Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-0534
Vulnerability from csaf_certbund
Published
2024-03-03 23:00
Modified
2024-07-24 22:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein lokaler Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen oder einen nicht spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0534 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0534.json" }, { "category": "self", "summary": "WID-SEC-2024-0534 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0534" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0855-1 vom 2024-03-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018151.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0900-1 vom 2024-03-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018167.html" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030141-CVE-2021-47069-5797@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030141-CVE-2021-47070-0525@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030141-CVE-2021-47071-cd46@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030141-CVE-2021-47072-52d4@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47073-704a@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47074-46a7@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47075-8d12@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47076-a6b6@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47077-994b@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47078-71f9@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47079-3934@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030142-CVE-2021-47080-eb20@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030143-CVE-2021-47081-e590@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030251-CVE-2023-52518-bcfa@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030252-CVE-2022-48627-c7bf@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030252-CVE-2023-52559-680e@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030252-CVE-2023-52560-c3de@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030253-CVE-2023-52561-89b2@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030253-CVE-2023-52563-269f@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030253-CVE-2023-52564-88cb@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030254-CVE-2023-52565-07ce@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030254-CVE-2023-52566-69f0@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030254-CVE-2023-52567-38c1@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030255-CVE-2023-52568-b5c6@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030255-CVE-2023-52569-a9c1@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030255-CVE-2023-52570-0789@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030255-CVE-2023-52571-087e@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030255-CVE-2024-26621-9300@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030256-CVE-2023-52572-2b92@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030256-CVE-2023-52573-531c@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030256-CVE-2023-52574-a423@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030256-CVE-2023-52575-34bf@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030257-CVE-2023-52576-7ee2@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030257-CVE-2023-52577-2638@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030257-CVE-2023-52578-50cb@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030257-CVE-2023-52579-af56@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030258-CVE-2023-52580-c37e@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030258-CVE-2023-52581-2165@gregkh/" }, { "category": "external", "summary": "CVE Announce auf lore.kernel.org vom 2024-03-03", "url": "http://lore.kernel.org/linux-cve-announce/2024030258-CVE-2023-52582-07c8@gregkh/" }, { "category": "external", "summary": "RedHat Bugzilla vom 2024-03-03", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267507" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-86jx-fj9h-9hp8" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-f8jx-pmvg-jgfh" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-fh4f-4w54-vgrf" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-h234-f9wp-jpmr" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-hr4c-2jrx-4v7g" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-j6qg-38wf-82gm" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-mvcc-fjcm-33jm" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-mx24-9c8c-52xx" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-r9r6-c43w-4hr8" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-vhp7-fvvc-gp4m" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-vvwp-xfww-2qhh" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-w2cg-jcf6-hrgr" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-x9q8-72p3-mmvx" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-xc3g-cm27-mcmg" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-03", "url": "https://github.com/advisories/GHSA-xqf9-qrgq-fxfv" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0856-1 vom 2024-03-13", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018155.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0857-1 vom 2024-03-13", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018154.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0900-2 vom 2024-03-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018182.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0975-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018186.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0925-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018205.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0976-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018185.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0926-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018204.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0977-1 vom 2024-03-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018210.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1320-1 vom 2024-04-16", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018372.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1322-1 vom 2024-04-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018374.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1321-1 vom 2024-04-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018375.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1322-2 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018377.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1332-1 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018376.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1332-2 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018378.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1454-1 vom 2024-04-26", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018431.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1466-1 vom 2024-04-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018438.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:2394 vom 2024-04-30", "url": "https://access.redhat.com/errata/RHSA-2024:2394" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1480-1 vom 2024-04-30", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018444.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1490-1 vom 2024-05-03", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018445.html" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-198 vom 2024-05-08", "url": "https://www.dell.com/support/kbdoc/000224827/dsa-2024-=" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1645-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018527.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1646-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018526.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1642-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018530.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1643-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018529.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1648-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018524.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1650-1 vom 2024-05-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018533.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1659-1 vom 2024-05-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018538.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6778-1 vom 2024-05-16", "url": "https://ubuntu.com/security/notices/USN-6778-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-1 vom 2024-05-16", "url": "https://ubuntu.com/security/notices/USN-6777-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-2 vom 2024-05-20", "url": "https://ubuntu.com/security/notices/USN-6777-2" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1648-2 vom 2024-05-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018572.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-3 vom 2024-05-22", "url": "https://ubuntu.com/security/notices/USN-6777-3" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:2950 vom 2024-05-22", "url": "https://access.redhat.com/errata/RHSA-2024:2950" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3138 vom 2024-05-22", "url": "https://access.redhat.com/errata/RHSA-2024:3138" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-4 vom 2024-05-23", "url": "https://ubuntu.com/security/notices/USN-6777-4" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3462 vom 2024-05-29", "url": "https://access.redhat.com/errata/RHSA-2024:3462" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1870-1 vom 2024-05-30", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018634.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3530 vom 2024-05-31", "url": "https://access.redhat.com/errata/RHSA-2024:3530" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3528 vom 2024-05-31", "url": "https://access.redhat.com/errata/RHSA-2024:3528" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3529 vom 2024-05-31", "url": "https://access.redhat.com/errata/RHSA-2024:3529" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3618 vom 2024-06-05", "url": "https://access.redhat.com/errata/RHSA-2024:3618" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3627 vom 2024-06-05", "url": "https://access.redhat.com/errata/RHSA-2024:3627" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-3618 vom 2024-06-06", "url": "https://linux.oracle.com/errata/ELSA-2024-3618.html" }, { "category": "external", "summary": "IBM Security Bulletin 7156774 vom 2024-06-07", "url": "https://www.ibm.com/support/pages/node/7156774" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1979-1 vom 2024-06-11", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018685.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1983-1 vom 2024-06-11", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018700.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3810 vom 2024-06-11", "url": "https://access.redhat.com/errata/RHSA-2024:3810" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6831-1 vom 2024-06-12", "url": "https://ubuntu.com/security/notices/USN-6831-1" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2010-1 vom 2024-06-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018711.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2183-1 vom 2024-06-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018808.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2184-1 vom 2024-06-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018807.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2185-1 vom 2024-06-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018809.html" }, { "category": "external", "summary": "Debian Security Advisory DLA-3840 vom 2024-06-27", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4211 vom 2024-07-02", "url": "https://access.redhat.com/errata/RHSA-2024:4211" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-4211 vom 2024-07-03", "url": "https://linux.oracle.com/errata/ELSA-2024-4211.html" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-022 vom 2024-07-03", "url": "https://www.dell.com/support/kbdoc/de-de/000226633/dsa-2024-022-security-update-for-dell-networker-vproxy-multiple-component-vulnerabilities" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6867-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6867-1" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4352 vom 2024-07-08", "url": "https://access.redhat.com/errata/RHSA-2024:4352" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4321 vom 2024-07-10", "url": "https://access.redhat.com/errata/RHSA-2024:4321" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-1 vom 2024-07-12", "url": "https://ubuntu.com/security/notices/USN-6896-1" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4533 vom 2024-07-15", "url": "https://access.redhat.com/errata/RHSA-2024:4533" }, { "category": "external", "summary": "Rocky Linux Security Advisory RLSA-2024:4211 vom 2024-07-15", "url": "https://errata.build.resf.org/RLSA-2024:4211" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4554 vom 2024-07-16", "url": "https://access.redhat.com/errata/RHSA-2024:4554" }, { "category": "external", "summary": "Rocky Linux Security Advisory RLSA-2024:4352 vom 2024-07-15", "url": "https://errata.build.resf.org/RLSA-2024:4352" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-2 vom 2024-07-16", "url": "https://ubuntu.com/security/notices/USN-6896-2" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4583 vom 2024-07-17", "url": "https://access.redhat.com/errata/RHSA-2024:4583" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-3 vom 2024-07-17", "url": "https://ubuntu.com/security/notices/USN-6896-3" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-4583 vom 2024-07-19", "url": "https://linux.oracle.com/errata/ELSA-2024-4583.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4631 vom 2024-07-18", "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-4 vom 2024-07-19", "url": "https://ubuntu.com/security/notices/USN-6896-4" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-5 vom 2024-07-23", "url": "https://ubuntu.com/security/notices/USN-6896-5" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4823 vom 2024-07-24", "url": "https://access.redhat.com/errata/RHSA-2024:4823" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4831 vom 2024-07-24", "url": "https://access.redhat.com/errata/RHSA-2024:4831" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-07-24T22:00:00.000+00:00", "generator": { "date": "2024-07-25T08:36:01.156+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0534", "initial_release_date": "2024-03-03T23:00:00.000+00:00", "revision_history": [ { "date": "2024-03-03T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-03-12T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-03-14T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-03-17T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-03-24T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-16T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-18T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-21T22:00:00.000+00:00", "number": "8", "summary": "Doppelte Eintragung korrigiert" }, { "date": "2024-04-28T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-29T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-01T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-02T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-07T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Dell aufgenommen" }, { "date": "2024-05-14T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-15T22:00:00.000+00:00", "number": "15", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-16T22:00:00.000+00:00", "number": "16", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-05-20T22:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-05-21T22:00:00.000+00:00", "number": "18", "summary": "Neue Updates von SUSE und Ubuntu aufgenommen" }, { "date": "2024-05-23T22:00:00.000+00:00", "number": "19", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-05-28T22:00:00.000+00:00", "number": "20", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-05-30T22:00:00.000+00:00", "number": "21", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-02T22:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-06-04T22:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-06-06T22:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-06-09T22:00:00.000+00:00", "number": "25", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-06-10T22:00:00.000+00:00", "number": "26", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-11T22:00:00.000+00:00", "number": "27", "summary": "Neue Updates von SUSE und Red Hat aufgenommen" }, { "date": "2024-06-12T22:00:00.000+00:00", "number": "28", "summary": "Neue Updates von Ubuntu und SUSE aufgenommen" }, { "date": "2024-06-24T22:00:00.000+00:00", "number": "29", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-27T22:00:00.000+00:00", "number": "30", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2024-07-01T22:00:00.000+00:00", "number": "31", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-07-02T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von Oracle Linux und Dell aufgenommen" }, { "date": "2024-07-03T22:00:00.000+00:00", "number": "33", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-07-07T22:00:00.000+00:00", "number": "34", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-07-10T22:00:00.000+00:00", "number": "35", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-07-14T22:00:00.000+00:00", "number": "36", "summary": "Neue Updates von Ubuntu und Red Hat aufgenommen" }, { "date": "2024-07-15T22:00:00.000+00:00", "number": "37", "summary": "Neue Updates von Rocky Enterprise Software Foundation und Red Hat aufgenommen" }, { "date": "2024-07-16T22:00:00.000+00:00", "number": "38", "summary": "Neue Updates von Ubuntu und Red Hat aufgenommen" }, { "date": "2024-07-17T22:00:00.000+00:00", "number": "39", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-07-18T22:00:00.000+00:00", "number": "40", "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen" }, { "date": "2024-07-22T22:00:00.000+00:00", "number": "41", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-07-24T22:00:00.000+00:00", "number": "42", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "42" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "virtual", "product": { "name": "Dell NetWorker virtual", "product_id": "T034583", "product_identification_helper": { "cpe": "cpe:/a:dell:networker:virtual" } } }, { "category": "product_version_range", "name": "\u003c19.11", "product": { "name": "Dell NetWorker \u003c19.11", "product_id": "T035785", "product_identification_helper": { "cpe": "cpe:/a:dell:networker:19.11" } } } ], "category": "product_name", "name": "NetWorker" } ], "category": "vendor", "name": "Dell" }, { "branches": [ { "category": "product_name", "name": "EMC Avamar", "product": { "name": "EMC Avamar", "product_id": "T014381", "product_identification_helper": { "cpe": "cpe:/a:emc:avamar:-" } } } ], "category": "vendor", "name": "EMC" }, { "branches": [ { "category": "product_name", "name": "IBM QRadar SIEM", "product": { "name": "IBM QRadar SIEM", "product_id": "T021415", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:-" } } } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T033208", "product_identification_helper": { "cpe": "cpe:/o:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "RESF Rocky Linux", "product": { "name": "RESF Rocky Linux", "product_id": "T032255", "product_identification_helper": { "cpe": "cpe:/o:resf:rocky_linux:-" } } } ], "category": "vendor", "name": "RESF" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-47069", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47069" }, { "cve": "CVE-2021-47070", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47070" }, { "cve": "CVE-2021-47071", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47071" }, { "cve": "CVE-2021-47072", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47072" }, { "cve": "CVE-2021-47073", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47073" }, { "cve": "CVE-2021-47074", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47074" }, { "cve": "CVE-2021-47075", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47075" }, { "cve": "CVE-2021-47076", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47076" }, { "cve": "CVE-2021-47077", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47077" }, { "cve": "CVE-2021-47078", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47078" }, { "cve": "CVE-2021-47079", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47079" }, { "cve": "CVE-2021-47080", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47080" }, { "cve": "CVE-2021-47081", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2021-47081" }, { "cve": "CVE-2022-48627", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2022-48627" }, { "cve": "CVE-2022-48628", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2022-48628" }, { "cve": "CVE-2023-52505", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52505" }, { "cve": "CVE-2023-52518", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52518" }, { "cve": "CVE-2023-52519", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52519" }, { "cve": "CVE-2023-52520", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52520" }, { "cve": "CVE-2023-52521", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52521" }, { "cve": "CVE-2023-52522", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52522" }, { "cve": "CVE-2023-52523", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52523" }, { "cve": "CVE-2023-52524", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52524" }, { "cve": "CVE-2023-52525", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52525" }, { "cve": "CVE-2023-52526", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52526" }, { "cve": "CVE-2023-52527", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52527" }, { "cve": "CVE-2023-52528", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52528" }, { "cve": "CVE-2023-52529", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52529" }, { "cve": "CVE-2023-52531", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52531" }, { "cve": "CVE-2023-52532", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52532" }, { "cve": "CVE-2023-52559", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52559" }, { "cve": "CVE-2023-52560", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52560" }, { "cve": "CVE-2023-52561", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52561" }, { "cve": "CVE-2023-52562", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52562" }, { "cve": "CVE-2023-52563", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52563" }, { "cve": "CVE-2023-52564", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52564" }, { "cve": "CVE-2023-52565", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52565" }, { "cve": "CVE-2023-52566", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52566" }, { "cve": "CVE-2023-52567", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52567" }, { "cve": "CVE-2023-52568", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52568" }, { "cve": "CVE-2023-52569", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52569" }, { "cve": "CVE-2023-52570", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52570" }, { "cve": "CVE-2023-52571", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52571" }, { "cve": "CVE-2023-52572", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52572" }, { "cve": "CVE-2023-52573", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52573" }, { "cve": "CVE-2023-52574", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52574" }, { "cve": "CVE-2023-52575", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52575" }, { "cve": "CVE-2023-52576", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52576" }, { "cve": "CVE-2023-52577", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52577" }, { "cve": "CVE-2023-52578", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52578" }, { "cve": "CVE-2023-52579", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52579" }, { "cve": "CVE-2023-52580", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52580" }, { "cve": "CVE-2023-52581", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52581" }, { "cve": "CVE-2023-52582", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2023-52582" }, { "cve": "CVE-2024-26621", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie btrfs, nvmet oder dccp aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen \u0027Denial of Service\u0027-Zustand auszul\u00f6sen und einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "T014381", "2951", "T002207", "T033208", "67646", "T000126", "T021415", "T034583", "T004914", "T032255", "T035785" ] }, "release_date": "2024-03-03T23:00:00Z", "title": "CVE-2024-26621" } ] }
cve-2021-47073
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems
where the Dell WMI interface is supported. While exit_dell_smbios_wmi()
unregisters it unconditionally, this leads to the following oops:
[ 175.722921] ------------[ cut here ]------------
[ 175.722925] Unexpected driver unregister!
[ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40
...
[ 175.723089] Call Trace:
[ 175.723094] cleanup_module+0x5/0xedd [dell_smbios]
...
[ 175.723148] ---[ end trace 064c34e1ad49509d ]---
Make the unregister happen on the same condition the register happens
to fix this.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1a258e670434f404a4500b65ba1afea2c2b29bba Version: 1a258e670434f404a4500b65ba1afea2c2b29bba Version: 1a258e670434f404a4500b65ba1afea2c2b29bba Version: 1a258e670434f404a4500b65ba1afea2c2b29bba Version: 1a258e670434f404a4500b65ba1afea2c2b29bba |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47073", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T22:11:59.293322Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:13:23.078Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.704Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/75cfc833da4a2111106d4c134e93e0c7f41e35e7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6fa78a6b9a3beb676a010dc489c1257f7e432525" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0cf036a0d325200e6c27b90908e51195bbc557b1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8d746ea7c687bab060a2c05a35c449302406cd52" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3a53587423d25c87af4b4126a806a0575104b45e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/platform/x86/dell/dell-smbios-wmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "75cfc833da4a2111106d4c134e93e0c7f41e35e7", "status": "affected", "version": "1a258e670434f404a4500b65ba1afea2c2b29bba", "versionType": "git" }, { "lessThan": "6fa78a6b9a3beb676a010dc489c1257f7e432525", "status": "affected", "version": "1a258e670434f404a4500b65ba1afea2c2b29bba", "versionType": "git" }, { "lessThan": "0cf036a0d325200e6c27b90908e51195bbc557b1", "status": "affected", "version": "1a258e670434f404a4500b65ba1afea2c2b29bba", "versionType": "git" }, { "lessThan": "8d746ea7c687bab060a2c05a35c449302406cd52", "status": "affected", "version": "1a258e670434f404a4500b65ba1afea2c2b29bba", "versionType": "git" }, { "lessThan": "3a53587423d25c87af4b4126a806a0575104b45e", "status": "affected", "version": "1a258e670434f404a4500b65ba1afea2c2b29bba", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/platform/x86/dell/dell-smbios-wmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.192", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.122", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios\n\ninit_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems\nwhere the Dell WMI interface is supported. While exit_dell_smbios_wmi()\nunregisters it unconditionally, this leads to the following oops:\n\n[ 175.722921] ------------[ cut here ]------------\n[ 175.722925] Unexpected driver unregister!\n[ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40\n...\n[ 175.723089] Call Trace:\n[ 175.723094] cleanup_module+0x5/0xedd [dell_smbios]\n...\n[ 175.723148] ---[ end trace 064c34e1ad49509d ]---\n\nMake the unregister happen on the same condition the register happens\nto fix this." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:44.949Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/75cfc833da4a2111106d4c134e93e0c7f41e35e7" }, { "url": "https://git.kernel.org/stable/c/6fa78a6b9a3beb676a010dc489c1257f7e432525" }, { "url": "https://git.kernel.org/stable/c/0cf036a0d325200e6c27b90908e51195bbc557b1" }, { "url": "https://git.kernel.org/stable/c/8d746ea7c687bab060a2c05a35c449302406cd52" }, { "url": "https://git.kernel.org/stable/c/3a53587423d25c87af4b4126a806a0575104b45e" } ], "title": "platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47073", "datePublished": "2024-03-01T21:15:11.466Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:44.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-48628
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:04
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: drop messages from MDS when unmounting
When unmounting all the dirty buffers will be flushed and after
the last osd request is finished the last reference of the i_count
will be released. Then it will flush the dirty cap/snap to MDSs,
and the unmounting won't wait the possible acks, which will ihold
the inodes when updating the metadata locally but makes no sense
any more, of this. This will make the evict_inodes() to skip these
inodes.
If encrypt is enabled the kernel generate a warning when removing
the encrypt keys when the skipped inodes still hold the keyring:
WARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0
CPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1
Hardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015
RIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0
RSP: 0018:ffffc9000b277e28 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00
RDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000
RBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000
R10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40
R13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000
FS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
generic_shutdown_super+0x47/0x120
kill_anon_super+0x14/0x30
ceph_kill_sb+0x36/0x90 [ceph]
deactivate_locked_super+0x29/0x60
cleanup_mnt+0xb8/0x140
task_work_run+0x67/0xb0
exit_to_user_mode_prepare+0x23d/0x240
syscall_exit_to_user_mode+0x25/0x60
do_syscall_64+0x40/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd83dc39e9b
Later the kernel will crash when iput() the inodes and dereferencing
the "sb->s_master_keys", which has been released by the
generic_shutdown_super().
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2022-48628", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:14:21.087994Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:14:33.364Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-03T15:17:55.568Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ceph/caps.c", "fs/ceph/mds_client.c", "fs/ceph/mds_client.h", "fs/ceph/quota.c", "fs/ceph/snap.c", "fs/ceph/super.c", "fs/ceph/super.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "89744b64914426cbabceb3d8a149176b5dafdfb5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "47f82395f04a976d4fa97de7f2acffa1c1096571", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ceph/caps.c", "fs/ceph/mds_client.c", "fs/ceph/mds_client.h", "fs/ceph/quota.c", "fs/ceph/snap.c", "fs/ceph/super.c", "fs/ceph/super.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: drop messages from MDS when unmounting\n\nWhen unmounting all the dirty buffers will be flushed and after\nthe last osd request is finished the last reference of the i_count\nwill be released. Then it will flush the dirty cap/snap to MDSs,\nand the unmounting won\u0027t wait the possible acks, which will ihold\nthe inodes when updating the metadata locally but makes no sense\nany more, of this. This will make the evict_inodes() to skip these\ninodes.\n\nIf encrypt is enabled the kernel generate a warning when removing\nthe encrypt keys when the skipped inodes still hold the keyring:\n\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\ngeneric_shutdown_super+0x47/0x120\nkill_anon_super+0x14/0x30\nceph_kill_sb+0x36/0x90 [ceph]\ndeactivate_locked_super+0x29/0x60\ncleanup_mnt+0xb8/0x140\ntask_work_run+0x67/0xb0\nexit_to_user_mode_prepare+0x23d/0x240\nsyscall_exit_to_user_mode+0x25/0x60\ndo_syscall_64+0x40/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd83dc39e9b\n\nLater the kernel will crash when iput() the inodes and dereferencing\nthe \"sb-\u003es_master_keys\", which has been released by the\ngeneric_shutdown_super()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:04:37.352Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5" }, { "url": "https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571" }, { "url": "https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd" } ], "title": "ceph: drop messages from MDS when unmounting", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-48628", "datePublished": "2024-03-02T21:52:14.626Z", "dateReserved": "2024-02-25T13:44:28.314Z", "dateUpdated": "2024-12-19T08:04:37.352Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52523
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages
sent from one TCP socket (s1) to actually egress from another TCP
socket (s2):
tcp_bpf_sendmsg(s1) // = sk_prot->sendmsg
tcp_bpf_send_verdict(s1) // __SK_REDIRECT case
tcp_bpf_sendmsg_redir(s2)
tcp_bpf_push_locked(s2)
tcp_bpf_push(s2)
tcp_rate_check_app_limited(s2) // expects tcp_sock
tcp_sendmsg_locked(s2) // ditto
There is a hard-coded assumption in the call-chain, that the egress
socket (s2) is a TCP socket.
However in commit 122e6c79efe1 ("sock_map: Update sock type checks for
UDP") we have enabled redirects to non-TCP sockets. This was done for the
sake of BPF sk_skb programs. There was no indention to support sk_msg
send-to-egress use case.
As a result, attempts to send-to-egress through a non-TCP socket lead to a
crash due to invalid downcast from sock to tcp_sock:
BUG: kernel NULL pointer dereference, address: 000000000000002f
...
