LSN-0116-1: Kernel Live Patch Security Notice
In the Linux kernel, the following vulnerability has been
resolved: net: atlantic: eliminate double free in error handling logic
Driver has a logic leak in ring data allocation/free, where aq_ring_free
could be called multiple times on same ring, if system is under stress and
got memory allocation error.
In the Linux kernel, the following vulnerability has been
resolved: sctp: properly validate chunk size in sctp_sf_ootb() A size
validation fix similar to that in Commit 50619dbf8db7 ('sctp: add size
validation when walking chunks') is also required in sctp_sf_ootb() to
address a crash reported by syzbot: BUG: KMSAN: uninit-value in
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_rcv+0x3831/0x3b20
net/sctp/input.c:243 sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233)(CVE-2024-50299).
In the Linux kernel, the following vulnerability has been
resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock
sources The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors.
In the Linux kernel, the following vulnerability has been
resolved: ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
After an insertion in TNC, the tree might split and cause a node to change
its `znode->parent`.
In the Linux kernel, the following vulnerability has been
resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update() @ses
is initialized to NULL.
In the Linux kernel, the following vulnerability has been
resolved: padata: fix UAF in padata_reorder A bug was found when run ltp
test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read
of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0
PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:
dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling
'padata_find_next' in the 'padata_reorder' function, this issue could be
reproduced easily with ltp test (pcrypt_aead01).
In the Linux kernel, the following vulnerability has been
resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and
posix_cpu_timer_del() If an exiting non-autoreaping task has already passed
exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be
reaped by its parent or debugger right after unlock_task_sighand().