sets \u0026apos;mddev-\u0026gt;flush_bio\u0026apos;, and attempts to queue\n    md_submit_flush_data(), which is already running (T1) and won\u0026apos;t\n    execute again if on the same CPU as T1.\nT3. the third flush inc active_io and tries to flush, but is blocked because\n    \u0026apos;mddev-\u0026gt;flush_bio\u0026apos; is not NULL (set by T2).\nT4. mddev_suspend() is called and waits for active_io dec to 0 which is inc\n    by T3.\r\n\r\n  T1\t\tT2\t\tT3\t\tT4\n  (flush 1)\t(flush 2)\t(third 3)\t(suspend)\n  md_submit_flush_data\n   mddev-\u0026gt;flush_bio = NULL;\n   .\n   .\t \tmd_flush_request\n   .\t  \t mddev-\u0026gt;flush_bio = bio\n   .\t  \t queue submit_flushes\n   .\t\t .\n   .\t\t .\t\tmd_handle_request\n   .\t\t .\t\t active_io + 1\n   .\t\t .\t\t md_flush_request\n   .\t\t .\t\t  wait !mddev-\u0026gt;flush_bio\n   .\t\t .\n   .\t\t .\t\t\t\tmddev_suspend\n   .\t\t .\t\t\t\t wait !active_io\n   .\t\t .\n   .\t\t submit_flushes\n   .\t\t queue_work md_submit_flush_data\n   .\t\t //md_submit_flush_data is already running (T1)\n   .\n   md_handle_request\n    wait resume\r\n\r\nThe root issue is non-atomic inc/dec of active_io during flush process.\nactive_io is dec before md_submit_flush_data is queued, and inc soon\nafter md_submit_flush_data() run.\n  md_flush_request\n    active_io + 1\n    submit_flushes\n      active_io - 1\n      md_submit_flush_data\n        md_handle_request\n        active_io + 1\n          make_request\n        active_io - 1\r\n\r\nIf active_io is dec after md_handle_request() instead of within\nsubmit_flushes(), make_request() can be called directly intead of\nmd_handle_request() in md_submit_flush_data(), and active_io will\nonly inc and dec once in the whole flush process. Deadlock will be\nfixed.\r\n\r\nAdditionally, the only difference between fixing the issue and before is\nthat there is no return error handling of make_request(). But after\nprevious patch cleaned md_write_start(), make_requst() only return error\nin raid5_make_request() by dm-raid, see commit 41425f96d7aa (\u0026quot;dm-raid456,\nmd/raid456: fix a deadlock for dm-raid456 while io concurrent with\nreshape)\u0026quot;. Since dm always splits data and flush operation into two\nseparate io, io size of flush submitted by dm always is 0, make_request()\nwill not be called in md_submit_flush_data(). To prevent future\nmodifications from introducing issues, add WARN_ON to ensure\nmake_request() no error is returned in this context.(CVE-2024-43855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/hns: Fix soft lockup under heavy CEQE load\r\n\r\nCEQEs are handled in interrupt handler currently. This may cause the\nCPU core staying in interrupt context too long and lead to soft lockup\nunder heavy load.\r\n\r\nHandle CEQEs in BH workqueue and set an upper limit for the number of\nCEQE handled by a single call of work handler.(CVE-2024-43872)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmemcg: protect concurrent access to mem_cgroup_idr\r\n\r\nCommit 73f576c04b94 (\u0026quot;mm: memcontrol: fix cgroup creation failure after\nmany small jobs\u0026quot;) decoupled the memcg IDs from the CSS ID space to fix the\ncgroup creation failures.  It introduced IDR to maintain the memcg ID\nspace.  The IDR depends on external synchronization mechanisms for\nmodifications.  For the mem_cgroup_idr, the idr_alloc() and idr_replace()\nhappen within css callback and thus are protected through cgroup_mutex\nfrom concurrent modifications.  However idr_remove() for mem_cgroup_idr\nwas not protected against concurrency and can be run concurrently for\ndifferent memcgs when they hit their refcnt to zero.  Fix that.\r\n\r\nWe have been seeing list_lru based kernel crashes at a low frequency in\nour fleet for a long time.  These crashes were in different part of\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\ncode.  Upon further inspection, it looked like for a given object (dentry\nand inode), the super_block\u0026apos;s list_lru didn\u0026apos;t have list_lru_one for the\nmemcg of that object.  The initial suspicions were either the object is\nnot allocated through kmem_cache_alloc_lru() or somehow\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\nreturned success.  No evidence were found for these cases.\r\n\r\nLooking more deeply, we started seeing situations where valid memcg\u0026apos;s id\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\nhave same id and mem_cgroup_idr is pointing to one of them.  So, the most\nreasonable explanation is that these situations can happen due to race\nbetween multiple idr_remove() calls or race between\nidr_alloc()/idr_replace() and idr_remove().  