Security Vulnerabilities - CVEs Published In December 2024
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix a memleak issue when driver is removed
Running "modprobe amdgpu" the second time (followed by a modprobe -r
amdgpu) causes a call trace like:
[ 845.212163] Memory manager not clean during takedown.
[ 845.212170] WARNING: CPU: 4 PID: 2481 at drivers/gpu/drm/drm_mm.c:999 drm_mm_takedown+0x2b/0x40
[ 845.212177] Modules linked in: amdgpu(OE-) amddrm_ttm_helper(OE) amddrm_buddy(OE) amdxcp(OE) amd_sched(OE) drm_exec drm_suballoc_helper drm_display_helper i2c_algo_bit amdttm(OE) amdkcl(OE) cec rc_core sunrpc qrtr intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi edac_mce_amd snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_usb_audio snd_hda_codec snd_usbmidi_lib kvm_amd snd_hda_core snd_ump mc snd_hwdep kvm snd_pcm snd_seq_midi snd_seq_midi_event irqbypass crct10dif_pclmul snd_rawmidi polyval_clmulni polyval_generic ghash_clmulni_intel sha256_ssse3 sha1_ssse3 snd_seq aesni_intel crypto_simd snd_seq_device cryptd snd_timer mfd_aaeon asus_nb_wmi eeepc_wmi joydev asus_wmi snd ledtrig_audio sparse_keymap ccp wmi_bmof input_leds k10temp i2c_piix4 platform_profile rapl soundcore gpio_amdpt mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid ahci xhci_pci igc crc32_pclmul libahci xhci_pci_renesas video
[ 845.212284] wmi [last unloaded: amddrm_ttm_helper(OE)]
[ 845.212290] CPU: 4 PID: 2481 Comm: modprobe Tainted: G W OE 6.8.0-31-generic #31-Ubuntu
[ 845.212296] RIP: 0010:drm_mm_takedown+0x2b/0x40
[ 845.212300] Code: 1f 44 00 00 48 8b 47 38 48 83 c7 38 48 39 f8 75 09 31 c0 31 ff e9 90 2e 86 00 55 48 c7 c7 d0 f6 8e 8a 48 89 e5 e8 f5 db 45 ff <0f> 0b 5d 31 c0 31 ff e9 74 2e 86 00 66 0f 1f 84 00 00 00 00 00 90
[ 845.212302] RSP: 0018:ffffb11302127ae0 EFLAGS: 00010246
[ 845.212305] RAX: 0000000000000000 RBX: ffff92aa5020fc08 RCX: 0000000000000000
[ 845.212307] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 845.212309] RBP: ffffb11302127ae0 R08: 0000000000000000 R09: 0000000000000000
[ 845.212310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
[ 845.212312] R13: ffff92aa50200000 R14: ffff92aa5020fb10 R15: ffff92aa5020faa0
[ 845.212313] FS: 0000707dd7c7c080(0000) GS:ffff92b93de00000(0000) knlGS:0000000000000000
[ 845.212316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 845.212318] CR2: 00007d48b0aee200 CR3: 0000000115a58000 CR4: 0000000000f50ef0
[ 845.212320] PKRU: 55555554
[ 845.212321] Call Trace:
[ 845.212323] <TASK>
[ 845.212328] ? show_regs+0x6d/0x80
[ 845.212333] ? __warn+0x89/0x160
[ 845.212339] ? drm_mm_takedown+0x2b/0x40
[ 845.212344] ? report_bug+0x17e/0x1b0
[ 845.212350] ? handle_bug+0x51/0xa0
[ 845.212355] ? exc_invalid_op+0x18/0x80
[ 845.212359] ? asm_exc_invalid_op+0x1b/0x20
[ 845.212366] ? drm_mm_takedown+0x2b/0x40
[ 845.212371] amdgpu_gtt_mgr_fini+0xa9/0x130 [amdgpu]
[ 845.212645] amdgpu_ttm_fini+0x264/0x340 [amdgpu]
[ 845.212770] amdgpu_bo_fini+0x2e/0xc0 [amdgpu]
[ 845.212894] gmc_v12_0_sw_fini+0x2a/0x40 [amdgpu]
[ 845.213036] amdgpu_device_fini_sw+0x11a/0x590 [amdgpu]
[ 845.213159] amdgpu_driver_release_kms+0x16/0x40 [amdgpu]
[ 845.213302] devm_drm_dev_init_release+0x5e/0x90
[ 845.213305] devm_action_release+0x12/0x30
[ 845.213308] release_nodes+0x42/0xd0
[ 845.213311] devres_release_all+0x97/0xe0
[ 845.213314] device_unbind_cleanup+0x12/0x80
[ 845.213317] device_release_driver_internal+0x230/0x270
[ 845.213319] ? srso_alias_return_thunk+0x5/0xfbef5
This is caused by lost memory during early init phase. First time driver
is removed, memory is freed but when second time the driver is inserted,
VBIOS dmub is not active, since the PSP policy is to retain the driver
loaded version on subsequent warm boots. Hence, communication with VBIOS
DMUB fails.