Call Trace:
<TASK>
? show_regs+0x60/0x70
? __die+0x1f/0x70
? page_fault_oops+0x80/0x160
? do_user_addr_fault+0x2d7/0x800
? rcu_is_watching+0x11/0x50
? exc_page_fault+0x70/0x1c0
? asm_exc_page_fault+0x27/0x30
? tcp_tso_segs+0x14/0xa0
tcp_write_xmit+0x67/0xce0
__tcp_push_pending_frames+0x32/0xf0
tcp_push+0x107/0x140
tcp_sendmsg_locked+0x99f/0xbb0
tcp_bpf_push+0x19d/0x3a0
tcp_bpf_sendmsg_redir+0x55/0xd0
tcp_bpf_send_verdict+0x407/0x550
tcp_bpf_sendmsg+0x1a1/0x390
inet_sendmsg+0x6a/0x70
sock_sendmsg+0x9d/0xc0
? sockfd_lookup_light+0x12/0x80
__sys_sendto+0x10e/0x160
? syscall_enter_from_user_mode+0x20/0x60
? __this_cpu_preempt_check+0x13/0x20
? lockdep_hardirqs_on+0x82/0x110
__x64_sys_sendto+0x1f/0x30
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg
program to prevent the crash. When attempted, user will receive an EACCES
error from send/sendto/sendmsg() syscall.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52523", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T15:32:59.403562Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:22:46.142Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.665Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bc8b89b6963803a123f64aa9494155a037b3d728" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ded6e448028f0f91b6af35985afca01fa02a9089" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b80e31baa43614e086a9d29dc1151932b1bd7fc5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/sock_map.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "bc8b89b6963803a123f64aa9494155a037b3d728", "status": "affected", "version": "122e6c79efe1c25816118aca9cfabe54e99c2432", "versionType": "git" }, { "lessThan": "b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2", "status": "affected", "version": "122e6c79efe1c25816118aca9cfabe54e99c2432", "versionType": "git" }, { "lessThan": "ded6e448028f0f91b6af35985afca01fa02a9089", "status": "affected", "version": "122e6c79efe1c25816118aca9cfabe54e99c2432", "versionType": "git" }, { "lessThan": "b80e31baa43614e086a9d29dc1151932b1bd7fc5", "status": "affected", "version": "122e6c79efe1c25816118aca9cfabe54e99c2432", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/sock_map.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets\n\nWith a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages\nsent from one TCP socket (s1) to actually egress from another TCP\nsocket (s2):\n\ntcp_bpf_sendmsg(s1)\t\t// = sk_prot-\u003esendmsg\n tcp_bpf_send_verdict(s1)\t// __SK_REDIRECT case\n tcp_bpf_sendmsg_redir(s2)\n tcp_bpf_push_locked(s2)\n\ttcp_bpf_push(s2)\n\t tcp_rate_check_app_limited(s2) // expects tcp_sock\n\t tcp_sendmsg_locked(s2)\t // ditto\n\nThere is a hard-coded assumption in the call-chain, that the egress\nsocket (s2) is a TCP socket.\n\nHowever in commit 122e6c79efe1 (\"sock_map: Update sock type checks for\nUDP\") we have enabled redirects to non-TCP sockets. This was done for the\nsake of BPF sk_skb programs. There was no indention to support sk_msg\nsend-to-egress use case.\n\nAs a result, attempts to send-to-egress through a non-TCP socket lead to a\ncrash due to invalid downcast from sock to tcp_sock:\n\n BUG: kernel NULL pointer dereference, address: 000000000000002f\n ...\n Call Trace:\n \u003cTASK\u003e\n ? show_regs+0x60/0x70\n ? __die+0x1f/0x70\n ? page_fault_oops+0x80/0x160\n ? do_user_addr_fault+0x2d7/0x800\n ? rcu_is_watching+0x11/0x50\n ? exc_page_fault+0x70/0x1c0\n ? asm_exc_page_fault+0x27/0x30\n ? tcp_tso_segs+0x14/0xa0\n tcp_write_xmit+0x67/0xce0\n __tcp_push_pending_frames+0x32/0xf0\n tcp_push+0x107/0x140\n tcp_sendmsg_locked+0x99f/0xbb0\n tcp_bpf_push+0x19d/0x3a0\n tcp_bpf_sendmsg_redir+0x55/0xd0\n tcp_bpf_send_verdict+0x407/0x550\n tcp_bpf_sendmsg+0x1a1/0x390\n inet_sendmsg+0x6a/0x70\n sock_sendmsg+0x9d/0xc0\n ? sockfd_lookup_light+0x12/0x80\n __sys_sendto+0x10e/0x160\n ? syscall_enter_from_user_mode+0x20/0x60\n ? __this_cpu_preempt_check+0x13/0x20\n ? lockdep_hardirqs_on+0x82/0x110\n __x64_sys_sendto+0x1f/0x30\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nReject selecting a non-TCP sockets as redirect target from a BPF sk_msg\nprogram to prevent the crash. When attempted, user will receive an EACCES\nerror from send/sendto/sendmsg() syscall." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:25.802Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/bc8b89b6963803a123f64aa9494155a037b3d728" }, { "url": "https://git.kernel.org/stable/c/b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2" }, { "url": "https://git.kernel.org/stable/c/ded6e448028f0f91b6af35985afca01fa02a9089" }, { "url": "https://git.kernel.org/stable/c/b80e31baa43614e086a9d29dc1151932b1bd7fc5" } ], "title": "bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52523", "datePublished": "2024-03-02T21:52:30.351Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-12-19T08:21:25.802Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52525
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
Only skip the code path trying to access the rfc1042 headers when the
buffer is too small, so the driver can still process packets without
rfc1042 headers.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f517c97fc129995de77dd06aa5a74f909ebf568f Version: 8824aa4ab62c800f75d96f48e1883a5f56ec5869 Version: 29eca8b7863d1d7de6c5b746b374e3487d14f154 Version: 3fe3923d092e22d87d1ed03e2729db444b8c1331 Version: 7c54b6fc39eb1aac51cf2945f8a25e2a47fdca02 Version: 3975e21d4d01efaf0296ded40d11c06589c49245 Version: 650d1bc02fba7b42f476d8b6643324abac5921ed Version: 11958528161731c58e105b501ed60b83a91ea941 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52525", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T22:09:59.772787Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:22:08.743Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.670Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/71b1d2b57f145c8469aa9346f0fd57bf59b2b89c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/16cc18b9080892d1a0200a38e36ae52e464bc555" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b8e260654a29de872e7cb85387d8ab8974694e8e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/10a18c8bac7f60d32b7af22da03b66f350beee38" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5afb996349cb6d1f14d6ba9aaa7aed3bd82534f6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6b706286473db4fd54b5f869faa67f4a8cb18e99" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/be2ff39b1504c5359f4a083c1cfcad21d666e216" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/aef7a0300047e7b4707ea0411dc9597cba108fc8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/marvell/mwifiex/sta_rx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "71b1d2b57f145c8469aa9346f0fd57bf59b2b89c", "status": "affected", "version": "f517c97fc129995de77dd06aa5a74f909ebf568f", "versionType": "git" }, { "lessThan": "16cc18b9080892d1a0200a38e36ae52e464bc555", "status": "affected", "version": "8824aa4ab62c800f75d96f48e1883a5f56ec5869", "versionType": "git" }, { "lessThan": "b8e260654a29de872e7cb85387d8ab8974694e8e", "status": "affected", "version": "29eca8b7863d1d7de6c5b746b374e3487d14f154", "versionType": "git" }, { "lessThan": "10a18c8bac7f60d32b7af22da03b66f350beee38", "status": "affected", "version": "3fe3923d092e22d87d1ed03e2729db444b8c1331", "versionType": "git" }, { "lessThan": "5afb996349cb6d1f14d6ba9aaa7aed3bd82534f6", "status": "affected", "version": "7c54b6fc39eb1aac51cf2945f8a25e2a47fdca02", "versionType": "git" }, { "lessThan": "6b706286473db4fd54b5f869faa67f4a8cb18e99", "status": "affected", "version": "3975e21d4d01efaf0296ded40d11c06589c49245", "versionType": "git" }, { "lessThan": "be2ff39b1504c5359f4a083c1cfcad21d666e216", "status": "affected", "version": "650d1bc02fba7b42f476d8b6643324abac5921ed", "versionType": "git" }, { "lessThan": "aef7a0300047e7b4707ea0411dc9597cba108fc8", "status": "affected", "version": "11958528161731c58e105b501ed60b83a91ea941", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/marvell/mwifiex/sta_rx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4.14.327", "status": "affected", "version": "4.14.326", "versionType": "semver" }, { "lessThan": "4.19.296", "status": "affected", "version": "4.19.295", "versionType": "semver" }, { "lessThan": "5.4.258", "status": "affected", "version": "5.4.257", "versionType": "semver" }, { "lessThan": "5.10.198", "status": "affected", "version": "5.10.195", "versionType": "semver" }, { "lessThan": "5.15.135", "status": "affected", "version": "5.15.132", "versionType": "semver" }, { "lessThan": "6.1.57", "status": "affected", "version": "6.1.53", "versionType": "semver" }, { "lessThan": "6.5.7", "status": "affected", "version": "6.5.3", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet\n\nOnly skip the code path trying to access the rfc1042 headers when the\nbuffer is too small, so the driver can still process packets without\nrfc1042 headers." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:28.163Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/71b1d2b57f145c8469aa9346f0fd57bf59b2b89c" }, { "url": "https://git.kernel.org/stable/c/16cc18b9080892d1a0200a38e36ae52e464bc555" }, { "url": "https://git.kernel.org/stable/c/b8e260654a29de872e7cb85387d8ab8974694e8e" }, { "url": "https://git.kernel.org/stable/c/10a18c8bac7f60d32b7af22da03b66f350beee38" }, { "url": "https://git.kernel.org/stable/c/5afb996349cb6d1f14d6ba9aaa7aed3bd82534f6" }, { "url": "https://git.kernel.org/stable/c/6b706286473db4fd54b5f869faa67f4a8cb18e99" }, { "url": "https://git.kernel.org/stable/c/be2ff39b1504c5359f4a083c1cfcad21d666e216" }, { "url": "https://git.kernel.org/stable/c/aef7a0300047e7b4707ea0411dc9597cba108fc8" } ], "title": "wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52525", "datePublished": "2024-03-02T21:52:31.638Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-12-19T08:21:28.163Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52528
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
syzbot reported the following uninit-value access issue:
=====================================================
BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x21c/0x280 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737
usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374
really_probe+0xf20/0x20b0 drivers/base/dd.c:529
driver_probe_device+0x293/0x390 drivers/base/dd.c:701
__device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
__device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032
usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241
usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272
really_probe+0xf20/0x20b0 drivers/base/dd.c:529
driver_probe_device+0x293/0x390 drivers/base/dd.c:701
__device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
__device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554
hub_port_connect drivers/usb/core/hub.c:5208 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
port_event drivers/usb/core/hub.c:5494 [inline]
hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576
process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
kthread+0x551/0x590 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Local variable ----buf.i87@smsc75xx_bind created at:
__smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482
__smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482
This issue is caused because usbnet_read_cmd() reads less bytes than requested
(zero byte in the reproducer). In this case, 'buf' is not properly filled.