These races are causing\nmultiple memcgs to acquire the same ID and then offlining of one of them\nwould cleanup list_lrus on the system for all of them.  Later access from\nother memcgs to the list_lru cause crashes due to missing list_lru_one.(CVE-2024-43892)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: core: check uartclk for zero to avoid divide by zero\r\n\r\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\nresult in uartclk being zero, which will result in a\ndivide by zero error in uart_get_divisor(). The check for\nuartclk being zero in uart_set_info() needs to be done\nbefore other settings are made as subsequent calls to\nioctl TIOCSSERIAL for the same port would be impacted if\nthe uartclk check was done where uartclk gets set.\r\n\r\nOops: divide error: 0000  PREEMPT SMP KASAN PTI\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\nCall Trace:\n \u0026lt;TASK\u0026gt;\nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\n    drivers/tty/serial/8250/8250_port.c:2589)\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\n    drivers/tty/serial/8250/8250_port.c:2741)\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\nuart_change_line_settings (./include/linux/spinlock.h:376\n    ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\nuart_startup (drivers/tty/serial/serial_core.c:368)\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\ntty_set_serial (drivers/tty/tty_io.c:2637)\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\n    fs/ioctl.c:893 fs/ioctl.c:893)\ndo_syscall_64 (arch/x86/entry/common.c:52\n    (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\nRule: add(CVE-2024-43893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfou: remove warn in gue_gro_receive on unsupported protocol\r\n\r\nDrop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is\nnot known or does not have a GRO handler.\r\n\r\nSuch a packet is easily constructed. Syzbot generates them and sets\noff this warning.\r\n\r\nRemove the warning as it is expected and not actionable.\r\n\r\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\ncommit 270136613bf7 (\u0026quot;fou: Do WARN_ON_ONCE in gue_gro_receive for bad\nproto callbacks\u0026quot;).(CVE-2024-44940)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: line6: Fix racy access to midibuf\r\n\r\nThere can be concurrent accesses to line6 midibuf from both the URB\ncompletion callback and the rawmidi API access.  This could be a cause\nof KMSAN warning triggered by syzkaller below (so put as reported-by\nhere).\r\n\r\nThis patch protects the midibuf call of the former code path with a\nspinlock for avoiding the possible races.(CVE-2024-44954)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\natm: idt77252: prevent use after free in dequeue_rx()\r\n\r\nWe can\u0026apos;t dereference \u0026quot;skb\u0026quot; after calling vcc-\u0026gt;push() because the skb\nis released.(CVE-2024-44998)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxhci: Fix Panther point NULL pointer deref at full-speed re-enumeration\r\n\r\nre-enumerating full-speed devices after a failed address device command\ncan trigger a NULL pointer dereference.\r\n\r\nFull-speed devices may need to reconfigure the endpoint 0 Max Packet Size\nvalue during enumeration. Usb core calls usb_ep0_reinit() in this case,\nwhich ends up calling xhci_configure_endpoint().\r\n\r\nOn Panther point xHC the xhci_configure_endpoint() function will\nadditionally check and reserve bandwidth in software. Other hosts do\nthis in hardware\r\n\r\nIf xHC address device command fails then a new xhci_virt_device structure\nis allocated as part of re-enabling the slot, but the bandwidth table\npointers are not set up properly here.\nThis triggers the NULL pointer dereference the next time usb_ep0_reinit()\nis called and xhci_configure_endpoint() tries to check and reserve\nbandwidth\r\n\r\n[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd\n[46710.713699] usb 3-1: Device not responding to setup address.\n[46710.917684] usb 3-1: Device not responding to setup address.\n[46711.125536] usb 3-1: device not accepting address 5, error -71\n[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[46711.125600] #PF: supervisor read access in kernel mode\n[46711.125603] #PF: error_code(0x0000) - not-present page\n[46711.125606] PGD 0 P4D 0\n[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1\n[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.\n[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]\n[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c\r\n\r\nFix this by making sure bandwidth table pointers are set up correctly\nafter a failed address device command, and additionally by avoiding\nchecking for bandwidth in cases like this where no actual endpoints are\nadded or removed, i.e. only context for default control endpoint 0 is\nevaluated.