Fix this by aborting further comm
---truncated---
CVSS Score
5.5
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix use-after-free in device_for_each_child()
Syzbot has reported the following KASAN splat:
BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0
Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980
CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x190
? device_for_each_child+0x18f/0x1a0
print_report+0x13a/0x4cb
? __virt_addr_valid+0x5e/0x590
? __phys_addr+0xc6/0x150
? device_for_each_child+0x18f/0x1a0
kasan_report+0xda/0x110
? device_for_each_child+0x18f/0x1a0
? __pfx_dev_memalloc_noio+0x10/0x10
device_for_each_child+0x18f/0x1a0
? __pfx_device_for_each_child+0x10/0x10
pm_runtime_set_memalloc_noio+0xf2/0x180
netdev_unregister_kobject+0x1ed/0x270
unregister_netdevice_many_notify+0x123c/0x1d80
? __mutex_trylock_common+0xde/0x250
? __pfx_unregister_netdevice_many_notify+0x10/0x10
? trace_contention_end+0xe6/0x140
? __mutex_lock+0x4e7/0x8f0
? __pfx_lock_acquire.part.0+0x10/0x10
? rcu_is_watching+0x12/0xc0
? unregister_netdev+0x12/0x30
unregister_netdevice_queue+0x30d/0x3f0
? __pfx_unregister_netdevice_queue+0x10/0x10
? __pfx_down_write+0x10/0x10
unregister_netdev+0x1c/0x30
bnep_session+0x1fb3/0x2ab0
? __pfx_bnep_session+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __pfx_woken_wake_function+0x10/0x10
? __kthread_parkme+0x132/0x200
? __pfx_bnep_session+0x10/0x10
? kthread+0x13a/0x370
? __pfx_bnep_session+0x10/0x10
kthread+0x2b7/0x370
? __pfx_kthread+0x10/0x10
ret_from_fork+0x48/0x80
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 4974:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
__kmalloc_noprof+0x1d1/0x440
hci_alloc_dev_priv+0x1d/0x2820
__vhci_create_device+0xef/0x7d0
vhci_write+0x2c7/0x480
vfs_write+0x6a0/0xfc0
ksys_write+0x12f/0x260
do_syscall_64+0xc7/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 4979:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x4f/0x70
kfree+0x141/0x490
hci_release_dev+0x4d9/0x600
bt_host_release+0x6a/0xb0
device_release+0xa4/0x240
kobject_put+0x1ec/0x5a0
put_device+0x1f/0x30
vhci_release+0x81/0xf0
__fput+0x3f6/0xb30
task_work_run+0x151/0x250
do_exit+0xa79/0x2c30
do_group_exit+0xd5/0x2a0
get_signal+0x1fcd/0x2210
arch_do_signal_or_restart+0x93/0x780
syscall_exit_to_user_mode+0x140/0x290
do_syscall_64+0xd4/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f
In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when
an underlying (kobject) reference counter is greater than 1. This
means that reparenting (happened when the device is actually freed)
is delayed and, during that delay, parent controller device (hciX)
may be deleted. Since the latter may create a dangling pointer to
freed parent, avoid that scenario by reparenting to NULL explicitly.
CVSS Score
7.8
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btmtk: adjust the position to init iso data anchor
MediaTek iso data anchor init should be moved to where MediaTek
claims iso data interface.
If there is an unexpected BT usb disconnect during setup flow,
it will cause a NULL pointer crash issue when releasing iso
anchor since the anchor wasn't been init yet. Adjust the position
to do iso data anchor init.