This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
less bytes than requested.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d0cad871703b898a442e4049c532ec39168e5b57 Version: d0cad871703b898a442e4049c532ec39168e5b57 Version: d0cad871703b898a442e4049c532ec39168e5b57 Version: d0cad871703b898a442e4049c532ec39168e5b57 Version: d0cad871703b898a442e4049c532ec39168e5b57 Version: d0cad871703b898a442e4049c532ec39168e5b57 Version: d0cad871703b898a442e4049c532ec39168e5b57 Version: d0cad871703b898a442e4049c532ec39168e5b57 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.625Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-52528", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:56:40.232002Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:39.789Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/usb/smsc75xx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3e0af6eec1789fd11934164a7f4dbcad979855a4", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" }, { "lessThan": "2a36d9e2995c8c3c3f179aab1215a69cff06cbed", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" }, { "lessThan": "310f1c92f65ad905b7e81fe14de82d979ebbd825", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" }, { "lessThan": "30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" }, { "lessThan": "cda10784a176d7192f08ecb518f777a4e9575812", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" }, { "lessThan": "9ffc5018020fe646795a8dc1203224b8f776dc09", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" }, { "lessThan": "4931e80da9463b03bfe42be54a9a19f213b0f76d", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" }, { "lessThan": "e9c65989920f7c28775ec4e0c11b483910fb67b8", "status": "affected", "version": "d0cad871703b898a442e4049c532ec39168e5b57", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/usb/smsc75xx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.34" }, { "lessThan": "2.6.34", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.327", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.296", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\n\nsyzbot reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\n\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, \u0027buf\u0027 is not properly filled.\n\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:31.616Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4" }, { "url": "https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed" }, { "url": "https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825" }, { "url": "https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5" }, { "url": "https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812" }, { "url": "https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09" }, { "url": "https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d" }, { "url": "https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8" } ], "title": "net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52528", "datePublished": "2024-03-02T21:52:33.554Z", "dateReserved": "2024-02-20T12:30:33.318Z", "dateUpdated": "2024-12-19T08:21:31.616Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52565
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix OOB read
If the index provided by the user is bigger than the mask size, we might do
an out of bound read.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.865Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/09635bf4cdd4adf2160198a6041bcc7ca46c0558" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8bcf70d787f7d53a3b85ad394f926cfef3eed023" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/41ebaa5e0eebea4c3bac96b72f9f8ae0d77c0bdb" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-52565", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:56:29.446061Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:36.805Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/usb/uvc/uvc_ctrl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "09635bf4cdd4adf2160198a6041bcc7ca46c0558", "status": "affected", "version": "367703c3ec4f72208b8cae14310b8a2c955ec565", "versionType": "git" }, { "lessThan": "8bcf70d787f7d53a3b85ad394f926cfef3eed023", "status": "affected", "version": "40140eda661ea4be219ef194a4f43b7b5e3bbd27", "versionType": "git" }, { "lessThan": "41ebaa5e0eebea4c3bac96b72f9f8ae0d77c0bdb", "status": "affected", "version": "40140eda661ea4be219ef194a4f43b7b5e3bbd27", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/usb/uvc/uvc_ctrl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix OOB read\n\nIf the index provided by the user is bigger than the mask size, we might do\nan out of bound read." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:44.527Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/09635bf4cdd4adf2160198a6041bcc7ca46c0558" }, { "url": "https://git.kernel.org/stable/c/8bcf70d787f7d53a3b85ad394f926cfef3eed023" }, { "url": "https://git.kernel.org/stable/c/41ebaa5e0eebea4c3bac96b72f9f8ae0d77c0bdb" } ], "title": "media: uvcvideo: Fix OOB read", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52565", "datePublished": "2024-03-02T21:59:37.505Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:44.527Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52524
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: llcp: Add lock when modifying device list
The device list needs its associated lock held when modifying it, or the
list could become corrupted, as syzbot discovered.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: dd6ff3f3862709ab1a12566e73b9d6a9b8f6e548 Version: 96f2c6f272ec04083d828de46285a7d7b17d1aad Version: fc8429f8d86801f092fbfbd257c3af821ac0dcd3 Version: 425d9d3a92df7d96b3cfb7ee5c240293a21cbde3 Version: 6709d4b7bc2e079241fdef15d1160581c5261c10 Version: 6709d4b7bc2e079241fdef15d1160581c5261c10 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52524", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T20:30:07.758768Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:00.826Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.704Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/nfc/llcp_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "191d87a19cf1005ecf41e1ae08d74e17379e8391", "status": "affected", "version": "dd6ff3f3862709ab1a12566e73b9d6a9b8f6e548", "versionType": "git" }, { "lessThan": "dba849cc98113b145c6e720122942c00b8012bdb", "status": "affected", "version": "96f2c6f272ec04083d828de46285a7d7b17d1aad", "versionType": "git" }, { "lessThan": "4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b", "status": "affected", "version": "fc8429f8d86801f092fbfbd257c3af821ac0dcd3", "versionType": "git" }, { "lessThan": "7562780e32b84196731d57dd24563546fcf6d082", "status": "affected", "version": "425d9d3a92df7d96b3cfb7ee5c240293a21cbde3", "versionType": "git" }, { "lessThan": "29c16c2bf5866326d5fbc4a537b3997fcac23391", "status": "affected", "version": "6709d4b7bc2e079241fdef15d1160581c5261c10", "versionType": "git" }, { "lessThan": "dfc7f7a988dad34c3bf4c053124fb26aa6c5f916", "status": "affected", "version": "6709d4b7bc2e079241fdef15d1160581c5261c10", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/nfc/llcp_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: llcp: Add lock when modifying device list\n\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:26.973Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391" }, { "url": "https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb" }, { "url": "https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b" }, { "url": "https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082" }, { "url": "https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391" }, { "url": "https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916" } ], "title": "net: nfc: llcp: Add lock when modifying device list", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52524", "datePublished": "2024-03-02T21:52:30.995Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-12-19T08:21:26.973Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52579
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2024-03-04T16:02:53.698Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52579", "datePublished": "2024-03-02T21:59:46.545Z", "dateRejected": "2024-03-04T16:02:53.698Z", "dateReserved": "2024-03-02T21:55:42.569Z", "dateUpdated": "2024-03-04T16:02:53.698Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }
cve-2023-52570
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()
Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in
kobject_add_internal() in kobject_init_and_add() in mdev_type_add()
in parent_create_sysfs_files(), it will return 0 and probe successfully.
And when rmmod mdpy.ko, the mdpy_dev_exit() will call
mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized
parent->types[i] in parent_remove_sysfs_files(), and it will cause
below null-ptr-deref.
If mdev_type_add() fails, return the error code and kset_unregister()
to fix the issue.
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
? die_addr+0x3d/0xa0
? exc_general_protection+0x144/0x220
? asm_exc_general_protection+0x22/0x30
? __kobject_del+0x62/0x1c0
kobject_del+0x32/0x50
parent_remove_sysfs_files+0xd6/0x170 [mdev]
mdev_unregister_parent+0xfb/0x190 [mdev]
? mdev_register_parent+0x270/0x270 [mdev]
? find_module_all+0x9d/0xe0
mdpy_dev_exit+0x17/0x63 [mdpy]
__do_sys_delete_module.constprop.0+0x2fa/0x4b0
? module_flags+0x300/0x300
? __fput+0x4e7/0xa00
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fbc813221b7
Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0
</TASK>
Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(000
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52570", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T15:46:34.702017Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:48.078Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.897Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/vfio/mdev/mdev_sysfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4", "status": "affected", "version": "da44c340c4fe9d9653ae84fa6a60f406bafcffce", "versionType": "git" }, { "lessThan": "52093779b1830ac184a23848d971f06404cf513e", "status": "affected", "version": "da44c340c4fe9d9653ae84fa6a60f406bafcffce", "versionType": "git" }, { "lessThan": "c777b11d34e0f47dbbc4b018ef65ad030f2b283a", "status": "affected", "version": "da44c340c4fe9d9653ae84fa6a60f406bafcffce", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/vfio/mdev/mdev_sysfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()\n\nInject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in\nkobject_add_internal() in kobject_init_and_add() in mdev_type_add()\nin parent_create_sysfs_files(), it will return 0 and probe successfully.\nAnd when rmmod mdpy.ko, the mdpy_dev_exit() will call\nmdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized\nparent-\u003etypes[i] in parent_remove_sysfs_files(), and it will cause\nbelow null-ptr-deref.\n\nIf mdev_type_add() fails, return the error code and kset_unregister()\nto fix the issue.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0\n DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea\n DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ? die_addr+0x3d/0xa0\n ? exc_general_protection+0x144/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? __kobject_del+0x62/0x1c0\n kobject_del+0x32/0x50\n parent_remove_sysfs_files+0xd6/0x170 [mdev]\n mdev_unregister_parent+0xfb/0x190 [mdev]\n ? mdev_register_parent+0x270/0x270 [mdev]\n ? find_module_all+0x9d/0xe0\n mdpy_dev_exit+0x17/0x63 [mdpy]\n __do_sys_delete_module.constprop.0+0x2fa/0x4b0\n ? module_flags+0x300/0x300\n ? __fput+0x4e7/0xa00\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fbc813221b7\n Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7\n RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58\n RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000\n R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870\n R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0\n \u003c/TASK\u003e\n Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]\n Dumping ftrace buffer:\n (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(000\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:50.840Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4" }, { "url": "https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e" }, { "url": "https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a" } ], "title": "vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52570", "datePublished": "2024-03-02T21:59:40.724Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:50.840Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52527
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
Including the transhdrlen in length is a problem when the packet is
partially filled (e.g. something like send(MSG_MORE) happened previously)
when appending to an IPv4 or IPv6 packet as we don't want to repeat the
transport header or account for it twice. This can happen under some
circumstances, such as splicing into an L2TP socket.
The symptom observed is a warning in __ip6_append_data():
WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800
that occurs when MSG_SPLICE_PAGES is used to append more data to an already
partially occupied skbuff. The warning occurs when 'copy' is larger than
the amount of data in the message iterator. This is because the requested
length includes the transport header length when it shouldn't. This can be
triggered by, for example:
sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);
bind(sfd, ...); // ::1
connect(sfd, ...); // ::1 port 7
send(sfd, buffer, 4100, MSG_MORE);
sendfile(sfd, dfd, NULL, 1024);
Fix this by only adding transhdrlen into the length if the write queue is
empty in l2tp_ip6_sendmsg(), analogously to how UDP does things.
l2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds
the UDP packet itself.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 Version: a32e0eec7042b21ccb52896cf715e3e2641fed93 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52527", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-07T20:08:11.890861Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:47.261Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.760Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/l2tp/l2tp_ip6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7626b9fed53092aa2147978070e610ecb61af844", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" }, { "lessThan": "559d697c5d072593d22b3e0bd8b8081108aeaf59", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" }, { "lessThan": "1fc793d68d50dee4782ef2e808913d5dd880bcc6", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" }, { "lessThan": "96b2e1090397217839fcd6c9b6d8f5d439e705ed", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" }, { "lessThan": "cd1189956393bf850b2e275e37411855d3bd86bb", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" }, { "lessThan": "f6a7182179c0ed788e3755ee2ed18c888ddcc33f", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" }, { "lessThan": "fe80658c08e3001c80c5533cd41abfbb0e0e28fd", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" }, { "lessThan": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070", "status": "affected", "version": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/l2tp/l2tp_ip6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.5" }, { "lessThan": "3.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.327", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.296", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\n\nIncluding the transhdrlen in length is a problem when the packet is\npartially filled (e.g. something like send(MSG_MORE) happened previously)\nwhen appending to an IPv4 or IPv6 packet as we don\u0027t want to repeat the\ntransport header or account for it twice. This can happen under some\ncircumstances, such as splicing into an L2TP socket.\n\nThe symptom observed is a warning in __ip6_append_data():\n\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\n\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\npartially occupied skbuff. The warning occurs when \u0027copy\u0027 is larger than\nthe amount of data in the message iterator. This is because the requested\nlength includes the transport header length when it shouldn\u0027t. This can be\ntriggered by, for example:\n\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\n bind(sfd, ...); // ::1\n connect(sfd, ...); // ::1 port 7\n send(sfd, buffer, 4100, MSG_MORE);\n sendfile(sfd, dfd, NULL, 1024);\n\nFix this by only adding transhdrlen into the length if the write queue is\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\n\nl2tp_ip_sendmsg() looks like it won\u0027t suffer from this problem as it builds\nthe UDP packet itself." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:30.444Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844" }, { "url": "https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59" }, { "url": "https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6" }, { "url": "https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed" }, { "url": "https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb" }, { "url": "https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f" }, { "url": "https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd" }, { "url": "https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070" } ], "title": "ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52527", "datePublished": "2024-03-02T21:52:32.890Z", "dateReserved": "2024-02-20T12:30:33.318Z", "dateUpdated": "2024-12-19T08:21:30.444Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52576
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()
The code calling ima_free_kexec_buffer() runs long after the memblock
allocator has already been torn down, potentially resulting in a use
after free in memblock_isolate_range().
With KASAN or KFENCE, this use after free will result in a BUG
from the idle task, and a subsequent kernel panic.
Switch ima_free_kexec_buffer() over to memblock_free_late() to avoid
that bug.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52576", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T14:52:41.445700Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T15:52:22.842Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.880Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kernel/setup.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "eef16bfdb212da60f5144689f2967fb25b051a2b", "status": "affected", "version": "fee3ff99bc67604fba77f19da0106f3ec52b1956", "versionType": "git" }, { "lessThan": "d2dfbc0e3b7a04c2d941421a958dc31c897fb204", "status": "affected", "version": "fee3ff99bc67604fba77f19da0106f3ec52b1956", "versionType": "git" }, { "lessThan": "34cf99c250d5cd2530b93a57b0de31d3aaf8685b", "status": "affected", "version": "fee3ff99bc67604fba77f19da0106f3ec52b1956", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kernel/setup.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\n\nThe code calling ima_free_kexec_buffer() runs long after the memblock\nallocator has already been torn down, potentially resulting in a use\nafter free in memblock_isolate_range().\n\nWith KASAN or KFENCE, this use after free will result in a BUG\nfrom the idle task, and a subsequent kernel panic.\n\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\nthat bug." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:56.680Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b" }, { "url": "https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204" }, { "url": "https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b" } ], "title": "x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52576", "datePublished": "2024-03-02T21:59:44.545Z", "dateReserved": "2024-03-02T21:55:42.568Z", "dateUpdated": "2024-12-19T08:21:56.680Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52581
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:22
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix memleak when more than 255 elements expired
When more than 255 elements expired we're supposed to switch to a new gc
container structure.
This never happens: u8 type will wrap before reaching the boundary
and nft_trans_gc_space() always returns true.
This means we recycle the initial gc container structure and
lose track of the elements that came before.