(CVE-2024-45006)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: fix error recovery leading to data corruption on ESE devices\r\n\r\nExtent Space Efficient (ESE) or thin provisioned volumes need to be\nformatted on demand during usual IO processing.\r\n\r\nThe dasd_ese_needs_format function checks for error codes that signal\nthe non existence of a proper track format.\r\n\r\nThe check for incorrect length is to imprecise since other error cases\nleading to transport of insufficient data also have this flag set.\nThis might lead to data corruption in certain error cases for example\nduring a storage server warmstart.\r\n\r\nFix by removing the check for incorrect length and replacing by\nexplicitly checking for invalid track format in transport mode.\r\n\r\nAlso remove the check for file protected since this is not a valid\nESE handling case.(CVE-2024-45026)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: pn533: Add poll mod list filling check\r\n\r\nIn case of im_protocols value is 1 and tm_protocols value is 0 this\ncombination successfully passes the check\n\u0026apos;if (!im_protocols \u0026amp;\u0026amp; !tm_protocols)\u0026apos; in the nfc_start_poll().\nBut then after pn533_poll_create_mod_list() call in pn533_start_poll()\npoll mod list will remain empty and dev-\u0026gt;poll_mod_count will remain 0\nwhich lead to division by zero.\r\n\r\nNormally no im protocol has value 1 in the mask, so this combination is\nnot expected by driver. But these protocol values actually come from\nuserspace via Netlink interface (NFC_CMD_START_POLL operation). So a\nbroken or malicious program may pass a message containing a \u0026quot;bad\u0026quot;\ncombination of protocol parameter values so that dev-\u0026gt;poll_mod_count\nis not incremented inside pn533_poll_create_mod_list(), thus leading\nto division by zero.\nCall trace looks like:\nnfc_genl_start_poll()\n  nfc_start_poll()\n    -\u0026gt;start_poll()\n    pn533_start_poll()\r\n\r\nAdd poll mod list filling check.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-46676)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: ucsi: Fix null pointer dereference in trace\r\n\r\nucsi_register_altmode checks IS_ERR for the alt pointer and treats\nNULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled,\nucsi_register_displayport returns NULL which causes a NULL pointer\ndereference in trace. Rather than return NULL, call\ntypec_port_register_altmode to register DisplayPort alternate mode\nas a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled.(CVE-2024-46719)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Remove tst_run from lwt_seg6local_prog_ops.\r\n\r\nThe syzbot reported that the lwt_seg6 related BPF ops can be invoked\nvia bpf_test_run() without without entering input_action_end_bpf()\nfirst.\r\n\r\nMartin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL\nprobably didn\u0026apos;t work since it was introduced in commit 04d4b274e2a\n(\u0026quot;ipv6: sr: Add seg6local action End.BPF\u0026quot;). The reason is that the\nper-CPU variable seg6_bpf_srh_states::srh is never assigned in the self\ntest case but each BPF function expects it.\r\n\r\nRemove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.(CVE-2024-46754)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nice: Add netif_device_attach/detach into PF reset flow\r\n\r\nEthtool callbacks can be executed while reset is in progress and try to\naccess deleted resources, e.g. getting coalesce settings can result in a\nNULL pointer dereference seen below.\r\n\r\nReproduction steps:\nOnce the driver is fully initialized, trigger reset:\n\t# echo 1 \u0026gt; /sys/class/net/\u0026lt;interface\u0026gt;/device/reset\nwhen reset is in progress try to get coalesce settings using ethtool:\n\t# ethtool -c \u0026lt;interface\u0026gt;\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000020\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP PTI\nCPU: 11 PID: 19713 Comm: ethtool Tainted: G S                 6.10.0-rc7+ #7\nRIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]\nRSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206\nRAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000\nR13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40\nFS:  00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0\nCall Trace:\n\u0026lt;TASK\u0026gt;\nice_get_coalesce+0x17/0x30 [ice]\ncoalesce_prepare_data+0x61/0x80\nethnl_default_doit+0xde/0x340\ngenl_family_rcv_msg_doit+0xf2/0x150\ngenl_rcv_msg+0x1b3/0x2c0\nnetlink_rcv_skb+0x5b/0x110\ngenl_rcv+0x28/0x40\nnetlink_unicast+0x19c/0x290\nnetlink_sendmsg+0x222/0x490\n__sys_sendto+0x1df/0x1f0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x82/0x160\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7faee60d8e27\r\n\r\nCalling netif_device_detach() before reset makes the net core not call\nthe driver when ethtool command is issued, the attempt to execute an\nethtool command during reset will result in the following message:\r\n\r\n    netlink error: No such device\r\n\r\ninstead of NULL pointer dereference. Once reset is done and\nice_rebuild() is executing, the netif_device_attach() is called to allow\nfor ethtool operations to occur again in a safe manner.