Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2024-0488
Vulnerability from csaf_certbund
Published
2024-02-26 23:00
Modified
2024-06-11 22:00
Summary
Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0488 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0488.json" }, { "category": "self", "summary": "WID-SEC-2024-0488 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0488" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0855-1 vom 2024-03-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018151.html" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022732-CVE-2021-46921-91dc@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022736-CVE-2021-46922-39b5@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022745-CVE-2021-46923-a1ec@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022748-CVE-2021-46924-3483@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022748-CVE-2021-46925-c422@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022748-CVE-2021-46926-9967@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022749-CVE-2021-46927-ae70@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022749-CVE-2021-46928-068d@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022749-CVE-2021-46929-9369@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022749-CVE-2021-46930-99ca@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46931-a468@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46932-3a36@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46934-79c8@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022751-CVE-2021-46935-f8f4@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022751-CVE-2021-46936-2f8a@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-02-26", "url": "http://lore.kernel.org/linux-cve-announce/2024022751-CVE-2021-46937-3ae8@gregkh/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0900-1 vom 2024-03-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018167.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0857-1 vom 2024-03-13", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018154.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0856-1 vom 2024-03-13", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018155.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0858-1 vom 2024-03-13", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018153.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0910-1 vom 2024-03-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018181.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0900-2 vom 2024-03-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018182.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0976-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018185.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0925-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018205.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0926-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018204.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0975-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018186.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0977-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018210.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1320-1 vom 2024-04-16", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018372.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1321-1 vom 2024-04-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018375.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1322-1 vom 2024-04-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018374.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1332-1 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018376.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1332-2 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018378.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1322-2 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018377.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6739-1 vom 2024-04-19", "url": "https://ubuntu.com/security/notices/USN-6739-1" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1454-1 vom 2024-04-26", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018431.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1466-1 vom 2024-04-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018438.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1480-1 vom 2024-04-30", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018444.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1490-1 vom 2024-05-03", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018445.html" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-198 vom 2024-05-08", "url": "https://www.dell.com/support/kbdoc/000224827/dsa-2024-=" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3618 vom 2024-06-05", "url": "https://access.redhat.com/errata/RHSA-2024:3618" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3627 vom 2024-06-05", "url": "https://access.redhat.com/errata/RHSA-2024:3627" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-3618 vom 2024-06-06", "url": "https://linux.oracle.com/errata/ELSA-2024-3618.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1979-1 vom 2024-06-11", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018685.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1983-1 vom 2024-06-11", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018700.html" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen nicht spezifizierten Angriff", "tracking": { "current_release_date": "2024-06-11T22:00:00.000+00:00", "generator": { "date": "2024-06-12T08:09:47.771+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0488", "initial_release_date": "2024-02-26T23:00:00.000+00:00", "revision_history": [ { "date": "2024-02-26T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-03-12T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-03-14T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-03-17T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-03-24T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-16T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-18T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-21T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-04-28T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-29T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-01T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-02T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-07T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Dell aufgenommen" }, { "date": "2024-06-04T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-06-06T22:00:00.000+00:00", "number": "15", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-06-10T22:00:00.000+00:00", "number": "16", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-11T22:00:00.000+00:00", "number": "17", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "17" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "virtual", "product": { "name": "Dell NetWorker virtual", "product_id": "T034583", "product_identification_helper": { "cpe": "cpe:/a:dell:networker:virtual" } } } ], "category": "product_name", "name": "NetWorker" } ], "category": "vendor", "name": "Dell" }, { "branches": [ { "category": "product_name", "name": "EMC Avamar", "product": { "name": "EMC Avamar", "product_id": "T014381", "product_identification_helper": { "cpe": "cpe:/a:emc:avamar:-" } } } ], "category": "vendor", "name": "EMC" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T033107", "product_identification_helper": { "cpe": "cpe:/o:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-46921", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46921" }, { "cve": "CVE-2021-46922", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46922" }, { "cve": "CVE-2021-46923", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46923" }, { "cve": "CVE-2021-46924", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46924" }, { "cve": "CVE-2021-46925", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46925" }, { "cve": "CVE-2021-46926", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46926" }, { "cve": "CVE-2021-46927", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46927" }, { "cve": "CVE-2021-46928", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46928" }, { "cve": "CVE-2021-46929", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46929" }, { "cve": "CVE-2021-46930", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46930" }, { "cve": "CVE-2021-46931", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46931" }, { "cve": "CVE-2021-46932", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46932" }, { "cve": "CVE-2021-46933", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46933" }, { "cve": "CVE-2021-46934", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46934" }, { "cve": "CVE-2021-46935", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46935" }, { "cve": "CVE-2021-46936", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46936" }, { "cve": "CVE-2021-46937", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese sind auf verschiedene Fehler in mehreren Komponenten zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T014381", "T002207", "67646", "T000126", "T033107", "T034583", "T004914" ] }, "release_date": "2024-02-26T23:00:00Z", "title": "CVE-2021-46937" } ] }
cve-2021-46922
Vulnerability from cvelistv5
Published
2024-02-27 09:36
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: Fix TPM reservation for seal/unseal
The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal
and unseal operations") was correct on the mailing list:
https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/
But somehow got rebased so that the tpm_try_get_ops() in
tpm2_seal_trusted() got lost. This causes an imbalanced put of the
TPM ops and causes oopses on TIS based hardware.
This fix puts back the lost tpm_try_get_ops()
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46922", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-25T16:00:18.491671Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-25T16:00:29.336Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bf84ef2dd2ccdcd8f2658476d34b51455f970ce4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/39c8d760d44cb3fa0d67e8cd505df81cf4d80999" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9d5171eab462a63e2fbebfccf6026e92be018f20" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "security/keys/trusted-keys/trusted_tpm2.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "bf84ef2dd2ccdcd8f2658476d34b51455f970ce4", "status": "affected", "version": "67118bb78d72aab5b831f054a74ae856339a1974", "versionType": "git" }, { "lessThan": "39c8d760d44cb3fa0d67e8cd505df81cf4d80999", "status": "affected", "version": "498b8fc1cdc13b57b02dd28544b18323900fae10", "versionType": "git" }, { "lessThan": "9d5171eab462a63e2fbebfccf6026e92be018f20", "status": "affected", "version": "8c657a0590de585b1115847c17b34a58025f2f4b", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "security/keys/trusted-keys/trusted_tpm2.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5.10.33", "status": "affected", "version": "5.10.20", "versionType": "semver" }, { "lessThan": "5.11.17", "status": "affected", "version": "5.11.3", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix TPM reservation for seal/unseal\n\nThe original patch 8c657a0590de (\"KEYS: trusted: Reserve TPM for seal\nand unseal operations\") was correct on the mailing list:\n\nhttps://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/\n\nBut somehow got rebased so that the tpm_try_get_ops() in\ntpm2_seal_trusted() got lost. This causes an imbalanced put of the\nTPM ops and causes oopses on TIS based hardware.\n\nThis fix puts back the lost tpm_try_get_ops()" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:52.449Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/bf84ef2dd2ccdcd8f2658476d34b51455f970ce4" }, { "url": "https://git.kernel.org/stable/c/39c8d760d44cb3fa0d67e8cd505df81cf4d80999" }, { "url": "https://git.kernel.org/stable/c/9d5171eab462a63e2fbebfccf6026e92be018f20" } ], "title": "KEYS: trusted: Fix TPM reservation for seal/unseal", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46922", "datePublished": "2024-02-27T09:36:27.145Z", "dateReserved": "2024-02-25T13:45:52.719Z", "dateUpdated": "2024-12-19T07:31:52.449Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46925
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix kernel panic caused by race of smc_sock
A crash occurs when smc_cdc_tx_handler() tries to access smc_sock
but smc_release() has already freed it.
