cve/published/2024/CVE-2024-49962.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49962: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()

 ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0

 ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
 NULL pointer dereference later.

 [ rjw: Subject and changelog edits ]

 The Linux kernel CVE team has assigned CVE-2024-49962 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 4.19.323 with commit 4669da66ebc5b09881487f30669b0fcdb462188e
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 5.4.285 with commit 402b4c6b7500c7cca6972d2456a4a422801035b5
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 5.10.227 with commit cbb67e245dacd02b5e1d82733892647df1523982
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 5.15.168 with commit 1c9b8775062f8d854a80caf186af57fc617d454c
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.1.113 with commit f282db38953ad71dd4f3f8877a4e1d37e580e30a
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.6.55 with commit 4588ea78d3904bebb613b0bb025669e75800f546
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.10.14 with commit a907c113a8b66972f15f084d7dff960207b1f71d
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.11.3 with commit ae5d4c7e76ba393d20366dfea1f39f24560ffb1d
 	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.12 with commit a5242874488eba2b9062985bf13743c029821330

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49962
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/acpi/acpica/dbconvert.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4669da66ebc5b09881487f30669b0fcdb462188e
 	https://git.kernel.org/stable/c/402b4c6b7500c7cca6972d2456a4a422801035b5
 	https://git.kernel.org/stable/c/cbb67e245dacd02b5e1d82733892647df1523982
 	https://git.kernel.org/stable/c/1c9b8775062f8d854a80caf186af57fc617d454c
 	https://git.kernel.org/stable/c/f282db38953ad71dd4f3f8877a4e1d37e580e30a
 	https://git.kernel.org/stable/c/4588ea78d3904bebb613b0bb025669e75800f546
 	https://git.kernel.org/stable/c/a907c113a8b66972f15f084d7dff960207b1f71d
 	https://git.kernel.org/stable/c/ae5d4c7e76ba393d20366dfea1f39f24560ffb1d
 	https://git.kernel.org/stable/c/a5242874488eba2b9062985bf13743c029821330
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49962: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()

	ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0

	ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
	NULL pointer dereference later.

	[ rjw: Subject and changelog edits ]

	The Linux kernel CVE team has assigned CVE-2024-49962 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 4.19.323 with commit 4669da66ebc5b09881487f30669b0fcdb462188e
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 5.4.285 with commit 402b4c6b7500c7cca6972d2456a4a422801035b5
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 5.10.227 with commit cbb67e245dacd02b5e1d82733892647df1523982
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 5.15.168 with commit 1c9b8775062f8d854a80caf186af57fc617d454c
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.1.113 with commit f282db38953ad71dd4f3f8877a4e1d37e580e30a
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.6.55 with commit 4588ea78d3904bebb613b0bb025669e75800f546
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.10.14 with commit a907c113a8b66972f15f084d7dff960207b1f71d
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.11.3 with commit ae5d4c7e76ba393d20366dfea1f39f24560ffb1d
	Issue introduced in 4.4 with commit 9957510255724c1c746c9a6264c849e9fdd4cd24 and fixed in 6.12 with commit a5242874488eba2b9062985bf13743c029821330

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49962
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/acpi/acpica/dbconvert.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4669da66ebc5b09881487f30669b0fcdb462188e
	https://git.kernel.org/stable/c/402b4c6b7500c7cca6972d2456a4a422801035b5
	https://git.kernel.org/stable/c/cbb67e245dacd02b5e1d82733892647df1523982
	https://git.kernel.org/stable/c/1c9b8775062f8d854a80caf186af57fc617d454c
	https://git.kernel.org/stable/c/f282db38953ad71dd4f3f8877a4e1d37e580e30a
	https://git.kernel.org/stable/c/4588ea78d3904bebb613b0bb025669e75800f546
	https://git.kernel.org/stable/c/a907c113a8b66972f15f084d7dff960207b1f71d
	https://git.kernel.org/stable/c/ae5d4c7e76ba393d20366dfea1f39f24560ffb1d
	https://git.kernel.org/stable/c/a5242874488eba2b9062985bf13743c029821330