(CVE-2024-46770)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: unset the binding mark of a reused connection\r\n\r\nSteve French reported null pointer dereference error from sha256 lib.\ncifs.ko can send session setup requests on reused connection.\nIf reused connection is used for binding session, conn-\u0026gt;binding can\nstill remain true and generate_preauth_hash() will not set\nsess-\u0026gt;Preauth_HashValue and it will be NULL.\nIt is used as a material to create an encryption key in\nksmbd_gen_smb311_encryptionkey. -\u0026gt;Preauth_HashValue cause null pointer\ndereference error from crypto_shash_update().\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 8 PID: 429254 Comm: kworker/8:39\nHardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )\nWorkqueue: ksmbd-io handle_ksmbd_work [ksmbd]\nRIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]\n\u0026lt;TASK\u0026gt;\n? show_regs+0x6d/0x80\n? __die+0x24/0x80\n? page_fault_oops+0x99/0x1b0\n? do_user_addr_fault+0x2ee/0x6b0\n? exc_page_fault+0x83/0x1b0\n? asm_exc_page_fault+0x27/0x30\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n_sha256_update+0x77/0xa0 [sha256_ssse3]\nsha256_avx2_update+0x15/0x30 [sha256_ssse3]\ncrypto_shash_update+0x1e/0x40\nhmac_update+0x12/0x20\ncrypto_shash_update+0x1e/0x40\ngenerate_key+0x234/0x380 [ksmbd]\ngenerate_smb3encryptionkey+0x40/0x1c0 [ksmbd]\nksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]\nntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]\nsmb2_sess_setup+0x952/0xaa0 [ksmbd]\n__process_request+0xa3/0x1d0 [ksmbd]\n__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]\nhandle_ksmbd_work+0x2d/0xa0 [ksmbd]\nprocess_one_work+0x16c/0x350\nworker_thread+0x306/0x440\n? __pfx_worker_thread+0x10/0x10\nkthread+0xef/0x120\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x44/0x70\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n\u0026lt;/TASK\u0026gt;(CVE-2024-46795)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: the warning dereferencing obj for nbio_v7_4\r\n\r\nif ras_manager obj null, don\u0026apos;t print NBIO err data(CVE-2024-46819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nELF: fix kernel.randomize_va_space double read\r\n\r\nELF loader uses \u0026quot;randomize_va_space\u0026quot; twice. It is sysctl and can change\nat any moment, so 2 loads could see 2 different values in theory with\nunpredictable consequences.\r\n\r\nIssue exactly one load for consistent value across one exec.(CVE-2024-46826)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsched: sch_cake: fix bulk flow accounting logic for host fairness\r\n\r\nIn sch_cake, we keep track of the count of active bulk flows per host,\nwhen running in dst/src host fairness mode, which is used as the\nround-robin weight when iterating through flows. The count of active\nbulk flows is updated whenever a flow changes state.\r\n\r\nThis has a peculiar interaction with the hash collision handling: when a\nhash collision occurs (after the set-associative hashing), the state of\nthe hash bucket is simply updated to match the new packet that collided,\nand if host fairness is enabled, that also means assigning new per-host\nstate to the flow. For this reason, the bulk flow counters of the\nhost(s) assigned to the flow are decremented, before new state is\nassigned (and the counters, which may not belong to the same host\nanymore, are incremented again).\r\n\r\nBack when this code was introduced, the host fairness mode was always\nenabled, so the decrement was unconditional. When the configuration\nflags were introduced the *increment* was made conditional, but\nthe *decrement* was not. Which of course can lead to a spurious\ndecrement (and associated wrap-around to U16_MAX).\r\n\r\nAFAICT, when host fairness is disabled, the decrement and wrap-around\nhappens as soon as a hash collision occurs (which is not that common in\nitself, due to the set-associative hashing). However, in most cases this\nis harmless, as the value is only used when host fairness mode is\nenabled. So in order to trigger an array overflow, sch_cake has to first\nbe configured with host fairness disabled, and while running in this\nmode, a hash collision has to occur to cause the overflow. Then, the\nqdisc has to be reconfigured to enable host fairness, which leads to the\narray out-of-bounds because the wrapped-around value is retained and\nused as an array index. It seems that syzbot managed to trigger this,\nwhich is quite impressive in its own right.