[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746] <IRQ>
[ 4570.711992] smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981] ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489] tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083] __do_softirq+0x123/0x2f4
[ 4570.714521] irq_exit_rcu+0xc4/0xf0
[ 4570.714934] common_interrupt+0xba/0xe0
Though smc_cdc_tx_handler() checked the existence of smc connection,
smc_release() may have already dismissed and released the smc socket
before smc_cdc_tx_handler() further visits it.
smc_cdc_tx_handler() |smc_release()
if (!conn) |
|
|smc_cdc_tx_dismiss_slots()
| smc_cdc_tx_dismisser()
|
|sock_put(&smc->sk) <- last sock_put,
| smc_sock freed
bh_lock_sock(&smc->sk) (panic) |
To make sure we won't receive any CDC messages after we free the
smc_sock, add a refcount on the smc_connection for inflight CDC
message(posted to the QP but haven't received related CQE), and
don't release the smc_connection until all the inflight CDC messages
haven been done, for both success or failed ones.
Using refcount on CDC messages brings another problem: when the link
is going to be destroyed, smcr_link_clear() will reset the QP, which
then remove all the pending CQEs related to the QP in the CQ. To make
sure all the CQEs will always come back so the refcount on the
smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced
by smc_ib_modify_qp_error().
And remove the timeout in smc_wr_tx_wait_no_pending_sends() since we
need to wait for all pending WQEs done, or we may encounter use-after-
free when handling CQEs.
For IB device removal routine, we need to wait for all the QPs on that
device been destroyed before we can destroy CQs on the device, or
the refcount on smc_connection won't reach 0 and smc_sock cannot be
released.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-46925", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T14:30:40.812518Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T13:48:24.020Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.919Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e8a5988a85c719ce7205cb00dcf0716dcf611332" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b85f751d71ae8e2a15e9bda98852ea9af35282eb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/349d43127dac00c15231e8ffbcaabd70f7b0e544" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/smc/smc.h", "net/smc/smc_cdc.c", "net/smc/smc_cdc.h", "net/smc/smc_core.c", "net/smc/smc_ib.c", "net/smc/smc_ib.h", "net/smc/smc_wr.c", "net/smc/smc_wr.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e8a5988a85c719ce7205cb00dcf0716dcf611332", "status": "affected", "version": "5f08318f617b05b6ee389d8bd174c7af921ebf19", "versionType": "git" }, { "lessThan": "b85f751d71ae8e2a15e9bda98852ea9af35282eb", "status": "affected", "version": "5f08318f617b05b6ee389d8bd174c7af921ebf19", "versionType": "git" }, { "lessThan": "349d43127dac00c15231e8ffbcaabd70f7b0e544", "status": "affected", "version": "5f08318f617b05b6ee389d8bd174c7af921ebf19", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/smc/smc.h", "net/smc/smc_cdc.c", "net/smc/smc_cdc.h", "net/smc/smc_core.c", "net/smc/smc_ib.c", "net/smc/smc_ib.h", "net/smc/smc_wr.c", "net/smc/smc_wr.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.11" }, { "lessThan": "4.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix kernel panic caused by race of smc_sock\n\nA crash occurs when smc_cdc_tx_handler() tries to access smc_sock\nbut smc_release() has already freed it.\n\n[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88\n[ 4570.696048] #PF: supervisor write access in kernel mode\n[ 4570.696728] #PF: error_code(0x0002) - not-present page\n[ 4570.697401] PGD 0 P4D 0\n[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111\n[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0\n[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30\n\u003c...\u003e\n[ 4570.711446] Call Trace:\n[ 4570.711746] \u003cIRQ\u003e\n[ 4570.711992] smc_cdc_tx_handler+0x41/0xc0\n[ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560\n[ 4570.712981] ? smc_cdc_tx_dismisser+0x10/0x10\n[ 4570.713489] tasklet_action_common.isra.17+0x66/0x140\n[ 4570.714083] __do_softirq+0x123/0x2f4\n[ 4570.714521] irq_exit_rcu+0xc4/0xf0\n[ 4570.714934] common_interrupt+0xba/0xe0\n\nThough smc_cdc_tx_handler() checked the existence of smc connection,\nsmc_release() may have already dismissed and released the smc socket\nbefore smc_cdc_tx_handler() further visits it.\n\nsmc_cdc_tx_handler() |smc_release()\nif (!conn) |\n |\n |smc_cdc_tx_dismiss_slots()\n | smc_cdc_tx_dismisser()\n |\n |sock_put(\u0026smc-\u003esk) \u003c- last sock_put,\n | smc_sock freed\nbh_lock_sock(\u0026smc-\u003esk) (panic) |\n\nTo make sure we won\u0027t receive any CDC messages after we free the\nsmc_sock, add a refcount on the smc_connection for inflight CDC\nmessage(posted to the QP but haven\u0027t received related CQE), and\ndon\u0027t release the smc_connection until all the inflight CDC messages\nhaven been done, for both success or failed ones.\n\nUsing refcount on CDC messages brings another problem: when the link\nis going to be destroyed, smcr_link_clear() will reset the QP, which\nthen remove all the pending CQEs related to the QP in the CQ. To make\nsure all the CQEs will always come back so the refcount on the\nsmc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced\nby smc_ib_modify_qp_error().\nAnd remove the timeout in smc_wr_tx_wait_no_pending_sends() since we\nneed to wait for all pending WQEs done, or we may encounter use-after-\nfree when handling CQEs.\n\nFor IB device removal routine, we need to wait for all the QPs on that\ndevice been destroyed before we can destroy CQs on the device, or\nthe refcount on smc_connection won\u0027t reach 0 and smc_sock cannot be\nreleased." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:55.978Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e8a5988a85c719ce7205cb00dcf0716dcf611332" }, { "url": "https://git.kernel.org/stable/c/b85f751d71ae8e2a15e9bda98852ea9af35282eb" }, { "url": "https://git.kernel.org/stable/c/349d43127dac00c15231e8ffbcaabd70f7b0e544" } ], "title": "net/smc: fix kernel panic caused by race of smc_sock", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46925", "datePublished": "2024-02-27T09:43:55.445Z", "dateReserved": "2024-02-25T13:45:52.719Z", "dateUpdated": "2024-12-19T07:31:55.978Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46932
Vulnerability from cvelistv5
Published
2024-02-27 09:44
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: appletouch - initialize work before device registration
Syzbot has reported warning in __flush_work(). This warning is caused by
work->func == NULL, which means missing work initialization.
This may happen, since input_dev->close() calls
cancel_work_sync(&dev->work), but dev->work initalization happens _after_
input_register_device() call.
So this patch moves dev->work initialization before registering input
device
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da Version: 5a6eb676d3bc4d7a6feab200a92437b62ad298da |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46932", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T16:12:57.763250Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:01.591Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.851Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d2cb2bf39a6d17ef4bdc0e59c1a35cf5751ad8f4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d1962f263a176f493400b8f91bfbf2bfedce951e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/292d2ac61fb0d9276a0f7b7ce4f50426f2a1c99f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a02e1404e27855089d2b0a0acc4652c2ce65fe46" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/975774ea7528b489930b76a77ffc4d5379b95ff2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9f329d0d6c91142cf0ad08d23c72dd195db2633c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e79ff8c68acb1eddf709d3ac84716868f2a91012" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/input/mouse/appletouch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d2cb2bf39a6d17ef4bdc0e59c1a35cf5751ad8f4", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" }, { "lessThan": "d1962f263a176f493400b8f91bfbf2bfedce951e", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" }, { "lessThan": "292d2ac61fb0d9276a0f7b7ce4f50426f2a1c99f", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" }, { "lessThan": "a02e1404e27855089d2b0a0acc4652c2ce65fe46", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" }, { "lessThan": "975774ea7528b489930b76a77ffc4d5379b95ff2", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" }, { "lessThan": "9f329d0d6c91142cf0ad08d23c72dd195db2633c", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" }, { "lessThan": "e79ff8c68acb1eddf709d3ac84716868f2a91012", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" }, { "lessThan": "9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0", "status": "affected", "version": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/input/mouse/appletouch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.23" }, { "lessThan": "2.6.23", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.4.*", "status": "unaffected", "version": "4.4.298", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.296", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.261", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: appletouch - initialize work before device registration\n\nSyzbot has reported warning in __flush_work(). This warning is caused by\nwork-\u003efunc == NULL, which means missing work initialization.\n\nThis may happen, since input_dev-\u003eclose() calls\ncancel_work_sync(\u0026dev-\u003ework), but dev-\u003ework initalization happens _after_\ninput_register_device() call.\n\nSo this patch moves dev-\u003ework initialization before registering input\ndevice" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:04.021Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d2cb2bf39a6d17ef4bdc0e59c1a35cf5751ad8f4" }, { "url": "https://git.kernel.org/stable/c/d1962f263a176f493400b8f91bfbf2bfedce951e" }, { "url": "https://git.kernel.org/stable/c/292d2ac61fb0d9276a0f7b7ce4f50426f2a1c99f" }, { "url": "https://git.kernel.org/stable/c/a02e1404e27855089d2b0a0acc4652c2ce65fe46" }, { "url": "https://git.kernel.org/stable/c/975774ea7528b489930b76a77ffc4d5379b95ff2" }, { "url": "https://git.kernel.org/stable/c/9f329d0d6c91142cf0ad08d23c72dd195db2633c" }, { "url": "https://git.kernel.org/stable/c/e79ff8c68acb1eddf709d3ac84716868f2a91012" }, { "url": "https://git.kernel.org/stable/c/9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0" } ], "title": "Input: appletouch - initialize work before device registration", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46932", "datePublished": "2024-02-27T09:44:00.108Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:04.021Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46936
Vulnerability from cvelistv5
Published
2024-02-27 09:44
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix use-after-free in tw_timer_handler
A real world panic issue was found as follow in Linux 5.4.
BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
<IRQ>
call_timer_fn+0x2b/0x120
run_timer_softirq+0x1ef/0x450
__do_softirq+0x10d/0x2b8
irq_exit+0xc7/0xd0
smp_apic_timer_interrupt+0x68/0x120
apic_timer_interrupt+0xf/0x20
This issue was also reported since 2017 in the thread [1],
unfortunately, the issue was still can be reproduced after fixing
DCCP.
The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
namespace is destroyed since tcp_sk_ops is registered befrore
ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
in the list of pernet_list. There will be a use-after-free on
net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
if there are some inflight time-wait timers.
This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
NET_ADD_STATS_BH") since the net_statistics is a global variable
instead of dynamic allocation and freeing. Actually, commit
61a7e26028b9 ("mib: put net statistics on struct net") introduces
the bug since it put net statistics on struct net and free it when
net namespace is destroyed.
Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
and replace pr_crit() with panic() since continuing is meaningless
when init_ipv4_mibs() fails.
[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Version: 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.878Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/15579e1301f856ad9385d720c9267c11032a5022" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e73164e89d1be561228a4534e1091369ee4ba41a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5c2fe20ad37ff56070ae0acb34152333976929b4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a8e1944b44f94f5c5f530e434c5eaee787254566" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fe5838c22b986c1190f1dce9aa09bf6a491c1a69" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2386e81a1d277f540e1285565c9d41d531bb69d4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/08eacbd141e2495d2fcdde84358a06c4f95cbb13" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-46936", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T16:01:57.788399Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:18.637Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv4/af_inet.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "15579e1301f856ad9385d720c9267c11032a5022", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" }, { "lessThan": "e73164e89d1be561228a4534e1091369ee4ba41a", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" }, { "lessThan": "5c2fe20ad37ff56070ae0acb34152333976929b4", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" }, { "lessThan": "a8e1944b44f94f5c5f530e434c5eaee787254566", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" }, { "lessThan": "fe5838c22b986c1190f1dce9aa09bf6a491c1a69", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" }, { "lessThan": "2386e81a1d277f540e1285565c9d41d531bb69d4", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" }, { "lessThan": "08eacbd141e2495d2fcdde84358a06c4f95cbb13", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" }, { "lessThan": "e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0", "status": "affected", "version": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv4/af_inet.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.27" }, { "lessThan": "2.6.27", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.4.*", "status": "unaffected", "version": "4.4.298", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.296", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.261", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix use-after-free in tw_timer_handler\n\nA real world panic issue was found as follow in Linux 5.4.\n\n BUG: unable to handle page fault for address: ffffde49a863de28\n PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0\n RIP: 0010:tw_timer_handler+0x20/0x40\n Call Trace:\n \u003cIRQ\u003e\n call_timer_fn+0x2b/0x120\n run_timer_softirq+0x1ef/0x450\n __do_softirq+0x10d/0x2b8\n irq_exit+0xc7/0xd0\n smp_apic_timer_interrupt+0x68/0x120\n apic_timer_interrupt+0xf/0x20\n\nThis issue was also reported since 2017 in the thread [1],\nunfortunately, the issue was still can be reproduced after fixing\nDCCP.\n\nThe ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net\nnamespace is destroyed since tcp_sk_ops is registered befrore\nipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops\nin the list of pernet_list. There will be a use-after-free on\nnet-\u003emib.net_statistics in tw_timer_handler after ipv4_mib_exit_net\nif there are some inflight time-wait timers.\n\nThis bug is not introduced by commit f2bf415cfed7 (\"mib: add net to\nNET_ADD_STATS_BH\") since the net_statistics is a global variable\ninstead of dynamic allocation and freeing. Actually, commit\n61a7e26028b9 (\"mib: put net statistics on struct net\") introduces\nthe bug since it put net statistics on struct net and free it when\nnet namespace is destroyed.\n\nMoving init_ipv4_mibs() to the front of tcp_init() to fix this bug\nand replace pr_crit() with panic() since continuing is meaningless\nwhen init_ipv4_mibs() fails.\n\n[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:08.575Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/15579e1301f856ad9385d720c9267c11032a5022" }, { "url": "https://git.kernel.org/stable/c/e73164e89d1be561228a4534e1091369ee4ba41a" }, { "url": "https://git.kernel.org/stable/c/5c2fe20ad37ff56070ae0acb34152333976929b4" }, { "url": "https://git.kernel.org/stable/c/a8e1944b44f94f5c5f530e434c5eaee787254566" }, { "url": "https://git.kernel.org/stable/c/fe5838c22b986c1190f1dce9aa09bf6a491c1a69" }, { "url": "https://git.kernel.org/stable/c/2386e81a1d277f540e1285565c9d41d531bb69d4" }, { "url": "https://git.kernel.org/stable/c/08eacbd141e2495d2fcdde84358a06c4f95cbb13" }, { "url": "https://git.kernel.org/stable/c/e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0" } ], "title": "net: fix use-after-free in tw_timer_handler", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46936", "datePublished": "2024-02-27T09:44:02.758Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:08.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46937
Vulnerability from cvelistv5
Published
2024-02-27 09:44
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()'
DAMON debugfs interface increases the reference counts of 'struct pid's
for targets from the 'target_ids' file write callback
('dbgfs_target_ids_write()'), but decreases the counts only in DAMON
monitoring termination callback ('dbgfs_before_terminate()').
Therefore, when 'target_ids' file is repeatedly written without DAMON
monitoring start/termination, the reference count is not decreased and
therefore memory for the 'struct pid' cannot be freed. This commit
fixes this issue by decreasing the reference counts when 'target_ids' is
written.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46937", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T15:48:08.860920Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:00.927Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:43.028Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ffe4a1ba1a82c416a6b3a09d46594f6a885ae141" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ebb3f994dd92f8fb4d70c7541091216c1e10cb71" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/damon/dbgfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ffe4a1ba1a82c416a6b3a09d46594f6a885ae141", "status": "affected", "version": "4bc05954d0076655cfaf6f0135585bdc20cd6b11", "versionType": "git" }, { "lessThan": "ebb3f994dd92f8fb4d70c7541091216c1e10cb71", "status": "affected", "version": "4bc05954d0076655cfaf6f0135585bdc20cd6b11", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/damon/dbgfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/dbgfs: fix \u0027struct pid\u0027 leaks in \u0027dbgfs_target_ids_write()\u0027\n\nDAMON debugfs interface increases the reference counts of \u0027struct pid\u0027s\nfor targets from the \u0027target_ids\u0027 file write callback\n(\u0027dbgfs_target_ids_write()\u0027), but decreases the counts only in DAMON\nmonitoring termination callback (\u0027dbgfs_before_terminate()\u0027).\n\nTherefore, when \u0027target_ids\u0027 file is repeatedly written without DAMON\nmonitoring start/termination, the reference count is not decreased and\ntherefore memory for the \u0027struct pid\u0027 cannot be freed. This commit\nfixes this issue by decreasing the reference counts when \u0027target_ids\u0027 is\nwritten." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:09.723Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ffe4a1ba1a82c416a6b3a09d46594f6a885ae141" }, { "url": "https://git.kernel.org/stable/c/ebb3f994dd92f8fb4d70c7541091216c1e10cb71" } ], "title": "mm/damon/dbgfs: fix \u0027struct pid\u0027 leaks in \u0027dbgfs_target_ids_write()\u0027", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46937", "datePublished": "2024-02-27T09:44:03.421Z", "dateReserved": "2024-02-25T13:45:52.721Z", "dateUpdated": "2024-12-19T07:32:09.723Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46927
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert
After commit 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked()
annotations to find_vma*()"), the call to get_user_pages() will trigger
the mmap assert.
static inline void mmap_assert_locked(struct mm_struct *mm)
{
lockdep_assert_held(&mm->mmap_lock);
VM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm);
}
[ 62.521410] kernel BUG at include/linux/mmap_lock.h:156!