While at it, don't deref 'gc' after we've passed it to call_rcu.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8da1b048f9a501d3d7d38c188ba09d7d0d5b8c27 Version: bbdb3b65aa91aa0a32b212f27780b28987f2d94f Version: 448be0774882f95a74fa5eb7519761152add601b Version: d19e8bf3ea4114dd21fc35da21f398203d7f7df1 Version: ea3eb9f2192e4fc33b795673e56c97a21987f868 Version: 5f68718b34a531a556f2f50300ead2862278da26 Version: 5f68718b34a531a556f2f50300ead2862278da26 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52581", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T20:19:37.141289Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T14:54:23.969Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:21.164Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7cf055b43756b10aa2b851c927c940f5ed652125" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a995a68e8a3b48533e47c856865d109a1f1a9d01" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/09c85f2d21ab6b5acba31a037985b13e8e6565b8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ef99506eaf1dc31feff1adfcfd68bc5535a22171" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7e5d732e6902eb6a37b35480796838a145ae5f07" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4aea243b6853d06c1d160a9955b759189aa02b14" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cf5000a7787cbc10341091d37245a42c119d26c5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/netfilter/nf_tables.h", "net/netfilter/nf_tables_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7cf055b43756b10aa2b851c927c940f5ed652125", "status": "affected", "version": "8da1b048f9a501d3d7d38c188ba09d7d0d5b8c27", "versionType": "git" }, { "lessThan": "a995a68e8a3b48533e47c856865d109a1f1a9d01", "status": "affected", "version": "bbdb3b65aa91aa0a32b212f27780b28987f2d94f", "versionType": "git" }, { "lessThan": "09c85f2d21ab6b5acba31a037985b13e8e6565b8", "status": "affected", "version": "448be0774882f95a74fa5eb7519761152add601b", "versionType": "git" }, { "lessThan": "ef99506eaf1dc31feff1adfcfd68bc5535a22171", "status": "affected", "version": "d19e8bf3ea4114dd21fc35da21f398203d7f7df1", "versionType": "git" }, { "lessThan": "7e5d732e6902eb6a37b35480796838a145ae5f07", "status": "affected", "version": "ea3eb9f2192e4fc33b795673e56c97a21987f868", "versionType": "git" }, { "lessThan": "4aea243b6853d06c1d160a9955b759189aa02b14", "status": "affected", "version": "5f68718b34a531a556f2f50300ead2862278da26", "versionType": "git" }, { "lessThan": "cf5000a7787cbc10341091d37245a42c119d26c5", "status": "affected", "version": "5f68718b34a531a556f2f50300ead2862278da26", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/netfilter/nf_tables.h", "net/netfilter/nf_tables_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak when more than 255 elements expired\n\nWhen more than 255 elements expired we\u0027re supposed to switch to a new gc\ncontainer structure.\n\nThis never happens: u8 type will wrap before reaching the boundary\nand nft_trans_gc_space() always returns true.\n\nThis means we recycle the initial gc container structure and\nlose track of the elements that came before.\n\nWhile at it, don\u0027t deref \u0027gc\u0027 after we\u0027ve passed it to call_rcu." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:22:01.432Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7cf055b43756b10aa2b851c927c940f5ed652125" }, { "url": "https://git.kernel.org/stable/c/a995a68e8a3b48533e47c856865d109a1f1a9d01" }, { "url": "https://git.kernel.org/stable/c/09c85f2d21ab6b5acba31a037985b13e8e6565b8" }, { "url": "https://git.kernel.org/stable/c/ef99506eaf1dc31feff1adfcfd68bc5535a22171" }, { "url": "https://git.kernel.org/stable/c/7e5d732e6902eb6a37b35480796838a145ae5f07" }, { "url": "https://git.kernel.org/stable/c/4aea243b6853d06c1d160a9955b759189aa02b14" }, { "url": "https://git.kernel.org/stable/c/cf5000a7787cbc10341091d37245a42c119d26c5" } ], "title": "netfilter: nf_tables: fix memleak when more than 255 elements expired", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52581", "datePublished": "2024-03-02T21:59:47.856Z", "dateReserved": "2024-03-02T21:55:42.569Z", "dateUpdated": "2024-12-19T08:22:01.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52521
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2024-03-05T22:23:15.078Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52521", "datePublished": "2024-03-02T21:52:29.058Z", "dateRejected": "2024-03-05T22:23:15.078Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-03-05T22:23:15.078Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }
cve-2023-52561
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved
Adding a reserved memory region for the framebuffer memory
(the splash memory region set up by the bootloader).
It fixes a kernel panic (arm-smmu: Unhandled context fault
at this particular memory region) reported on DB845c running
v5.10.y.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52561", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T20:27:01.427325Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T17:37:37.131Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.853Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/boot/dts/qcom/sdm845-db845c.dts" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "dc1ab6577475b0460ba4261cd9caec37bd62ca0b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "82dacd0ca0d9640723824026d6fdf773c02de1d2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "110e70fccce4f22b53986ae797d665ffb1950aa6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/boot/dts/qcom/sdm845-db845c.dts" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\n\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\n\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:39.641Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b" }, { "url": "https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2" }, { "url": "https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6" } ], "title": "arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52561", "datePublished": "2024-03-02T21:59:34.865Z", "dateReserved": "2024-03-02T21:55:42.566Z", "dateUpdated": "2024-12-19T08:21:39.641Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52563
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/meson: fix memory leak on ->hpd_notify callback
The EDID returned by drm_bridge_get_edid() needs to be freed.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.849Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/66cb6d74f5a1b6eafe3370b56bf2cb575a91acbc" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ee335e0094add7fc2c7034e0534e1920d61d2078" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/43b63e088887a8b82750e16762f77100ffa76cba" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/099f0af9d98231bb74956ce92508e87cbcb896be" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-52563", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:56:32.678323Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:37.258Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/meson/meson_encoder_hdmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "66cb6d74f5a1b6eafe3370b56bf2cb575a91acbc", "status": "affected", "version": "e098989a9219f4456047f9b0e8c44f03e29a843e", "versionType": "git" }, { "lessThan": "ee335e0094add7fc2c7034e0534e1920d61d2078", "status": "affected", "version": "0af5e0b41110e2da872030395231ab19c45be931", "versionType": "git" }, { "lessThan": "43b63e088887a8b82750e16762f77100ffa76cba", "status": "affected", "version": "0af5e0b41110e2da872030395231ab19c45be931", "versionType": "git" }, { "lessThan": "099f0af9d98231bb74956ce92508e87cbcb896be", "status": "affected", "version": "0af5e0b41110e2da872030395231ab19c45be931", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/meson/meson_encoder_hdmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.17" }, { "lessThan": "5.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: fix memory leak on -\u003ehpd_notify callback\n\nThe EDID returned by drm_bridge_get_edid() needs to be freed." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:42.216Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/66cb6d74f5a1b6eafe3370b56bf2cb575a91acbc" }, { "url": "https://git.kernel.org/stable/c/ee335e0094add7fc2c7034e0534e1920d61d2078" }, { "url": "https://git.kernel.org/stable/c/43b63e088887a8b82750e16762f77100ffa76cba" }, { "url": "https://git.kernel.org/stable/c/099f0af9d98231bb74956ce92508e87cbcb896be" } ], "title": "drm/meson: fix memory leak on -\u003ehpd_notify callback", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52563", "datePublished": "2024-03-02T21:59:36.220Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:42.216Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52575
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2024-04-24T21:51:03.172Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52575", "datePublished": "2024-03-02T21:59:43.915Z", "dateRejected": "2024-04-24T21:51:03.172Z", "dateReserved": "2024-03-02T21:55:42.568Z", "dateUpdated": "2024-04-24T21:51:03.172Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }
cve-2023-52562
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()
After the commit in Fixes:, if a module that created a slab cache does not
release all of its allocated objects before destroying the cache (at rmmod
time), we might end up releasing the kmem_cache object without removing it
from the slab_caches list thus corrupting the list as kmem_cache_destroy()
ignores the return value from shutdown_cache(), which in turn never removes
the kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails
to release all of the cache's slabs.
This is easily observable on a kernel built with CONFIG_DEBUG_LIST=y
as after that ill release the system will immediately trip on list_add,
or list_del, assertions similar to the one shown below as soon as another
kmem_cache gets created, or destroyed:
[ 1041.213632] list_del corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)
[ 1041.219165] ------------[ cut here ]------------
[ 1041.221517] kernel BUG at lib/list_debug.c:62!
[ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15
[ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023
[ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0
Another quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,
is to set slub_debug to poison the released objects and then just run
cat /proc/slabinfo after removing the module that leaks slab objects,
in which case the kernel will panic:
[ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI
[ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15
[ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023
[ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0
This patch fixes this issue by properly checking shutdown_cache()'s
return value before taking the kmem_cache_release() branch.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.744Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a5569bb187521432f509b69dda7d29f78b2d38b0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/51988be187b041e5355245957b0b9751fa382e0d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/46a9ea6681907a3be6b6b0d43776dccc62cad6cf" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-52562", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:56:36.342316Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:39.395Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/slab_common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a5569bb187521432f509b69dda7d29f78b2d38b0", "status": "affected", "version": "0495e337b7039191dfce6e03f5f830454b1fae6b", "versionType": "git" }, { "lessThan": "51988be187b041e5355245957b0b9751fa382e0d", "status": "affected", "version": "0495e337b7039191dfce6e03f5f830454b1fae6b", "versionType": "git" }, { "lessThan": "46a9ea6681907a3be6b6b0d43776dccc62cad6cf", "status": "affected", "version": "0495e337b7039191dfce6e03f5f830454b1fae6b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/slab_common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()\n\nAfter the commit in Fixes:, if a module that created a slab cache does not\nrelease all of its allocated objects before destroying the cache (at rmmod\ntime), we might end up releasing the kmem_cache object without removing it\nfrom the slab_caches list thus corrupting the list as kmem_cache_destroy()\nignores the return value from shutdown_cache(), which in turn never removes\nthe kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails\nto release all of the cache\u0027s slabs.\n\nThis is easily observable on a kernel built with CONFIG_DEBUG_LIST=y\nas after that ill release the system will immediately trip on list_add,\nor list_del, assertions similar to the one shown below as soon as another\nkmem_cache gets created, or destroyed:\n\n [ 1041.213632] list_del corruption. next-\u003eprev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)\n [ 1041.219165] ------------[ cut here ]------------\n [ 1041.221517] kernel BUG at lib/list_debug.c:62!\n [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0\n\nAnother quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,\nis to set slub_debug to poison the released objects and then just run\ncat /proc/slabinfo after removing the module that leaks slab objects,\nin which case the kernel will panic:\n\n [ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI\n [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0\n\nThis patch fixes this issue by properly checking shutdown_cache()\u0027s\nreturn value before taking the kmem_cache_release() branch." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:41.008Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a5569bb187521432f509b69dda7d29f78b2d38b0" }, { "url": "https://git.kernel.org/stable/c/51988be187b041e5355245957b0b9751fa382e0d" }, { "url": "https://git.kernel.org/stable/c/46a9ea6681907a3be6b6b0d43776dccc62cad6cf" } ], "title": "mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52562", "datePublished": "2024-03-02T21:59:35.568Z", "dateReserved": "2024-03-02T21:55:42.566Z", "dateUpdated": "2024-12-19T08:21:41.008Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52578
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: use DEV_STATS_INC()
syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
This function can run from multiple cpus without mutual exclusion.
Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
Handles updates to dev->stats.tx_dropped while we are at it.