\r\n\r\nThis patch fixes the issue by introducing the same conditional check on\ndecrement as is used on increment.\r\n\r\nThe original bug predates the upstreaming of cake, but the commit listed\nin the Fixes tag touched that code, meaning that this patch won\u0026apos;t apply\nbefore that.(CVE-2024-46828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: clean up our handling of refs == 0 in snapshot delete\r\n\r\nIn reada we BUG_ON(refs == 0), which could be unkind since we aren\u0026apos;t\nholding a lock on the extent leaf and thus could get a transient\nincorrect answer.  In walk_down_proc we also BUG_ON(refs == 0), which\ncould happen if we have extent tree corruption.  Change that to return\n-EUCLEAN.  In do_walk_down() we catch this case and handle it correctly,\nhowever we return -EIO, which -EUCLEAN is a more appropriate error code.\nFinally in walk_up_proc we have the same BUG_ON(refs == 0), so convert\nthat to proper error handling.  Also adjust the error message so we can\nactually do something with the information.(CVE-2024-46840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/intel: Limit the period on Haswell\r\n\r\nRunning the ltp test cve-2015-3290 concurrently reports the following\nwarnings.\r\n\r\nperfevents: irq loop stuck!\n  WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174\n  intel_pmu_handle_irq+0x285/0x370\n  Call Trace:\n   \u0026lt;NMI\u0026gt;\n   ? __warn+0xa4/0x220\n   ? intel_pmu_handle_irq+0x285/0x370\n   ? __report_bug+0x123/0x130\n   ? intel_pmu_handle_irq+0x285/0x370\n   ? __report_bug+0x123/0x130\n   ? intel_pmu_handle_irq+0x285/0x370\n   ? report_bug+0x3e/0xa0\n   ? handle_bug+0x3c/0x70\n   ? exc_invalid_op+0x18/0x50\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? irq_work_claim+0x1e/0x40\n   ? intel_pmu_handle_irq+0x285/0x370\n   perf_event_nmi_handler+0x3d/0x60\n   nmi_handle+0x104/0x330\r\n\r\nThanks to Thomas Gleixner\u0026apos;s analysis, the issue is caused by the low\ninitial period (1) of the frequency estimation algorithm, which triggers\nthe defects of the HW, specifically erratum HSW11 and HSW143. (For the\ndetails, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/)\r\n\r\nThe HSW11 requires a period larger than 100 for the INST_RETIRED.ALL\nevent, but the initial period in the freq mode is 1. The erratum is the\nsame as the BDM11, which has been supported in the kernel. A minimum\nperiod of 128 is enforced as well on HSW.\r\n\r\nHSW143 is regarding that the fixed counter 1 may overcount 32 with the\nHyper-Threading is enabled. However, based on the test, the hardware\nhas more issues than it tells. Besides the fixed counter 1, the message\n\u0026apos;interrupt took too long\u0026apos; can be observed on any counter which was armed\nwith a period \u0026lt; 32 and two events expired in the same NMI. A minimum\nperiod of 32 is enforced for the rest of the events.\nThe recommended workaround code of the HSW143 is not implemented.\nBecause it only addresses the issue for the fixed counter. It brings\nextra overhead through extra MSR writing. No related overcounting issue\nhas been reported so far.(CVE-2024-46848)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: dpaa: Pad packets to ETH_ZLEN\r\n\r\nWhen sending packets under 60 bytes, up to three bytes of the buffer\nfollowing the data may be leaked. Avoid this by extending all packets to\nETH_ZLEN, ensuring nothing is leaked in the padding. This bug can be\nreproduced by running\r\n\r\n\t$ ping -s 11 destination(CVE-2024-46854)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_socket: fix sk refcount leaks\r\n\r\nWe must put \u0026apos;sk\u0026apos; reference before returning.(CVE-2024-46855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: pm: Fix uaf in __timer_delete_sync\r\n\r\nThere are two paths to access mptcp_pm_del_add_timer, result in a race\ncondition:\r\n\r\n     CPU1\t\t\t\tCPU2\n     ====                               ====\n     net_rx_action\n     napi_poll                          netlink_sendmsg\n     __napi_poll                        netlink_unicast\n     process_backlog                    netlink_unicast_kernel\n     __netif_receive_skb                genl_rcv\n     __netif_receive_skb_one_core       netlink_rcv_skb\n     NF_HOOK                            genl_rcv_msg\n     ip_local_deliver_finish            genl_family_rcv_msg\n     ip_protocol_deliver_rcu            genl_family_rcv_msg_doit\n     tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit\n     tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list\n     tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows\n     tcp_data_queue                     remove_anno_list_by_saddr\n     mptcp_incoming_options             mptcp_pm_del_add_timer\n     mptcp_pm_del_add_timer             kfree(entry)\r\n\r\nIn remove_anno_list_by_saddr(running on CPU2), after leaving the critical\nzone protected by \u0026quot;pm.lock\u0026quot;, the entry will be released, which leads to the\noccurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).