LSN-0111-1

It was discovered that the watch_queue event notification system contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service or escalate their privileges.)(CVE-2022-0995)

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifsdebugfilesprocshow() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.)(CVE-2024-26928)

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2isvalidleasebreak() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.)(CVE-2024-35864)

In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero- initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.)(CVE-2024-50302)

In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: prevent the risk of out of memory access The dvbdev contains a static variable used to store dvb minors. The behavior of it depends if CONFIGDVBDYNAMICMINORS is set or not. When not set, dvbregisterdevice() won't check for boundaries, as it will rely that a previous call to dvbregisteradapter() would already be enforcing it. On a similar way, dvbdevice_open() uses the assumption that the register functions already did the needed checks. This can be fragile if some device ends using different calls. This also generate warnings on static check analysers like Coverity. So, add explicit guards to prevent potential risk of OOM issues.)(CVE-2024-53063)

In the Linux kernel, the following vulnerability has been resolved: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out.)(CVE-2024-56595)

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcgunpinonline() blkcgunpinonline() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcgparent(blkcg) but it was calling that after blkcgdestroyblkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcgunpinonline+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwbrelease cgwbreleaseworkfn Call Trace: <TASK> dumpstacklvl+0x27/0x80 printreport+0x151/0x710 kasanreport+0xc0/0x100 blkcgunpinonline+0x15a/0x270 cgwbreleaseworkfn+0x194/0x480 processscheduledworks+0x71b/0xe20 workerthread+0x82a/0xbd0 kthread+0x242/0x2c0 retfromfork+0x33/0x70 retfromforkasm+0x1a/0x30 </TASK> ... Freed by task 1944: kasansavetrack+0x2b/0x70 kasansavefreeinfo+0x3c/0x50 _kasanslabfree+0x33/0x50 kfree+0x10c/0x330 cssfreerworkfn+0xe6/0xb30 processscheduledworks+0x71b/0xe20 workerthread+0x82a/0xbd0 kthread+0x242/0x2c0 retfromfork+0x33/0x70 retfromforkasm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcgunpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.)(CVE-2024-56672)

In the Linux kernel, the following vulnerability has been resolved: drm/dpmst: Ensure mstprimary pointer is valid in drmdpmsthandleupreq() While receiving an MST up request message from one thread in drmdpmsthandleupreq(), the MST topology could be removed from another thread via drmdpmsttopologymgrsetmst(false), freeing mstprimary and setting drmdpmsttopologymgr::mstprimary to NULL. This could lead to a NULL deref/use-after-free of mstprimary in drmdpmsthandleupreq(). Avoid the above by holding a reference for mstprimary in drmdpmsthandleupreq() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.)(CVE-2024-57798)