[1]
BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish
read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
br_nf_hook_thresh+0x1ed/0x220
br_nf_pre_routing_finish_ipv6+0x50f/0x540
NF_HOOK include/linux/netfilter.h:304 [inline]
br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
process_backlog+0x21f/0x380 net/core/dev.c:5965
__napi_poll+0x60/0x3b0 net/core/dev.c:6527
napi_poll net/core/dev.c:6594 [inline]
net_rx_action+0x32b/0x750 net/core/dev.c:6727
__do_softirq+0xc1/0x265 kernel/softirq.c:553
run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
br_nf_hook_thresh+0x1ed/0x220
br_nf_pre_routing_finish_ipv6+0x50f/0x540
NF_HOOK include/linux/netfilter.h:304 [inline]
br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
process_backlog+0x21f/0x380 net/core/dev.c:5965
__napi_poll+0x60/0x3b0 net/core/dev.c:6527
napi_poll net/core/dev.c:6594 [inline]
net_rx_action+0x32b/0x750 net/core/dev.c:6727
__do_softirq+0xc1/0x265 kernel/softirq.c:553
do_softirq+0x5e/0x90 kernel/softirq.c:454
__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
value changed: 0x00000000000d7190 -> 0x00000000000d7191
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1c29fc4989bc2a3838b2837adc12b8aeb0feeede Version: 1c29fc4989bc2a3838b2837adc12b8aeb0feeede Version: 1c29fc4989bc2a3838b2837adc12b8aeb0feeede Version: 1c29fc4989bc2a3838b2837adc12b8aeb0feeede Version: 1c29fc4989bc2a3838b2837adc12b8aeb0feeede Version: 1c29fc4989bc2a3838b2837adc12b8aeb0feeede Version: 1c29fc4989bc2a3838b2837adc12b8aeb0feeede |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52578", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T19:38:46.923888Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:22:50.080Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:21.190Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bridge/br_forward.c", "net/bridge/br_input.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d2346e6beb699909ca455d9d20c4e577ce900839", "status": "affected", "version": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "versionType": "git" }, { "lessThan": "ad8d39c7b437fcdab7208a6a56c093d222c008d5", "status": "affected", "version": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "versionType": "git" }, { "lessThan": "04cc361f029c14dd067ad180525c7392334c9bfd", "status": "affected", "version": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "versionType": "git" }, { "lessThan": "8bc97117b51d68d5cea8f5351cca2d8c4153f394", "status": "affected", "version": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "versionType": "git" }, { "lessThan": "89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2", "status": "affected", "version": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "versionType": "git" }, { "lessThan": "f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa", "status": "affected", "version": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "versionType": "git" }, { "lessThan": "44bdb313da57322c9b3c108eb66981c6ec6509f4", "status": "affected", "version": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bridge/br_forward.c", "net/bridge/br_input.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.17" }, { "lessThan": "2.6.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.296", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use DEV_STATS_INC()\n\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\n\nAdopt SMP safe DEV_STATS_INC() to update dev-\u003estats fields.\n\nHandles updates to dev-\u003estats.tx_dropped while we are at it.\n\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nvalue changed: 0x00000000000d7190 -\u003e 0x00000000000d7191\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:58.964Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839" }, { "url": "https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5" }, { "url": "https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd" }, { "url": "https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394" }, { "url": "https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2" }, { "url": "https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa" }, { "url": "https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4" } ], "title": "net: bridge: use DEV_STATS_INC()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52578", "datePublished": "2024-03-02T21:59:45.921Z", "dateReserved": "2024-03-02T21:55:42.569Z", "dateUpdated": "2024-12-19T08:21:58.964Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47078
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Clear all QP fields if creation failed
rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly
created ones, but in case rxe_qp_from_init() failed it was filled with
garbage and caused tot the following error.
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800
R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000
FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
kref_put include/linux/kref.h:64 [inline]
rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805
execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327
rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391
kref_put include/linux/kref.h:65 [inline]
rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425
_ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]
ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231
ib_create_qp include/rdma/ib_verbs.h:3644 [inline]
create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920
ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]
ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092
add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717
enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331
ib_register_device drivers/infiniband/core/device.c:1413 [inline]
ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365
rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147
rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247
rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503
rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]
rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250
nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555
rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:674
____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
___sys_sendmsg+0xf3/0x170 net/socket.c:2404
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-47078", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-06T15:32:35.393910Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-31T14:21:09.508Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.601Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c65391dd9f0a47617e96e38bd27e277cbe1c40b0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6a8086a42dfbf548a42bf2ae4faa291645c72c66" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f3783c415bf6d2ead3d7aa2c38802bbe10723646" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a62225d951d77eb20208fed8fc199e0c9b1df08b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2ee4d79c364914989c80de382c0b1a7259a7e4b3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/03344e843ab6dd3b3f2cadfb65ed910590856c70" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/67f29896fdc83298eed5a6576ff8f9873f709228" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/sw/rxe/rxe_qp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c65391dd9f0a47617e96e38bd27e277cbe1c40b0", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" }, { "lessThan": "6a8086a42dfbf548a42bf2ae4faa291645c72c66", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" }, { "lessThan": "f3783c415bf6d2ead3d7aa2c38802bbe10723646", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" }, { "lessThan": "a62225d951d77eb20208fed8fc199e0c9b1df08b", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" }, { "lessThan": "2ee4d79c364914989c80de382c0b1a7259a7e4b3", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" }, { "lessThan": "03344e843ab6dd3b3f2cadfb65ed910590856c70", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" }, { "lessThan": "67f29896fdc83298eed5a6576ff8f9873f709228", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/sw/rxe/rxe_qp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.270", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.234", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.192", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.122", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Clear all QP fields if creation failed\n\nrxe_qp_do_cleanup() relies on valid pointer values in QP for the properly\ncreated ones, but in case rxe_qp_from_init() failed it was filled with\ngarbage and caused tot the following error.\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n Modules linked in:\n CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 \u003c0f\u003e 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55\n RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67\n RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\n R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800\n R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000\n FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n kref_put include/linux/kref.h:64 [inline]\n rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805\n execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327\n rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391\n kref_put include/linux/kref.h:65 [inline]\n rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425\n _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]\n ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231\n ib_create_qp include/rdma/ib_verbs.h:3644 [inline]\n create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920\n ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]\n ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092\n add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717\n enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331\n ib_register_device drivers/infiniband/core/device.c:1413 [inline]\n ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365\n rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147\n rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247\n rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503\n rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]\n rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250\n nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555\n rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n sock_sendmsg_nosec net/socket.c:654 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:674\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47\n entry_SYSCALL_64_after_hwframe+0\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:50.557Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c65391dd9f0a47617e96e38bd27e277cbe1c40b0" }, { "url": "https://git.kernel.org/stable/c/6a8086a42dfbf548a42bf2ae4faa291645c72c66" }, { "url": "https://git.kernel.org/stable/c/f3783c415bf6d2ead3d7aa2c38802bbe10723646" }, { "url": "https://git.kernel.org/stable/c/a62225d951d77eb20208fed8fc199e0c9b1df08b" }, { "url": "https://git.kernel.org/stable/c/2ee4d79c364914989c80de382c0b1a7259a7e4b3" }, { "url": "https://git.kernel.org/stable/c/03344e843ab6dd3b3f2cadfb65ed910590856c70" }, { "url": "https://git.kernel.org/stable/c/67f29896fdc83298eed5a6576ff8f9873f709228" } ], "title": "RDMA/rxe: Clear all QP fields if creation failed", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47078", "datePublished": "2024-03-01T21:15:14.679Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:50.557Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52569
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: remove BUG() after failure to insert delayed dir index item
Instead of calling BUG() when we fail to insert a delayed dir index item
into the delayed node's tree, we can just release all the resources we
have allocated/acquired before and return the error to the caller. This is
fine because all existing call chains undo anything they have done before
calling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending
snapshots in the transaction commit path).
So remove the BUG() call and do proper error handling.
This relates to a syzbot report linked below, but does not fix it because
it only prevents hitting a BUG(), it does not fix the issue where somehow
we attempt to use twice the same index number for different index items.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52569", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T15:57:36.904349Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:06.916Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.855Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/delayed-inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "39c4a9522db0072570d602e9b365119e17fb9f4f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/delayed-inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG() after failure to insert delayed dir index item\n\nInstead of calling BUG() when we fail to insert a delayed dir index item\ninto the delayed node\u0027s tree, we can just release all the resources we\nhave allocated/acquired before and return the error to the caller. This is\nfine because all existing call chains undo anything they have done before\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\nsnapshots in the transaction commit path).\n\nSo remove the BUG() call and do proper error handling.\n\nThis relates to a syzbot report linked below, but does not fix it because\nit only prevents hitting a BUG(), it does not fix the issue where somehow\nwe attempt to use twice the same index number for different index items." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:49.679Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f" }, { "url": "https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51" }, { "url": "https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9" } ], "title": "btrfs: remove BUG() after failure to insert delayed dir index item", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52569", "datePublished": "2024-03-02T21:59:40.081Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:49.679Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52571
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: rk817: Fix node refcount leak
Dan Carpenter reports that the Smatch static checker warning has found
that there is another refcount leak in the probe function. While
of_node_put() was added in one of the return paths, it should in
fact be added for ALL return paths that return an error and at driver
removal time.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52571", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T20:24:56.961928Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T16:42:26.167Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.874Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fe6406238d5a24e9fb0286c71edd67b99d8db58d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70326b46b6a043f7e7404b2ff678b033c06d6577" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/488ef44c068e79752dba8eda0b75f524f111a695" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/power/supply/rk817_charger.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fe6406238d5a24e9fb0286c71edd67b99d8db58d", "status": "affected", "version": "7d1e3961725e69774871b081a065c2b3640c5f0e", "versionType": "git" }, { "lessThan": "70326b46b6a043f7e7404b2ff678b033c06d6577", "status": "affected", "version": "54c03bfd094fb74f9533a9c28250219afe182382", "versionType": "git" }, { "lessThan": "488ef44c068e79752dba8eda0b75f524f111a695", "status": "affected", "version": "54c03bfd094fb74f9533a9c28250219afe182382", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/power/supply/rk817_charger.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: rk817: Fix node refcount leak\n\nDan Carpenter reports that the Smatch static checker warning has found\nthat there is another refcount leak in the probe function. While\nof_node_put() was added in one of the return paths, it should in\nfact be added for ALL return paths that return an error and at driver\nremoval time." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:51.972Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fe6406238d5a24e9fb0286c71edd67b99d8db58d" }, { "url": "https://git.kernel.org/stable/c/70326b46b6a043f7e7404b2ff678b033c06d6577" }, { "url": "https://git.kernel.org/stable/c/488ef44c068e79752dba8eda0b75f524f111a695" } ], "title": "power: supply: rk817: Fix node refcount leak", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52571", "datePublished": "2024-03-02T21:59:41.348Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:51.972Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52567
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250_port: Check IRQ data before use
In case the leaf driver wants to use IRQ polling (irq = 0) and
IIR register shows that an interrupt happened in the 8250 hardware
the IRQ data can be NULL. In such a case we need to skip the wake
event as we came to this path from the timer interrupt and quite
likely system is already awake.
Without this fix we have got an Oops:
serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A
...
BUG: kernel NULL pointer dereference, address: 0000000000000010
RIP: 0010:serial8250_handle_irq+0x7c/0x240
Call Trace:
? serial8250_handle_irq+0x7c/0x240
? __pfx_serial8250_timeout+0x10/0x10
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: edfe57aedff4ecf3606533aabf8ecf7676c3c5d9 Version: 0bd49a043c7984c93c2a0af41222fb71c3986a4e Version: 572d48361aa0a6e6f16c1470e5407de183493d0c Version: d5d628fea5f6181809a9d61b04de6ade53277684 Version: 424cf29296354d7b9c6c038aaa7bb71782100851 Version: 727e92fe13e81c6088a88d83e466b2b1b553c4e3 Version: 0ba9e3a13c6adfa99e32b2576d20820ab10ad48a Version: 0ba9e3a13c6adfa99e32b2576d20820ab10ad48a |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52567", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:12:47.412833Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:12:54.742Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.694Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ee5732caaffba3a37e753fdb89b4958db9a61847" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c334650150c29234b0923476f51573ae1b2f252a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bf3c728e3692cc6d998874f0f27d433117348742" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e14afa4450cb7e4cf93e993a765801203d41d014" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2b837f13a818f96304736453ac53b66a70aaa4f2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e14f68a48fd445a083ac0750fafcb064df5f18f7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3345cc5f02f1fb4c4dcb114706f2210d879ab933" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cce7fc8b29961b64fadb1ce398dc5ff32a79643b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/tty/serial/8250/8250_port.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ee5732caaffba3a37e753fdb89b4958db9a61847", "status": "affected", "version": "edfe57aedff4ecf3606533aabf8ecf7676c3c5d9", "versionType": "git" }, { "lessThan": "c334650150c29234b0923476f51573ae1b2f252a", "status": "affected", "version": "0bd49a043c7984c93c2a0af41222fb71c3986a4e", "versionType": "git" }, { "lessThan": "bf3c728e3692cc6d998874f0f27d433117348742", "status": "affected", "version": "572d48361aa0a6e6f16c1470e5407de183493d0c", "versionType": "git" }, { "lessThan": "e14afa4450cb7e4cf93e993a765801203d41d014", "status": "affected", "version": "d5d628fea5f6181809a9d61b04de6ade53277684", "versionType": "git" }, { "lessThan": "2b837f13a818f96304736453ac53b66a70aaa4f2", "status": "affected", "version": "424cf29296354d7b9c6c038aaa7bb71782100851", "versionType": "git" }, { "lessThan": "e14f68a48fd445a083ac0750fafcb064df5f18f7", "status": "affected", "version": "727e92fe13e81c6088a88d83e466b2b1b553c4e3", "versionType": "git" }, { "lessThan": "3345cc5f02f1fb4c4dcb114706f2210d879ab933", "status": "affected", "version": "0ba9e3a13c6adfa99e32b2576d20820ab10ad48a", "versionType": "git" }, { "lessThan": "cce7fc8b29961b64fadb1ce398dc5ff32a79643b", "status": "affected", "version": "0ba9e3a13c6adfa99e32b2576d20820ab10ad48a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/tty/serial/8250/8250_port.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.327", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.296", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_port: Check IRQ data before use\n\nIn case the leaf driver wants to use IRQ polling (irq = 0) and\nIIR register shows that an interrupt happened in the 8250 hardware\nthe IRQ data can be NULL. In such a case we need to skip the wake\nevent as we came to this path from the timer interrupt and quite\nlikely system is already awake.\n\nWithout this fix we have got an Oops:\n\n serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A\n ...\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n RIP: 0010:serial8250_handle_irq+0x7c/0x240\n Call Trace:\n ? serial8250_handle_irq+0x7c/0x240\n ? __pfx_serial8250_timeout+0x10/0x10" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:47.336Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ee5732caaffba3a37e753fdb89b4958db9a61847" }, { "url": "https://git.kernel.org/stable/c/c334650150c29234b0923476f51573ae1b2f252a" }, { "url": "https://git.kernel.org/stable/c/bf3c728e3692cc6d998874f0f27d433117348742" }, { "url": "https://git.kernel.org/stable/c/e14afa4450cb7e4cf93e993a765801203d41d014" }, { "url": "https://git.kernel.org/stable/c/2b837f13a818f96304736453ac53b66a70aaa4f2" }, { "url": "https://git.kernel.org/stable/c/e14f68a48fd445a083ac0750fafcb064df5f18f7" }, { "url": "https://git.kernel.org/stable/c/3345cc5f02f1fb4c4dcb114706f2210d879ab933" }, { "url": "https://git.kernel.org/stable/c/cce7fc8b29961b64fadb1ce398dc5ff32a79643b" } ], "title": "serial: 8250_port: Check IRQ data before use", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52567", "datePublished": "2024-03-02T21:59:38.815Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:47.336Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47071
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio_hv_generic: Fix a memory leak in error handling paths
If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be
updated and 'hv_uio_cleanup()' in the error handling path will not be
able to free the corresponding buffer.