...........................................................
[ 62.538938] RIP: 0010:find_vma+0x32/0x80
...........................................................
[ 62.605889] Call Trace:
[ 62.608502] <TASK>
[ 62.610956] ? lock_timer_base+0x61/0x80
[ 62.614106] find_extend_vma+0x19/0x80
[ 62.617195] __get_user_pages+0x9b/0x6a0
[ 62.620356] __gup_longterm_locked+0x42d/0x450
[ 62.623721] ? finish_wait+0x41/0x80
[ 62.626748] ? __kmalloc+0x178/0x2f0
[ 62.629768] ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves]
[ 62.635776] ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves]
[ 62.639541] __x64_sys_ioctl+0x82/0xb0
[ 62.642620] do_syscall_64+0x3b/0x90
[ 62.645642] entry_SYSCALL_64_after_hwframe+0x44/0xae
Use get_user_pages_unlocked() when setting the enclave memory regions.
That's a similar pattern as mmap_read_lock() used together with
get_user_pages().
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46927", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T15:46:16.994467Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:00.781Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.860Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/90d2beed5e753805c5eab656b8d48257638fe543" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3a0152b219523227c2a62a0a122cf99608287176" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/virt/nitro_enclaves/ne_misc_dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "90d2beed5e753805c5eab656b8d48257638fe543", "status": "affected", "version": "5b78ed24e8ec48602c1d6f5a188e58d000c81e2b", "versionType": "git" }, { "lessThan": "3a0152b219523227c2a62a0a122cf99608287176", "status": "affected", "version": "5b78ed24e8ec48602c1d6f5a188e58d000c81e2b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/virt/nitro_enclaves/ne_misc_dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert\n\nAfter commit 5b78ed24e8ec (\"mm/pagemap: add mmap_assert_locked()\nannotations to find_vma*()\"), the call to get_user_pages() will trigger\nthe mmap assert.\n\nstatic inline void mmap_assert_locked(struct mm_struct *mm)\n{\n\tlockdep_assert_held(\u0026mm-\u003emmap_lock);\n\tVM_BUG_ON_MM(!rwsem_is_locked(\u0026mm-\u003emmap_lock), mm);\n}\n\n[ 62.521410] kernel BUG at include/linux/mmap_lock.h:156!\n...........................................................\n[ 62.538938] RIP: 0010:find_vma+0x32/0x80\n...........................................................\n[ 62.605889] Call Trace:\n[ 62.608502] \u003cTASK\u003e\n[ 62.610956] ? lock_timer_base+0x61/0x80\n[ 62.614106] find_extend_vma+0x19/0x80\n[ 62.617195] __get_user_pages+0x9b/0x6a0\n[ 62.620356] __gup_longterm_locked+0x42d/0x450\n[ 62.623721] ? finish_wait+0x41/0x80\n[ 62.626748] ? __kmalloc+0x178/0x2f0\n[ 62.629768] ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves]\n[ 62.635776] ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves]\n[ 62.639541] __x64_sys_ioctl+0x82/0xb0\n[ 62.642620] do_syscall_64+0x3b/0x90\n[ 62.645642] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUse get_user_pages_unlocked() when setting the enclave memory regions.\nThat\u0027s a similar pattern as mmap_read_lock() used together with\nget_user_pages()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:58.212Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/90d2beed5e753805c5eab656b8d48257638fe543" }, { "url": "https://git.kernel.org/stable/c/3a0152b219523227c2a62a0a122cf99608287176" } ], "title": "nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46927", "datePublished": "2024-02-27T09:43:56.743Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:31:58.212Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46928
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Clear stale IIR value on instruction access rights trap
When a trap 7 (Instruction access rights) occurs, this means the CPU
couldn't execute an instruction due to missing execute permissions on
the memory region. In this case it seems the CPU didn't even fetched
the instruction from memory and thus did not store it in the cr19 (IIR)
register before calling the trap handler. So, the trap handler will find
some random old stale value in cr19.
This patch simply overwrites the stale IIR value with a constant magic
"bad food" value (0xbaadf00d), in the hope people don't start to try to
understand the various random IIR values in trap 7 dumps.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46928", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T15:39:14.465510Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:04.116Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:43.059Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/parisc/kernel/traps.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d01e9ce1af6116f812491d3d3873d204f10ae0b8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e96373f0a5f484bc1e193f9951dcb3adf24bf3f7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "484730e5862f6b872dca13840bed40fd7c60fa26", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/parisc/kernel/traps.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn\u0027t execute an instruction due to missing execute permissions on\nthe memory region. In this case it seems the CPU didn\u0027t even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don\u0027t start to try to\nunderstand the various random IIR values in trap 7 dumps." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:59.313Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8" }, { "url": "https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7" }, { "url": "https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26" } ], "title": "parisc: Clear stale IIR value on instruction access rights trap", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46928", "datePublished": "2024-02-27T09:43:57.390Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:31:59.313Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46933
Vulnerability from cvelistv5
Published
2024-02-27 09:44
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
ffs_ep0_release, so it ends up being called twice when userland closes ep0
and then unmounts f_fs.
If userland provided an eventfd along with function's USB descriptors, it
ends up calling eventfd_ctx_put as many times, causing a refcount
underflow.
NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
Also, set epfiles to NULL right after de-allocating it, for readability.