[ 17.137991] pc : usb_kill_anchored_urbs+0x60/0x168
[ 17.137998] lr : usb_kill_anchored_urbs+0x44/0x168
[ 17.137999] sp : ffffffc0890cb5f0
[ 17.138000] x29: ffffffc0890cb5f0 x28: ffffff80bb6c2e80
[ 17.144081] gpio gpiochip0: registered chardev handle for 1 lines
[ 17.148421] x27: 0000000000000000
[ 17.148422] x26: ffffffd301ff4298 x25: 0000000000000003 x24: 00000000000000f0
[ 17.148424] x23: 0000000000000000 x22: 00000000ffffffff x21: 0000000000000001
[ 17.148425] x20: ffffffffffffffd8 x19: ffffff80c0f25560 x18: 0000000000000000
[ 17.148427] x17: ffffffd33864e408 x16: ffffffd33808f7c8 x15: 0000000000200000
[ 17.232789] x14: e0cd73cf80ffffff x13: 50f2137c0a0338c9 x12: 0000000000000001
[ 17.239912] x11: 0000000080150011 x10: 0000000000000002 x9 : 0000000000000001
[ 17.247035] x8 : 0000000000000000 x7 : 0000000000008080 x6 : 8080000000000000
[ 17.254158] x5 : ffffffd33808ebc0 x4 : fffffffe033dcf20 x3 : 0000000080150011
[ 17.261281] x2 : ffffff8087a91400 x1 : 0000000000000000 x0 : ffffff80c0f25588
[ 17.268404] Call trace:
[ 17.270841] usb_kill_anchored_urbs+0x60/0x168
[ 17.275274] btusb_mtk_release_iso_intf+0x2c/0xd8 [btusb (HASH:5afe 6)]
[ 17.284226] btusb_mtk_disconnect+0x14/0x28 [btusb (HASH:5afe 6)]
[ 17.292652] btusb_disconnect+0x70/0x140 [btusb (HASH:5afe 6)]
[ 17.300818] usb_unbind_interface+0xc4/0x240
[ 17.305079] device_release_driver_internal+0x18c/0x258
[ 17.310296] device_release_driver+0x1c/0x30
[ 17.314557] bus_remove_device+0x140/0x160
[ 17.318643] device_del+0x1c0/0x330
[ 17.322121] usb_disable_device+0x80/0x180
[ 17.326207] usb_disconnect+0xec/0x300
[ 17.329948] hub_quiesce+0x80/0xd0
[ 17.333339] hub_disconnect+0x44/0x190
[ 17.337078] usb_unbind_interface+0xc4/0x240
[ 17.341337] device_release_driver_internal+0x18c/0x258
[ 17.346551] device_release_driver+0x1c/0x30
[ 17.350810] usb_driver_release_interface+0x70/0x88
[ 17.355677] proc_ioctl+0x13c/0x228
[ 17.359157] proc_ioctl_default+0x50/0x80
[ 17.363155] usbdev_ioctl+0x830/0xd08
[ 17.366808] __arm64_sys_ioctl+0x94/0xd0
[ 17.370723] invoke_syscall+0x6c/0xf8
[ 17.374377] el0_svc_common+0x84/0xe0
[ 17.378030] do_el0_svc+0x20/0x30
[ 17.381334] el0_svc+0x34/0x60
[ 17.384382] el0t_64_sync_handler+0x88/0xf0
[ 17.388554] el0t_64_sync+0x180/0x188
[ 17.392208] Code: f9400677 f100a2f4 54fffea0 d503201f (b8350288)
[ 17.398289] ---[ end trace 0000000000000000 ]---
CVSS Score
5.5
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
ALSA: 6fire: Release resources at card release
The current 6fire code tries to release the resources right after the
call of usb6fire_chip_abort(). But at this moment, the card object
might be still in use (as we're calling snd_card_free_when_closed()).
For avoid potential UAFs, move the release of resources to the card's
private_free instead of the manual call of usb6fire_chip_destroy() at
the USB disconnect callback.