In such a case, we need to free the buffer explicitly.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47071", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T14:40:01.877350Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:15:01.454Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.582Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cdd91637d4ef33e2be19a8e16e72e7d00c996d76" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d84b5e912212b05f6b5bde9f682046accfbe0354" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/53486c467e356e06aa37047c984fccd64d78c827" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3ee098f96b8b6c1a98f7f97915f8873164e6af9d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/uio/uio_hv_generic.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cdd91637d4ef33e2be19a8e16e72e7d00c996d76", "status": "affected", "version": "cdfa835c6e5e87d145f9f632b58843de97509f2b", "versionType": "git" }, { "lessThan": "d84b5e912212b05f6b5bde9f682046accfbe0354", "status": "affected", "version": "cdfa835c6e5e87d145f9f632b58843de97509f2b", "versionType": "git" }, { "lessThan": "53486c467e356e06aa37047c984fccd64d78c827", "status": "affected", "version": "cdfa835c6e5e87d145f9f632b58843de97509f2b", "versionType": "git" }, { "lessThan": "3ee098f96b8b6c1a98f7f97915f8873164e6af9d", "status": "affected", "version": "cdfa835c6e5e87d145f9f632b58843de97509f2b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/uio/uio_hv_generic.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.20" }, { "lessThan": "4.20", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.122", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix a memory leak in error handling paths\n\nIf \u0027vmbus_establish_gpadl()\u0027 fails, the (recv|send)_gpadl will not be\nupdated and \u0027hv_uio_cleanup()\u0027 in the error handling path will not be\nable to free the corresponding buffer.\n\nIn such a case, we need to free the buffer explicitly." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:42.731Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cdd91637d4ef33e2be19a8e16e72e7d00c996d76" }, { "url": "https://git.kernel.org/stable/c/d84b5e912212b05f6b5bde9f682046accfbe0354" }, { "url": "https://git.kernel.org/stable/c/53486c467e356e06aa37047c984fccd64d78c827" }, { "url": "https://git.kernel.org/stable/c/3ee098f96b8b6c1a98f7f97915f8873164e6af9d" } ], "title": "uio_hv_generic: Fix a memory leak in error handling paths", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47071", "datePublished": "2024-03-01T21:15:10.052Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:42.731Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47074
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-loop: fix memory leak in nvme_loop_create_ctrl()
When creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl()
fails, the loop ctrl should be freed before jumping to the "out" label.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9c980795ccd77e8abec33dd6fe28dfe1c4083e65" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/551ba08d4b7eb26f75758cdb9f15105b276517ad" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/03504e3b54cc8118cc26c064e60a0b00c2308708" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-47074", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-15T19:25:32.658990Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-15T19:25:40.122Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/nvme/target/loop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9c980795ccd77e8abec33dd6fe28dfe1c4083e65", "status": "affected", "version": "3a85a5de29ea779634ddfd768059e06196687aba", "versionType": "git" }, { "lessThan": "551ba08d4b7eb26f75758cdb9f15105b276517ad", "status": "affected", "version": "3a85a5de29ea779634ddfd768059e06196687aba", "versionType": "git" }, { "lessThan": "03504e3b54cc8118cc26c064e60a0b00c2308708", "status": "affected", "version": "3a85a5de29ea779634ddfd768059e06196687aba", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/nvme/target/loop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-loop: fix memory leak in nvme_loop_create_ctrl()\n\nWhen creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl()\nfails, the loop ctrl should be freed before jumping to the \"out\" label." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:46.119Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9c980795ccd77e8abec33dd6fe28dfe1c4083e65" }, { "url": "https://git.kernel.org/stable/c/551ba08d4b7eb26f75758cdb9f15105b276517ad" }, { "url": "https://git.kernel.org/stable/c/03504e3b54cc8118cc26c064e60a0b00c2308708" } ], "title": "nvme-loop: fix memory leak in nvme_loop_create_ctrl()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47074", "datePublished": "2024-03-01T21:15:12.095Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:46.119Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52580
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:22
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/core: Fix ETH_P_1588 flow dissector
When a PTP ethernet raw frame with a size of more than 256 bytes followed
by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
is wrong. For example: hdr->message_length takes the wrong value (0xffff)
and it does not replicate real header length. In this case, 'nhoff' value
was overridden and the PTP header was badly dissected. This leads to a
kernel crash.
net/core: flow_dissector
net/core flow dissector nhoff = 0x0000000e
net/core flow dissector hdr->message_length = 0x0000ffff
net/core flow dissector nhoff = 0x0001000d (u16 overflow)
...
skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Using the size of the ptp_header struct will allow the corrected
calculation of the nhoff value.
net/core flow dissector nhoff = 0x0000000e
net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
...
skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Kernel trace:
[ 74.984279] ------------[ cut here ]------------
[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!
[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1
[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
[ 75.121980] PKRU: 55555554
[ 75.125035] Call Trace:
[ 75.127792] <IRQ>
[ 75.130063] ? eth_get_headlen+0xa4/0xc0
[ 75.134472] igc_process_skb_fields+0xcd/0x150
[ 75.139461] igc_poll+0xc80/0x17b0
[ 75.143272] __napi_poll+0x27/0x170
[ 75.147192] net_rx_action+0x234/0x280
[ 75.151409] __do_softirq+0xef/0x2f4
[ 75.155424] irq_exit_rcu+0xc7/0x110
[ 75.159432] common_interrupt+0xb8/0xd0
[ 75.163748] </IRQ>
[ 75.166112] <TASK>
[ 75.168473] asm_common_interrupt+0x22/0x40
[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
[ 75.245635] ?
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52580", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T15:52:44.572506Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:22:35.750Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:21.267Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f90a7b9586d72f907092078a9f394733ca502cc9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/488ea2a3e2666022f79abfdd7d12e8305fc27a40" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/48e105a2a1a10adc21c0ae717969f5e8e990ba48" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/75ad80ed88a182ab2ad5513e448cf07b403af5c3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/flow_dissector.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f90a7b9586d72f907092078a9f394733ca502cc9", "status": "affected", "version": "4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6", "versionType": "git" }, { "lessThan": "488ea2a3e2666022f79abfdd7d12e8305fc27a40", "status": "affected", "version": "4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6", "versionType": "git" }, { "lessThan": "48e105a2a1a10adc21c0ae717969f5e8e990ba48", "status": "affected", "version": "4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6", "versionType": "git" }, { "lessThan": "75ad80ed88a182ab2ad5513e448cf07b403af5c3", "status": "affected", "version": "4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/flow_dissector.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/core: Fix ETH_P_1588 flow dissector\n\nWhen a PTP ethernet raw frame with a size of more than 256 bytes followed\nby a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation\nis wrong. For example: hdr-\u003emessage_length takes the wrong value (0xffff)\nand it does not replicate real header length. In this case, \u0027nhoff\u0027 value\nwas overridden and the PTP header was badly dissected. This leads to a\nkernel crash.\n\nnet/core: flow_dissector\nnet/core flow dissector nhoff = 0x0000000e\nnet/core flow dissector hdr-\u003emessage_length = 0x0000ffff\nnet/core flow dissector nhoff = 0x0001000d (u16 overflow)\n...\nskb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88\nskb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nUsing the size of the ptp_header struct will allow the corrected\ncalculation of the nhoff value.\n\nnet/core flow dissector nhoff = 0x0000000e\nnet/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)\n...\nskb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff\nskb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\nskb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\nskb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nKernel trace:\n[ 74.984279] ------------[ cut here ]------------\n[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!\n[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1\n[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023\n[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130\n[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab \u003c0f\u003e 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9\n[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297\n[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003\n[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300\n[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800\n[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010\n[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800\n[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000\n[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0\n[ 75.121980] PKRU: 55555554\n[ 75.125035] Call Trace:\n[ 75.127792] \u003cIRQ\u003e\n[ 75.130063] ? eth_get_headlen+0xa4/0xc0\n[ 75.134472] igc_process_skb_fields+0xcd/0x150\n[ 75.139461] igc_poll+0xc80/0x17b0\n[ 75.143272] __napi_poll+0x27/0x170\n[ 75.147192] net_rx_action+0x234/0x280\n[ 75.151409] __do_softirq+0xef/0x2f4\n[ 75.155424] irq_exit_rcu+0xc7/0x110\n[ 75.159432] common_interrupt+0xb8/0xd0\n[ 75.163748] \u003c/IRQ\u003e\n[ 75.166112] \u003cTASK\u003e\n[ 75.168473] asm_common_interrupt+0x22/0x40\n[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350\n[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 \u003c0f\u003e 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1\n[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202\n[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f\n[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20\n[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001\n[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980\n[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000\n[ 75.245635] ? \n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:22:00.251Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f90a7b9586d72f907092078a9f394733ca502cc9" }, { "url": "https://git.kernel.org/stable/c/488ea2a3e2666022f79abfdd7d12e8305fc27a40" }, { "url": "https://git.kernel.org/stable/c/48e105a2a1a10adc21c0ae717969f5e8e990ba48" }, { "url": "https://git.kernel.org/stable/c/75ad80ed88a182ab2ad5513e448cf07b403af5c3" } ], "title": "net/core: Fix ETH_P_1588 flow dissector", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52580", "datePublished": "2024-03-02T21:59:47.231Z", "dateReserved": "2024-03-02T21:55:42.569Z", "dateUpdated": "2024-12-19T08:22:00.251Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52574
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: fix null-ptr-deref when team device type is changed
Get a null-ptr-deref bug as follows with reproducer [1].
BUG: kernel NULL pointer dereference, address: 0000000000000228
...
RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
...