For completeness, ffs_data_clear actually ends up being called thrice, the
last call being before the whole ffs structure gets freed, so when this
specific sequence happens there is a second underflow happening (but not
being reported):
/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put
Warning output corresponding to above trace:
[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
[ 1946.482067] r5:c04a948c r4:c0a71dc8
[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664] r5:c3b84c00 r4:c2695b00
[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608] r5:bf54d014 r4:c2695b00
[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217] r7:c0dfcb
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46933", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T15:36:00.689438Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:03.979Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:43.071Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/gadget/function/f_fs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f976dd7011150244a7ba820f2c331e9fb253befa", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "cc8c8028c21b2a3842a1e98e99e55028df275919", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "52500239e3f2d6fc77b6f58632a9fb98fe74ac09", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "33f6a0cbb7772146e1c11f38028fffbfed14728b", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "240fc586e83d645912accce081a48aa63a45f6ee", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "1c4ace3e6b8575745c50dca9e76e0021e697d645", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "ebef2aa29f370b5096c16020c104e393192ef684", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "b1e0887379422975f237d43d8839b751a6bcf154", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/gadget/function/f_fs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.0" }, { "lessThan": "4.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.4.*", "status": "unaffected", "version": "4.4.298", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.296", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.261", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.\n\nffs_data_clear is indirectly called from both ffs_fs_kill_sb and\nffs_ep0_release, so it ends up being called twice when userland closes ep0\nand then unmounts f_fs.\nIf userland provided an eventfd along with function\u0027s USB descriptors, it\nends up calling eventfd_ctx_put as many times, causing a refcount\nunderflow.\nNULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.\n\nAlso, set epfiles to NULL right after de-allocating it, for readability.\n\nFor completeness, ffs_data_clear actually ends up being called thrice, the\nlast call being before the whole ffs structure gets freed, so when this\nspecific sequence happens there is a second underflow happening (but not\nbeing reported):\n\n/sys/kernel/debug/tracing# modprobe usb_f_fs\n/sys/kernel/debug/tracing# echo ffs_data_clear \u003e set_ftrace_filter\n/sys/kernel/debug/tracing# echo function \u003e current_tracer\n/sys/kernel/debug/tracing# echo 1 \u003e tracing_on\n(setup gadget, run and kill function userland process, teardown gadget)\n/sys/kernel/debug/tracing# echo 0 \u003e tracing_on\n/sys/kernel/debug/tracing# cat trace\n smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear \u003c-ffs_data_closed\n smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear \u003c-ffs_data_closed\n smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear \u003c-ffs_data_put\n\nWarning output corresponding to above trace:\n[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c\n[ 1946.293094] refcount_t: underflow; use-after-free.\n[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)\n[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1\n[ 1946.417950] Hardware name: BCM2835\n[ 1946.425442] Backtrace:\n[ 1946.432048] [\u003cc08d60a0\u003e] (dump_backtrace) from [\u003cc08d62ec\u003e] (show_stack+0x20/0x24)\n[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c\n[ 1946.458412] [\u003cc08d62cc\u003e] (show_stack) from [\u003cc08d9ae0\u003e] (dump_stack+0x28/0x30)\n[ 1946.470380] [\u003cc08d9ab8\u003e] (dump_stack) from [\u003cc0123500\u003e] (__warn+0xe8/0x154)\n[ 1946.482067] r5:c04a948c r4:c0a71dc8\n[ 1946.490184] [\u003cc0123418\u003e] (__warn) from [\u003cc08d6948\u003e] (warn_slowpath_fmt+0xa0/0xe4)\n[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04\n[ 1946.517070] [\u003cc08d68ac\u003e] (warn_slowpath_fmt) from [\u003cc04a948c\u003e] (refcount_warn_saturate+0x110/0x15c)\n[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0\n[ 1946.546708] [\u003cc04a937c\u003e] (refcount_warn_saturate) from [\u003cc0380134\u003e] (eventfd_ctx_put+0x48/0x74)\n[ 1946.564476] [\u003cc03800ec\u003e] (eventfd_ctx_put) from [\u003cbf5464e8\u003e] (ffs_data_clear+0xd0/0x118 [usb_f_fs])\n[ 1946.582664] r5:c3b84c00 r4:c2695b00\n[ 1946.590668] [\u003cbf546418\u003e] (ffs_data_clear [usb_f_fs]) from [\u003cbf547cc0\u003e] (ffs_data_closed+0x9c/0x150 [usb_f_fs])\n[ 1946.609608] r5:bf54d014 r4:c2695b00\n[ 1946.617522] [\u003cbf547c24\u003e] (ffs_data_closed [usb_f_fs]) from [\u003cbf547da0\u003e] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])\n[ 1946.636217] r7:c0dfcb\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:05.163Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa" }, { "url": "https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919" }, { "url": "https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09" }, { "url": "https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b" }, { "url": "https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee" }, { "url": "https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645" }, { "url": "https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684" }, { "url": "https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154" } ], "title": "usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46933", "datePublished": "2024-02-27T09:44:00.758Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:05.163Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46929
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: use call_rcu to free endpoint
This patch is to delay the endpoint free by calling call_rcu() to fix
another use-after-free issue in sctp_sock_dump():
BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
Call Trace:
__lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
__lock_sock+0x203/0x350 net/core/sock.c:2253
lock_sock_nested+0xfe/0x120 net/core/sock.c:2774
lock_sock include/net/sock.h:1492 [inline]
sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324
sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091
sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527
__inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049
inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065
netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244
__netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352
netlink_dump_start include/linux/netlink.h:216 [inline]
inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170
__sock_diag_cmd net/core/sock_diag.c:232 [inline]
sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263
netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274
This issue occurs when asoc is peeled off and the old sk is freed after
getting it by asoc->base.sk and before calling lock_sock(sk).
To prevent the sk free, as a holder of the sk, ep should be alive when
calling lock_sock(). This patch uses call_rcu() and moves sock_put and
ep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to
hold the ep under rcu_read_lock in sctp_transport_traverse_process().
If sctp_endpoint_hold() returns true, it means this ep is still alive
and we have held it and can continue to dump it; If it returns false,
it means this ep is dead and can be freed after rcu_read_unlock, and
we should skip it.
In sctp_sock_dump(), after locking the sk, if this ep is different from
tsp->asoc->ep, it means during this dumping, this asoc was peeled off
before calling lock_sock(), and the sk should be skipped; If this ep is
the same with tsp->asoc->ep, it means no peeloff happens on this asoc,
and due to lock_sock, no peeloff will happen either until release_sock.
Note that delaying endpoint free won't delay the port release, as the
port release happens in sctp_endpoint_destroy() before calling call_rcu().
Also, freeing endpoint by call_rcu() makes it safe to access the sk by
asoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().
Thanks Jones to bring this issue up.
v1->v2:
- improve the changelog.
- add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab Version: d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab Version: d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab Version: d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab Version: d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab Version: d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.985Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/831de271452b87657fcf8d715ee20519b79caef5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/769d14abd35e0e153b5149c3e1e989a9d719e3ff" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/75799e71df1da11394740b43ae5686646179561d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5ec7d18d1813a5bead0b495045606c93873aecbb" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-46929", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T16:02:00.945845Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:20.539Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/sctp/sctp.h", "include/net/sctp/structs.h", "net/sctp/diag.c", "net/sctp/endpointola.c", "net/sctp/socket.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e", "status": "affected", "version": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "versionType": "git" }, { "lessThan": "af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec", "status": "affected", "version": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "versionType": "git" }, { "lessThan": "831de271452b87657fcf8d715ee20519b79caef5", "status": "affected", "version": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "versionType": "git" }, { "lessThan": "769d14abd35e0e153b5149c3e1e989a9d719e3ff", "status": "affected", "version": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "versionType": "git" }, { "lessThan": "75799e71df1da11394740b43ae5686646179561d", "status": "affected", "version": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "versionType": "git" }, { "lessThan": "5ec7d18d1813a5bead0b495045606c93873aecbb", "status": "affected", "version": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/sctp/sctp.h", "include/net/sctp/structs.h", "net/sctp/diag.c", "net/sctp/endpointola.c", "net/sctp/socket.