CVSS Score
7.8
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
isofs: avoid memory leak in iocharset
A memleak was found as below:
unreferenced object 0xffff0000d10164d8 (size 8):
comm "pool-udisksd", pid 108217, jiffies 4295408555
hex dump (first 8 bytes):
75 74 66 38 00 cc cc cc utf8....
backtrace (crc de430d31):
[<ffff800081046e6c>] kmemleak_alloc+0xb8/0xc8
[<ffff8000803e6c3c>] __kmalloc_node_track_caller_noprof+0x380/0x474
[<ffff800080363b74>] kstrdup+0x70/0xfc
[<ffff80007bb3c6a4>] isofs_parse_param+0x228/0x2c0 [isofs]
[<ffff8000804d7f68>] vfs_parse_fs_param+0xf4/0x164
[<ffff8000804d8064>] vfs_parse_fs_string+0x8c/0xd4
[<ffff8000804d815c>] vfs_parse_monolithic_sep+0xb0/0xfc
[<ffff8000804d81d8>] generic_parse_monolithic+0x30/0x3c
[<ffff8000804d8bfc>] parse_monolithic_mount_data+0x40/0x4c
[<ffff8000804b6a64>] path_mount+0x6c4/0x9ec
[<ffff8000804b6e38>] do_mount+0xac/0xc4
[<ffff8000804b7494>] __arm64_sys_mount+0x16c/0x2b0
[<ffff80008002b8dc>] invoke_syscall+0x7c/0x104
[<ffff80008002ba44>] el0_svc_common.constprop.1+0xe0/0x104
[<ffff80008002ba94>] do_el0_svc+0x2c/0x38
[<ffff800081041108>] el0_svc+0x3c/0x1b8
The opt->iocharset is freed inside the isofs_fill_super function,
But there may be situations where it's not possible to
enter this function.
For example, in the get_tree_bdev_flags function,when
encountering the situation where "Can't mount, would change RO state,"
In such a case, isofs_fill_super will not have the opportunity
to be called,which means that opt->iocharset will not have the chance
to be freed,ultimately leading to a memory leak.
Let's move the memory freeing of opt->iocharset into
isofs_free_fc function.
CVSS Score
5.5
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
riscv: kvm: Fix out-of-bounds array access
In kvm_riscv_vcpu_sbi_init() the entry->ext_idx can contain an
out-of-bound index. This is used as a special marker for the base
extensions, that cannot be disabled. However, when traversing the
extensions, that special marker is not checked prior indexing the
array.
Add an out-of-bounds check to the function.
CVSS Score
7.8
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost()
cpufreq_cpu_get_raw() may return NULL if the cpu is not in
policy->cpus cpu mask and it will cause null pointer dereference,
so check NULL for cppc_get_cpu_cost().
CVSS Score
5.5
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw()
cpufreq_cpu_get_raw() may return NULL if the cpu is not in
policy->cpus cpu mask and it will cause null pointer dereference.
CVSS Score
5.5
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
iommu/s390: Implement blocking domain
This fixes a crash when surprise hot-unplugging a PCI device. This crash
happens because during hot-unplug __iommu_group_set_domain_nofail()
attaching the default domain fails when the platform no longer
recognizes the device as it has already been removed and we end up with
a NULL domain pointer and UAF. This is exactly the case referred to in
the second comment in __iommu_device_set_domain() and just as stated
there if we can instead attach the blocking domain the UAF is prevented
as this can handle the already removed device. Implement the blocking
domain to use this handling. With this change, the crash is fixed but
we still hit a warning attempting to change DMA ownership on a blocked
device.
CVSS Score
5.5
EPSS Score
0.0
Published
2024-12-27
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix file-backed mounts over FUSE
syzbot reported a null-ptr-deref in fuse_read_args_fill:
fuse_read_folio+0xb0/0x100 fs/fuse/file.c:905
filemap_read_folio+0xc6/0x2a0 mm/filemap.c:2367
do_read_cache_folio+0x263/0x5c0 mm/filemap.c:3825
read_mapping_folio include/linux/pagemap.h:1011 [inline]
erofs_bread+0x34d/0x7e0 fs/erofs/data.c:41
erofs_read_superblock fs/erofs/super.c:281 [inline]
erofs_fc_fill_super+0x2b9/0x2500 fs/erofs/super.c:625
Unlike most filesystems, some network filesystems and FUSE need
unavoidable valid `file` pointers for their read I/Os [1].
Anyway, those use cases need to be supported too.
[1] https://docs.kernel.org/filesystems/vfs.html
CVSS Score
5.5
EPSS Score
0.0
Published
2024-12-27