\r\n\r\nKeeping a reference to add_timer inside the lock, and calling\nsk_stop_timer_sync() with this reference, instead of \u0026quot;entry-\u0026gt;add_timer\u0026quot;.\r\n\r\nMove list_del(\u0026amp;entry-\u0026gt;list) to mptcp_pm_del_add_timer and inside the pm lock,\ndo not directly access any members of the entry outside the pm lock, which\ncan avoid similar \u0026quot;entry-\u0026gt;x\u0026quot; uaf.(CVE-2024-46858)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: stm32/cryp - call finalize with bh disabled\r\n\r\nThe finalize operation in interrupt mode produce a produces a spinlock\nrecursion warning. The reason is the fact that BH must be disabled\nduring this process.(CVE-2024-47658)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware\r\n\r\nIf the value of max_speed_hz is 0, it may cause a division by zero\nerror in hisi_calc_effective_speed().\nThe value of max_speed_hz is provided by firmware.\nFirmware is generally considered as a trusted domain. However, as\ndivision by zero errors can cause system failure, for defense measure,\nthe value of max_speed is validated here. So 0 is regarded as invalid\nand an error code is returned.(CVE-2024-47664)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: add bounds checking to ocfs2_xattr_find_entry()\r\n\r\nAdd a paranoia check to make sure it doesn\u0026apos;t stray beyond valid memory\nregion containing ocfs2 xattr entries when scanning for a match.  It will\nprevent out-of-bound access in case of crafted images.(CVE-2024-47670)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usbtmc: prevent kernel-usb-infoleak\r\n\r\nThe syzbot reported a kernel-usb-infoleak in usbtmc_write,\nwe need to clear the structure before filling fields.(CVE-2024-47671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: mvm: don\u0026apos;t wait for tx queues if firmware is dead\r\n\r\nThere is a WARNING in iwl_trans_wait_tx_queues_empty() (that was\nrecently converted from just a message), that can be hit if we\nwait for TX queues to become empty after firmware died. Clearly,\nwe can\u0026apos;t expect anything from the firmware after it\u0026apos;s declared dead.\r\n\r\nDon\u0026apos;t call iwl_trans_wait_tx_queues_empty() in this case. While it could\nbe a good idea to stop the flow earlier, the flush functions do some\nmaintenance work that is not related to the firmware, so keep that part\nof the code running even when the firmware is not running.\r\n\r\n[edit commit message](CVE-2024-47672)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-232.0.0.131.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","bpftool-debuginfo-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-debuginfo-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-debugsource-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-devel-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-headers-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-source-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-tools-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-tools-debuginfo-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","kernel-tools-devel-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","perf-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","perf-debuginfo-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","python3-perf-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm","python3-perf-debuginfo-5.10.0-232.0.0.131.oe2203sp4.aarch64.rpm"],"src":["kernel-5.10.0-232.0.0.131.oe2203sp4.src.rpm"],"x86_64":["bpftool-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","bpftool-debuginfo-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-debuginfo-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-debugsource-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-devel-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-headers-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-source-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-tools-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-tools-debuginfo-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","kernel-tools-devel-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","perf-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","perf-debuginfo-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","python3-perf-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm","python3-perf-debuginfo-5.10.0-232.0.0.131.oe2203sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2258"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47382"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48893"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35825"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35969"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36005"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36031"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36270"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36880"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36915"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36934"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36946"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38546"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38560"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38611"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38613"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38659"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39292"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39494"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40932"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40988"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41019"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41040"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41041"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41048"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41049"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41063"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41069"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41080"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41090"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41091"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42067"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42086"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42097"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42115"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42129"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42228"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42283"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42290"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42306"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42309"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42313"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42322"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43823"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43830"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43840"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43855"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43872"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43892"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43893"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44940"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44954"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44998"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45006"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45026"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46676"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46719"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46754"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46770"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46795"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46819"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46826"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46828"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46840"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46848"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46854"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46855"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46858"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47658"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47664"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47670"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47671"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47672"}],"database_specific":{"severity":"Critical"}}