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.14" }, { "lessThan": "4.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.261", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: use call_rcu to free endpoint\n\nThis patch is to delay the endpoint free by calling call_rcu() to fix\nanother use-after-free issue in sctp_sock_dump():\n\n BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20\n Call Trace:\n __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218\n lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]\n _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168\n spin_lock_bh include/linux/spinlock.h:334 [inline]\n __lock_sock+0x203/0x350 net/core/sock.c:2253\n lock_sock_nested+0xfe/0x120 net/core/sock.c:2774\n lock_sock include/net/sock.h:1492 [inline]\n sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324\n sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091\n sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527\n __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049\n inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065\n netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244\n __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352\n netlink_dump_start include/linux/netlink.h:216 [inline]\n inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170\n __sock_diag_cmd net/core/sock_diag.c:232 [inline]\n sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263\n netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274\n\nThis issue occurs when asoc is peeled off and the old sk is freed after\ngetting it by asoc-\u003ebase.sk and before calling lock_sock(sk).\n\nTo prevent the sk free, as a holder of the sk, ep should be alive when\ncalling lock_sock(). This patch uses call_rcu() and moves sock_put and\nep free into sctp_endpoint_destroy_rcu(), so that it\u0027s safe to try to\nhold the ep under rcu_read_lock in sctp_transport_traverse_process().\n\nIf sctp_endpoint_hold() returns true, it means this ep is still alive\nand we have held it and can continue to dump it; If it returns false,\nit means this ep is dead and can be freed after rcu_read_unlock, and\nwe should skip it.\n\nIn sctp_sock_dump(), after locking the sk, if this ep is different from\ntsp-\u003easoc-\u003eep, it means during this dumping, this asoc was peeled off\nbefore calling lock_sock(), and the sk should be skipped; If this ep is\nthe same with tsp-\u003easoc-\u003eep, it means no peeloff happens on this asoc,\nand due to lock_sock, no peeloff will happen either until release_sock.\n\nNote that delaying endpoint free won\u0027t delay the port release, as the\nport release happens in sctp_endpoint_destroy() before calling call_rcu().\nAlso, freeing endpoint by call_rcu() makes it safe to access the sk by\nasoc-\u003ebase.sk in sctp_assocs_seq_show() and sctp_rcv().\n\nThanks Jones to bring this issue up.\n\nv1-\u003ev2:\n - improve the changelog.\n - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:00.562Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e" }, { "url": "https://git.kernel.org/stable/c/af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec" }, { "url": "https://git.kernel.org/stable/c/831de271452b87657fcf8d715ee20519b79caef5" }, { "url": "https://git.kernel.org/stable/c/769d14abd35e0e153b5149c3e1e989a9d719e3ff" }, { "url": "https://git.kernel.org/stable/c/75799e71df1da11394740b43ae5686646179561d" }, { "url": "https://git.kernel.org/stable/c/5ec7d18d1813a5bead0b495045606c93873aecbb" } ], "title": "sctp: use call_rcu to free endpoint", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46929", "datePublished": "2024-02-27T09:43:58.047Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:00.562Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46924
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: st21nfca: Fix memory leak in device probe and remove
'phy->pending_skb' is alloced when device probe, but forgot to free
in the error handling path and remove path, this cause memory leak
as follows:
unreferenced object 0xffff88800bc06800 (size 512):
comm "8", pid 11775, jiffies 4295159829 (age 9.032s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450
[<00000000c93382b3>] kmalloc_reserve+0x37/0xd0
[<000000005fea522c>] __alloc_skb+0x124/0x380
[<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2
Fix it by freeing 'pending_skb' in error and remove.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 68957303f44a501af5cf37913208a2acaa6bcdf1 Version: 68957303f44a501af5cf37913208a2acaa6bcdf1 Version: 68957303f44a501af5cf37913208a2acaa6bcdf1 Version: 68957303f44a501af5cf37913208a2acaa6bcdf1 Version: 68957303f44a501af5cf37913208a2acaa6bcdf1 Version: 68957303f44a501af5cf37913208a2acaa6bcdf1 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46924", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T20:52:36.820473Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:03.300Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.982Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/38c3e320e7ff46f2dc67bc5045333e63d9f8918d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a1e0080a35a16ce3808f7040fe0c3a8fdb052349" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1cd4063dbc91cf7965d73a6a3855e2028cd4613b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e553265ea56482da5700f56319fda9ff53e7dcb4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/238920381b8925d070d32d73cd9ce52ab29896fe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1b9dadba502234eea7244879b8d5d126bfaf9f0c" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/nfc/st21nfca/i2c.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "38c3e320e7ff46f2dc67bc5045333e63d9f8918d", "status": "affected", "version": "68957303f44a501af5cf37913208a2acaa6bcdf1", "versionType": "git" }, { "lessThan": "a1e0080a35a16ce3808f7040fe0c3a8fdb052349", "status": "affected", "version": "68957303f44a501af5cf37913208a2acaa6bcdf1", "versionType": "git" }, { "lessThan": "1cd4063dbc91cf7965d73a6a3855e2028cd4613b", "status": "affected", "version": "68957303f44a501af5cf37913208a2acaa6bcdf1", "versionType": "git" }, { "lessThan": "e553265ea56482da5700f56319fda9ff53e7dcb4", "status": "affected", "version": "68957303f44a501af5cf37913208a2acaa6bcdf1", "versionType": "git" }, { "lessThan": "238920381b8925d070d32d73cd9ce52ab29896fe", "status": "affected", "version": "68957303f44a501af5cf37913208a2acaa6bcdf1", "versionType": "git" }, { "lessThan": "1b9dadba502234eea7244879b8d5d126bfaf9f0c", "status": "affected", "version": "68957303f44a501af5cf37913208a2acaa6bcdf1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/nfc/st21nfca/i2c.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.16" }, { "lessThan": "3.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.261", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: st21nfca: Fix memory leak in device probe and remove\n\n\u0027phy-\u003epending_skb\u0027 is alloced when device probe, but forgot to free\nin the error handling path and remove path, this cause memory leak\nas follows:\n\nunreferenced object 0xffff88800bc06800 (size 512):\n comm \"8\", pid 11775, jiffies 4295159829 (age 9.032s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c00000000d66c09ce\u003e] __kmalloc_node_track_caller+0x1ed/0x450\n [\u003c00000000c93382b3\u003e] kmalloc_reserve+0x37/0xd0\n [\u003c000000005fea522c\u003e] __alloc_skb+0x124/0x380\n [\u003c0000000019f29f9a\u003e] st21nfca_hci_i2c_probe+0x170/0x8f2\n\nFix it by freeing \u0027pending_skb\u0027 in error and remove." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:54.804Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/38c3e320e7ff46f2dc67bc5045333e63d9f8918d" }, { "url": "https://git.kernel.org/stable/c/a1e0080a35a16ce3808f7040fe0c3a8fdb052349" }, { "url": "https://git.kernel.org/stable/c/1cd4063dbc91cf7965d73a6a3855e2028cd4613b" }, { "url": "https://git.kernel.org/stable/c/e553265ea56482da5700f56319fda9ff53e7dcb4" }, { "url": "https://git.kernel.org/stable/c/238920381b8925d070d32d73cd9ce52ab29896fe" }, { "url": "https://git.kernel.org/stable/c/1b9dadba502234eea7244879b8d5d126bfaf9f0c" } ], "title": "NFC: st21nfca: Fix memory leak in device probe and remove", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46924", "datePublished": "2024-02-27T09:43:54.792Z", "dateReserved": "2024-02-25T13:45:52.719Z", "dateUpdated": "2024-12-19T07:31:54.804Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46926
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: intel-sdw-acpi: harden detection of controller
The existing code currently sets a pointer to an ACPI handle before
checking that it's actually a SoundWire controller. This can lead to
issues where the graph walk continues and eventually fails, but the
pointer was set already.
This patch changes the logic so that the information provided to
the caller is set when a controller is found.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.895Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cce476954401e3421afafb25bbaa926050688b1d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/385f287f9853da402d94278e59f594501c1d1dad" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-46926", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T16:02:04.027406Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:24.369Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/hda/intel-sdw-acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cce476954401e3421afafb25bbaa926050688b1d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "385f287f9853da402d94278e59f594501c1d1dad", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/hda/intel-sdw-acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: harden detection of controller\n\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it\u0027s actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\n\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:57.101Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cce476954401e3421afafb25bbaa926050688b1d" }, { "url": "https://git.kernel.org/stable/c/385f287f9853da402d94278e59f594501c1d1dad" } ], "title": "ALSA: hda: intel-sdw-acpi: harden detection of controller", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46926", "datePublished": "2024-02-27T09:43:56.102Z", "dateReserved": "2024-02-25T13:45:52.719Z", "dateUpdated": "2024-12-19T07:31:57.101Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46931
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Wrap the tx reporter dump callback to extract the sq
Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct
mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually
of type struct mlx5e_tx_timeout_ctx *.
mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected
mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000
BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)
kernel stack overflow (page fault): 0000 [#1] SMP NOPTI
CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]
RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180
[mlx5_core]
Call Trace:
mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]
devlink_health_do_dump.part.91+0x71/0xd0
devlink_health_report+0x157/0x1b0
mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]
? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0
[mlx5_core]
? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]
? update_load_avg+0x19b/0x550
? set_next_entity+0x72/0x80
? pick_next_task_fair+0x227/0x340
? finish_task_switch+0xa2/0x280
mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]
process_one_work+0x1de/0x3a0
worker_thread+0x2d/0x3c0
? process_one_work+0x3a0/0x3a0
kthread+0x115/0x130
? kthread_park+0x90/0x90
ret_from_fork+0x1f/0x30
--[ end trace 51ccabea504edaff ]---
RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
end Kernel panic - not syncing: Fatal exception
To fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which
extracts the sq from struct mlx5e_tx_timeout_ctx and set it as the
TX-timeout-recovery flow dump callback.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46931", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-26T20:41:09.616105Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-26T20:41:36.460Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.989Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/73665165b64a8f3c5b3534009a69be55bb744f05" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/07f13d58a8ecc3baf9a488588fb38c5cb0db484f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/918fc3855a6507a200e9cf22c20be852c0982687" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "73665165b64a8f3c5b3534009a69be55bb744f05", "status": "affected", "version": "5f29458b77d51c104554575b73184c243930aa87", "versionType": "git" }, { "lessThan": "07f13d58a8ecc3baf9a488588fb38c5cb0db484f", "status": "affected", "version": "5f29458b77d51c104554575b73184c243930aa87", "versionType": "git" }, { "lessThan": "918fc3855a6507a200e9cf22c20be852c0982687", "status": "affected", "version": "5f29458b77d51c104554575b73184c243930aa87", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Wrap the tx reporter dump callback to extract the sq\n\nFunction mlx5e_tx_reporter_dump_sq() casts its void * argument to struct\nmlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually\nof type struct mlx5e_tx_timeout_ctx *.\n\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000\n BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)\n kernel stack overflow (page fault): 0000 [#1] SMP NOPTI\n CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n [mlx5_core]\n Call Trace:\n mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]\n devlink_health_do_dump.part.91+0x71/0xd0\n devlink_health_report+0x157/0x1b0\n mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]\n ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0\n [mlx5_core]\n ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]\n ? update_load_avg+0x19b/0x550\n ? set_next_entity+0x72/0x80\n ? pick_next_task_fair+0x227/0x340\n ? finish_task_switch+0xa2/0x280\n mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]\n process_one_work+0x1de/0x3a0\n worker_thread+0x2d/0x3c0\n ? process_one_work+0x3a0/0x3a0\n kthread+0x115/0x130\n ? kthread_park+0x90/0x90\n ret_from_fork+0x1f/0x30\n --[ end trace 51ccabea504edaff ]---\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception\n Kernel Offset: disabled\n end Kernel panic - not syncing: Fatal exception\n\nTo fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which\nextracts the sq from struct mlx5e_tx_timeout_ctx and set it as the\nTX-timeout-recovery flow dump callback." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:02.899Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/73665165b64a8f3c5b3534009a69be55bb744f05" }, { "url": "https://git.kernel.org/stable/c/07f13d58a8ecc3baf9a488588fb38c5cb0db484f" }, { "url": "https://git.kernel.org/stable/c/918fc3855a6507a200e9cf22c20be852c0982687" } ], "title": "net/mlx5e: Wrap the tx reporter dump callback to extract the sq", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46931", "datePublished": "2024-02-27T09:43:59.373Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:02.899Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46923
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/mount_setattr: always cleanup mount_kattr
Make sure that finish_mount_kattr() is called after mount_kattr was
succesfully built in both the success and failure case to prevent
leaking any references we took when we built it. We returned early if
path lookup failed thereby risking to leak an additional reference we
took when building mount_kattr when an idmapped mount was requested.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46923", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T16:15:38.368509Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:08.089Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:43.009Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/47b5d0a7532d39e42a938f81e3904268145c341d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/012e332286e2bb9f6ac77d195f17e74b2963d663" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/namespace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "47b5d0a7532d39e42a938f81e3904268145c341d", "status": "affected", "version": "9caccd41541a6f7d6279928d9f971f6642c361af", "versionType": "git" }, { "lessThan": "012e332286e2bb9f6ac77d195f17e74b2963d663", "status": "affected", "version": "9caccd41541a6f7d6279928d9f971f6642c361af", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/namespace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/mount_setattr: always cleanup mount_kattr\n\nMake sure that finish_mount_kattr() is called after mount_kattr was\nsuccesfully built in both the success and failure case to prevent\nleaking any references we took when we built it. We returned early if\npath lookup failed thereby risking to leak an additional reference we\ntook when building mount_kattr when an idmapped mount was requested." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:53.617Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/47b5d0a7532d39e42a938f81e3904268145c341d" }, { "url": "https://git.kernel.org/stable/c/012e332286e2bb9f6ac77d195f17e74b2963d663" } ], "title": "fs/mount_setattr: always cleanup mount_kattr", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46923", "datePublished": "2024-02-27T09:43:54.159Z", "dateReserved": "2024-02-25T13:45:52.719Z", "dateUpdated": "2024-12-19T07:31:53.617Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46921
Vulnerability from cvelistv5
Published
2024-02-27 09:36
Modified
2024-12-19 07:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
locking/qrwlock: Fix ordering in queued_write_lock_slowpath()
While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock. The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isn’t ordered. This exposes the window between the
acquire and the cmpxchg to an A-B-A problem which allows reads
following the lock acquisition to observe values speculatively before
the write lock is truly acquired.
We've seen a problem in epoll where the reader does a xchg while
holding the read lock, but the writer can see a value change out from
under it.
Writer | Reader
--------------------------------------------------------------------------------
ep_scan_ready_list() |
|- write_lock_irq() |
|- queued_write_lock_slowpath() |
|- atomic_cond_read_acquire() |
| read_lock_irqsave(&ep->lock, flags);
--> (observes value before unlock) | chain_epi_lockless()
| | epi->next = xchg(&ep->ovflist, epi);
| | read_unlock_irqrestore(&ep->lock, flags);
| |
| atomic_cmpxchg_relaxed() |
|-- READ_ONCE(ep->ovflist); |
A core can order the read of the ovflist ahead of the
atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
semantics addresses this issue at which point the atomic_cond_read can
be switched to use relaxed semantics.
[peterz: use try_cmpxchg()]
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b519b56e378ee82caf9b079b04f5db87dedc3251 Version: b519b56e378ee82caf9b079b04f5db87dedc3251 Version: b519b56e378ee82caf9b079b04f5db87dedc3251 Version: b519b56e378ee82caf9b079b04f5db87dedc3251 Version: b519b56e378ee82caf9b079b04f5db87dedc3251 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46921", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T16:11:46.310286Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:01.427Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.848Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/locking/qrwlock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5902f9453a313be8fe78cbd7e7ca9dba9319fc6e", "status": "affected", "version": "b519b56e378ee82caf9b079b04f5db87dedc3251", "versionType": "git" }, { "lessThan": "82808cc026811fbc3ecf0c0b267a12a339eead56", "status": "affected", "version": "b519b56e378ee82caf9b079b04f5db87dedc3251", "versionType": "git" }, { "lessThan": "82fa9ced35d88581cffa4a1c856fc41fca96d80a", "status": "affected", "version": "b519b56e378ee82caf9b079b04f5db87dedc3251", "versionType": "git" }, { "lessThan": "d558fcdb17139728347bccc60a16af3e639649d2", "status": "affected", "version": "b519b56e378ee82caf9b079b04f5db87dedc3251", "versionType": "git" }, { "lessThan": "84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896", "status": "affected", "version": "b519b56e378ee82caf9b079b04f5db87dedc3251", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/locking/qrwlock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.189", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.115", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.33", "versionType": "semver" }, { "lessThanOrEqual": "5.11.*", "status": "unaffected", "version": "5.11.17", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/qrwlock: Fix ordering in queued_write_lock_slowpath()\n\nWhile this code is executed with the wait_lock held, a reader can\nacquire the lock without holding wait_lock. The writer side loops\nchecking the value with the atomic_cond_read_acquire(), but only truly\nacquires the lock when the compare-and-exchange is completed\nsuccessfully which isn\u2019t ordered. This exposes the window between the\nacquire and the cmpxchg to an A-B-A problem which allows reads\nfollowing the lock acquisition to observe values speculatively before\nthe write lock is truly acquired.\n\nWe\u0027ve seen a problem in epoll where the reader does a xchg while\nholding the read lock, but the writer can see a value change out from\nunder it.\n\n Writer | Reader\n --------------------------------------------------------------------------------\n ep_scan_ready_list() |\n |- write_lock_irq() |\n |- queued_write_lock_slowpath() |\n\t|- atomic_cond_read_acquire() |\n\t\t\t\t | read_lock_irqsave(\u0026ep-\u003elock, flags);\n --\u003e (observes value before unlock) | chain_epi_lockless()\n | | epi-\u003enext = xchg(\u0026ep-\u003eovflist, epi);\n | | read_unlock_irqrestore(\u0026ep-\u003elock, flags);\n | |\n | atomic_cmpxchg_relaxed() |\n |-- READ_ONCE(ep-\u003eovflist); |\n\nA core can order the read of the ovflist ahead of the\natomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire\nsemantics addresses this issue at which point the atomic_cond_read can\nbe switched to use relaxed semantics.\n\n[peterz: use try_cmpxchg()]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:31:51.325Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e" }, { "url": "https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56" }, { "url": "https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a" }, { "url": "https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2" }, { "url": "https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896" } ], "title": "locking/qrwlock: Fix ordering in queued_write_lock_slowpath()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46921", "datePublished": "2024-02-27T09:36:26.461Z", "dateReserved": "2024-02-25T13:45:52.719Z", "dateUpdated": "2024-12-19T07:31:51.325Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46934
Vulnerability from cvelistv5
Published
2024-02-27 09:44
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: validate user data in compat ioctl
Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compact ioctl to prevent reported
warnings
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7d5cb45655f2e9e37ef75d18f50c0072ef14a38b Version: 7d5cb45655f2e9e37ef75d18f50c0072ef14a38b Version: 7d5cb45655f2e9e37ef75d18f50c0072ef14a38b Version: 7d5cb45655f2e9e37ef75d18f50c0072ef14a38b Version: 7d5cb45655f2e9e37ef75d18f50c0072ef14a38b |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46934", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T16:18:35.081460Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:06.191Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.874Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/407c8708fb1bf2d4afc5337ef50635cf540c364b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9e4a3f47eff476097e0c7faac04d1831fc70237d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8d31cbab4c295d7010ebb729e9d02d0e9cece18f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f68599581067e8a5a8901ba9eb270b4519690e26" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bb436283e25aaf1533ce061605d23a9564447bdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/i2c/i2c-dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "407c8708fb1bf2d4afc5337ef50635cf540c364b", "status": "affected", "version": "7d5cb45655f2e9e37ef75d18f50c0072ef14a38b", "versionType": "git" }, { "lessThan": "9e4a3f47eff476097e0c7faac04d1831fc70237d", "status": "affected", "version": "7d5cb45655f2e9e37ef75d18f50c0072ef14a38b", "versionType": "git" }, { "lessThan": "8d31cbab4c295d7010ebb729e9d02d0e9cece18f", "status": "affected", "version": "7d5cb45655f2e9e37ef75d18f50c0072ef14a38b", "versionType": "git" }, { "lessThan": "f68599581067e8a5a8901ba9eb270b4519690e26", "status": "affected", "version": "7d5cb45655f2e9e37ef75d18f50c0072ef14a38b", "versionType": "git" }, { "lessThan": "bb436283e25aaf1533ce061605d23a9564447bdf", "status": "affected", "version": "7d5cb45655f2e9e37ef75d18f50c0072ef14a38b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/i2c/i2c-dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: validate user data in compat ioctl\n\nWrong user data may cause warning in i2c_transfer(), ex: zero msgs.\nUserspace should not be able to trigger warnings, so this patch adds\nvalidation checks for user data in compact ioctl to prevent reported\nwarnings" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:06.306Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/407c8708fb1bf2d4afc5337ef50635cf540c364b" }, { "url": "https://git.kernel.org/stable/c/9e4a3f47eff476097e0c7faac04d1831fc70237d" }, { "url": "https://git.kernel.org/stable/c/8d31cbab4c295d7010ebb729e9d02d0e9cece18f" }, { "url": "https://git.kernel.org/stable/c/f68599581067e8a5a8901ba9eb270b4519690e26" }, { "url": "https://git.kernel.org/stable/c/bb436283e25aaf1533ce061605d23a9564447bdf" } ], "title": "i2c: validate user data in compat ioctl", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46934", "datePublished": "2024-02-27T09:44:01.411Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:06.306Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46930
Vulnerability from cvelistv5
Published
2024-02-27 09:43
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: mtu3: fix list_head check warning
This is caused by uninitialization of list_head.
BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46930", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T20:52:42.615834Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:03.494Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.987Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/585e2b244dda7ea733274e4b8fa27853d625d3bf" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3b6efe0b7ba03cc2acf0694b46d6ff33c5b4c295" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/249ddfbe00570d6dc76208e88017937d4d374c79" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/mtu3/mtu3_gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "585e2b244dda7ea733274e4b8fa27853d625d3bf", "status": "affected", "version": "83374e035b6286731c5aa617844c7b724294c2a7", "versionType": "git" }, { "lessThan": "3b6efe0b7ba03cc2acf0694b46d6ff33c5b4c295", "status": "affected", "version": "83374e035b6286731c5aa617844c7b724294c2a7", "versionType": "git" }, { "lessThan": "249ddfbe00570d6dc76208e88017937d4d374c79", "status": "affected", "version": "83374e035b6286731c5aa617844c7b724294c2a7", "versionType": "git" }, { "lessThan": "8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf", "status": "affected", "version": "83374e035b6286731c5aa617844c7b724294c2a7", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/mtu3/mtu3_gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.2" }, { "lessThan": "5.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: mtu3: fix list_head check warning\n\nThis is caused by uninitialization of list_head.\n\nBUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4\n\nCall trace:\ndump_backtrace+0x0/0x298\nshow_stack+0x24/0x34\ndump_stack+0x130/0x1a8\nprint_address_description+0x88/0x56c\n__kasan_report+0x1b8/0x2a0\nkasan_report+0x14/0x20\n__asan_load8+0x9c/0xa0\n__list_del_entry_valid+0x34/0xe4\nmtu3_req_complete+0x4c/0x300 [mtu3]\nmtu3_gadget_stop+0x168/0x448 [mtu3]\nusb_gadget_unregister_driver+0x204/0x3a0\nunregister_gadget_item+0x44/0xa4" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:01.697Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/585e2b244dda7ea733274e4b8fa27853d625d3bf" }, { "url": "https://git.kernel.org/stable/c/3b6efe0b7ba03cc2acf0694b46d6ff33c5b4c295" }, { "url": "https://git.kernel.org/stable/c/249ddfbe00570d6dc76208e88017937d4d374c79" }, { "url": "https://git.kernel.org/stable/c/8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf" } ], "title": "usb: mtu3: fix list_head check warning", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46930", "datePublished": "2024-02-27T09:43:58.710Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:01.697Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46935
Vulnerability from cvelistv5
Published
2024-02-27 09:44
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
binder: fix async_free_space accounting for empty parcels
In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.
Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less. These small transactions are uncommon, so this accounting issue
has gone undetected for several years.
The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 74310e06be4d74dcf67cd108366710dee5c576d5 Version: 74310e06be4d74dcf67cd108366710dee5c576d5 Version: 74310e06be4d74dcf67cd108366710dee5c576d5 Version: 74310e06be4d74dcf67cd108366710dee5c576d5 Version: 74310e06be4d74dcf67cd108366710dee5c576d5 Version: 74310e06be4d74dcf67cd108366710dee5c576d5 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46935", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T20:52:57.585284Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:03.611Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:43.010Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/android/binder_alloc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2d2df539d05205fd83c404d5f2dff48d36f9b495", "status": "affected", "version": "74310e06be4d74dcf67cd108366710dee5c576d5", "versionType": "git" }, { "lessThan": "7c7064402609aeb6fb11be1b4ec10673ff17b593", "status": "affected", "version": "74310e06be4d74dcf67cd108366710dee5c576d5", "versionType": "git" }, { "lessThan": "103b16a8c51f96d5fe063022869ea906c256e5da", "status": "affected", "version": "74310e06be4d74dcf67cd108366710dee5c576d5", "versionType": "git" }, { "lessThan": "1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4", "status": "affected", "version": "74310e06be4d74dcf67cd108366710dee5c576d5", "versionType": "git" }, { "lessThan": "17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff", "status": "affected", "version": "74310e06be4d74dcf67cd108366710dee5c576d5", "versionType": "git" }, { "lessThan": "cfd0d84ba28c18b531648c9d4a35ecca89ad9901", "status": "affected", "version": "74310e06be4d74dcf67cd108366710dee5c576d5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/android/binder_alloc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.14" }, { "lessThan": "4.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.261", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix async_free_space accounting for empty parcels\n\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\n\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless. These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\n\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads \u003c 8 bytes." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:07.436Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495" }, { "url": "https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593" }, { "url": "https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da" }, { "url": "https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4" }, { "url": "https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff" }, { "url": "https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901" } ], "title": "binder: fix async_free_space accounting for empty parcels", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46935", "datePublished": "2024-02-27T09:44:02.071Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:07.436Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.