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x82/0x150
? exc_page_fault+0x69/0x150
? asm_exc_page_fault+0x26/0x30
? vlan_dev_hard_header+0x35/0x140 [8021q]
? vlan_dev_hard_header+0x8e/0x140 [8021q]
neigh_connected_output+0xb2/0x100
ip6_finish_output2+0x1cb/0x520
? nf_hook_slow+0x43/0xc0
? ip6_mtu+0x46/0x80
ip6_finish_output+0x2a/0xb0
mld_sendpack+0x18f/0x250
mld_ifc_work+0x39/0x160
process_one_work+0x1e6/0x3f0
worker_thread+0x4d/0x2f0
? __pfx_worker_thread+0x10/0x10
kthread+0xe5/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
[1]
$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
$ ip link add name t-dummy type dummy
$ ip link add link t-dummy name t-dummy.100 type vlan id 100
$ ip link add name t-nlmon type nlmon
$ ip link set t-nlmon master team0
$ ip link set t-nlmon nomaster
$ ip link set t-dummy up
$ ip link set team0 up
$ ip link set t-dummy.100 down
$ ip link set t-dummy.100 master team0
When enslave a vlan device to team device and team device type is changed
from non-ether to ether, header_ops of team device is changed to
vlan_header_ops. That is incorrect and will trigger null-ptr-deref
for vlan->real_dev in vlan_dev_hard_header() because team device is not
a vlan device.
Cache eth_header_ops in team_setup(), then assign cached header_ops to
header_ops of team net device when its type is changed from non-ether
to ether to fix the bug.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52574", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-06T20:45:03.463636Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:22:44.896Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.914Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/team/team.c", "include/linux/if_team.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1779eb51b9cc628cee551f252701a85a2a50a457", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" }, { "lessThan": "a7fb47b9711101d2405b0eb1276fb1f9b9b270c7", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" }, { "lessThan": "c5f6478686bb45f453031594ae19b6c9723a780d", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" }, { "lessThan": "b44dd92e2afd89eb6e9d27616858e72a67bdc1a7", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" }, { "lessThan": "cd05eec2ee0cc396813a32ef675634e403748255", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" }, { "lessThan": "2f0acb0736ecc3eb85dc80ad2790d634dcb10b58", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" }, { "lessThan": "cac50d9f5d876be32cb9aa21c74018468900284d", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" }, { "lessThan": "492032760127251e5540a5716a70996bacf2a3fd", "status": "affected", "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/team/team.c", "include/linux/if_team.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.7" }, { "lessThan": "3.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.327", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.296", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix null-ptr-deref when team device type is changed\n\nGet a null-ptr-deref bug as follows with reproducer [1].\n\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n\n[1]\n$ teamd -t team0 -d -c \u0027{\"runner\": {\"name\": \"loadbalance\"}}\u0027\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\n\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan-\u003ereal_dev in vlan_dev_hard_header() because team device is not\na vlan device.\n\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:55.517Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457" }, { "url": "https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7" }, { "url": "https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d" }, { "url": "https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7" }, { "url": "https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255" }, { "url": "https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58" }, { "url": "https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d" }, { "url": "https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd" } ], "title": "team: fix null-ptr-deref when team device type is changed", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52574", "datePublished": "2024-03-02T21:59:43.271Z", "dateReserved": "2024-03-02T21:55:42.568Z", "dateUpdated": "2024-12-19T08:21:55.517Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52532
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix TX CQE error handling
For an unknown TX CQE error type (probably from a newer hardware),
still free the SKB, update the queue tail, etc., otherwise the
accounting will be wrong.
Also, TX errors can be triggered by injecting corrupted packets, so
replace the WARN_ONCE to ratelimited error logging.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52532", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T20:33:23.323404Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:22:59.938Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.762Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/microsoft/mana/mana_en.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b67d7b1bfc46d05c1a58b172516454698e8d5004", "status": "affected", "version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "versionType": "git" }, { "lessThan": "a910e0f6304726da30a212feecec65cb97ff7a80", "status": "affected", "version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "versionType": "git" }, { "lessThan": "b2b000069a4c307b09548dc2243f31f3ca0eac9c", "status": "affected", "version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/microsoft/mana/mana_en.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.59", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix TX CQE error handling\n\nFor an unknown TX CQE error type (probably from a newer hardware),\nstill free the SKB, update the queue tail, etc., otherwise the\naccounting will be wrong.\n\nAlso, TX errors can be triggered by injecting corrupted packets, so\nreplace the WARN_ONCE to ratelimited error logging." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:36.230Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004" }, { "url": "https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80" }, { "url": "https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c" } ], "title": "net: mana: Fix TX CQE error handling", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52532", "datePublished": "2024-03-02T21:52:36.292Z", "dateReserved": "2024-02-20T12:30:33.319Z", "dateUpdated": "2024-12-19T08:21:36.230Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26621
Vulnerability from cvelistv5
Published
2024-03-02 21:31
Modified
2024-12-19 08:43
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: huge_memory: don't force huge page alignment on 32 bit
commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP
boundaries") caused two issues [1] [2] reported on 32 bit system or compat
userspace.
It doesn't make too much sense to force huge page alignment on 32 bit
system due to the constrained virtual address space.
[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/
[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:07:19.592Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/87632bc9ecff5ded93433bc0fca428019bdd1cfe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7432376c913381c5f24d373a87ff629bbde94b47" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4ef9ad19e17676b9ef071309bc62020e2373705d" }, { "tags": [ "x_transferred" ], "url": "https://zolutal.github.io/aslrnt/" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/08/3" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/08/5" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/08/4" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/08/6" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/08/7" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/08/8" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/09/1" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/10/5" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/10/7" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/10/8" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/11/4" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/11/5" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/11/7" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/12/3" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/13/2" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/13/7" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/15/2" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/15/1" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/1" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/2" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/29/2" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/07/30/2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26621", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:56:53.851124Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:42.508Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/huge_memory.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "87632bc9ecff5ded93433bc0fca428019bdd1cfe", "status": "affected", "version": "1854bc6e2420472676c5c90d3d6b15f6cd640e40", "versionType": "git" }, { "lessThan": "6ea9aa8d97e6563676094cb35755884173269555", "status": "affected", "version": "1854bc6e2420472676c5c90d3d6b15f6cd640e40", "versionType": "git" }, { "lessThan": "7432376c913381c5f24d373a87ff629bbde94b47", "status": "affected", "version": "1854bc6e2420472676c5c90d3d6b15f6cd640e40", "versionType": "git" }, { "lessThan": "4ef9ad19e17676b9ef071309bc62020e2373705d", "status": "affected", "version": "1854bc6e2420472676c5c90d3d6b15f6cd640e40", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/huge_memory.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.46", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: don\u0027t force huge page alignment on 32 bit\n\ncommit efa7df3e3bb5 (\"mm: align larger anonymous mappings on THP\nboundaries\") caused two issues [1] [2] reported on 32 bit system or compat\nuserspace.\n\nIt doesn\u0027t make too much sense to force huge page alignment on 32 bit\nsystem due to the constrained virtual address space.\n\n[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/\n[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:43:41.802Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/87632bc9ecff5ded93433bc0fca428019bdd1cfe" }, { "url": "https://git.kernel.org/stable/c/6ea9aa8d97e6563676094cb35755884173269555" }, { "url": "https://git.kernel.org/stable/c/7432376c913381c5f24d373a87ff629bbde94b47" }, { "url": "https://git.kernel.org/stable/c/4ef9ad19e17676b9ef071309bc62020e2373705d" } ], "title": "mm: huge_memory: don\u0027t force huge page alignment on 32 bit", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26621", "datePublished": "2024-03-02T21:31:49.158Z", "dateReserved": "2024-02-19T14:20:24.134Z", "dateUpdated": "2024-12-19T08:43:41.802Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47080
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Prevent divide-by-zero error triggered by the user
The user_entry_size is supplied by the user and later used as a
denominator to calculate number of entries. The zero supplied by the user
will trigger the following divide-by-zero error:
divide error: 0000 [#1] SMP KASAN PTI
CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510
Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b
RSP: 0018:ffff88810416f828 EFLAGS: 00010246
RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d
RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000
RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f
R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0
FS: 00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0
ib_uverbs_cmd_verbs+0x1546/0x1940
ib_uverbs_ioctl+0x186/0x240
__x64_sys_ioctl+0x38a/0x1220
do_syscall_64+0x3f/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47080", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T20:26:31.423427Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:14:01.469Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:40.137Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/66ab7fcdac34b890017f04f391507ef5b2b89a13" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e6871b4270c05f8b212e7d98aee82b357972c80a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/54d87913f147a983589923c7f651f97de9af5be1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/core/uverbs_std_types_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "66ab7fcdac34b890017f04f391507ef5b2b89a13", "status": "affected", "version": "9f85cbe50aa044a46f0a22fda323fa27b80c82da", "versionType": "git" }, { "lessThan": "e6871b4270c05f8b212e7d98aee82b357972c80a", "status": "affected", "version": "9f85cbe50aa044a46f0a22fda323fa27b80c82da", "versionType": "git" }, { "lessThan": "54d87913f147a983589923c7f651f97de9af5be1", "status": "affected", "version": "9f85cbe50aa044a46f0a22fda323fa27b80c82da", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/core/uverbs_std_types_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Prevent divide-by-zero error triggered by the user\n\nThe user_entry_size is supplied by the user and later used as a\ndenominator to calculate number of entries. The zero supplied by the user\nwill trigger the following divide-by-zero error:\n\n divide error: 0000 [#1] SMP KASAN PTI\n CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510\n Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff \u003c49\u003e f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b\n RSP: 0018:ffff88810416f828 EFLAGS: 00010246\n RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d\n RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000\n RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f\n R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0\n FS: 00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0\n ib_uverbs_cmd_verbs+0x1546/0x1940\n ib_uverbs_ioctl+0x186/0x240\n __x64_sys_ioctl+0x38a/0x1220\n do_syscall_64+0x3f/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:52.785Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/66ab7fcdac34b890017f04f391507ef5b2b89a13" }, { "url": "https://git.kernel.org/stable/c/e6871b4270c05f8b212e7d98aee82b357972c80a" }, { "url": "https://git.kernel.org/stable/c/54d87913f147a983589923c7f651f97de9af5be1" } ], "title": "RDMA/core: Prevent divide-by-zero error triggered by the user", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47080", "datePublished": "2024-03-01T21:15:15.942Z", "dateReserved": "2024-02-29T22:33:44.298Z", "dateUpdated": "2024-12-19T07:34:52.785Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52522
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix possible store tearing in neigh_periodic_work()
While looking at a related syzbot report involving neigh_periodic_work(),
I found that I forgot to add an annotation when deleting an
RCU protected item from a list.
Readers use rcu_deference(*np), we need to use either
rcu_assign_pointer() or WRITE_ONCE() on writer side
to prevent store tearing.
I use rcu_assign_pointer() to have lockdep support,
this was the choice made in neigh_flush_dev().
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 767e97e1e0db0d0f3152cd2f3bd3403596aedbad Version: 767e97e1e0db0d0f3152cd2f3bd3403596aedbad Version: 767e97e1e0db0d0f3152cd2f3bd3403596aedbad Version: 767e97e1e0db0d0f3152cd2f3bd3403596aedbad Version: 767e97e1e0db0d0f3152cd2f3bd3403596aedbad Version: 767e97e1e0db0d0f3152cd2f3bd3403596aedbad |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52522", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T20:28:00.493037Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T19:54:03.263Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.631Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/neighbour.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "95eabb075a5902f4c0834ab1fb12dc35730c05af", "status": "affected", "version": "767e97e1e0db0d0f3152cd2f3bd3403596aedbad", "versionType": "git" }, { "lessThan": "2ea52a2fb8e87067e26bbab4efb8872639240eb0", "status": "affected", "version": "767e97e1e0db0d0f3152cd2f3bd3403596aedbad", "versionType": "git" }, { "lessThan": "147d89ee41434b97043c2dcb17a97dc151859baa", "status": "affected", "version": "767e97e1e0db0d0f3152cd2f3bd3403596aedbad", "versionType": "git" }, { "lessThan": "f82aac8162871e87027692b36af335a2375d4580", "status": "affected", "version": "767e97e1e0db0d0f3152cd2f3bd3403596aedbad", "versionType": "git" }, { "lessThan": "a75152d233370362eebedb2643592e7c883cc9fc", "status": "affected", "version": "767e97e1e0db0d0f3152cd2f3bd3403596aedbad", "versionType": "git" }, { "lessThan": "25563b581ba3a1f263a00e8c9a97f5e7363be6fd", "status": "affected", "version": "767e97e1e0db0d0f3152cd2f3bd3403596aedbad", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/neighbour.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.37" }, { "lessThan": "2.6.37", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix possible store tearing in neigh_periodic_work()\n\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\n\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\n\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:24.532Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af" }, { "url": "https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0" }, { "url": "https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa" }, { "url": "https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580" }, { "url": "https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc" }, { "url": "https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd" } ], "title": "net: fix possible store tearing in neigh_periodic_work()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52522", "datePublished": "2024-03-02T21:52:29.710Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-12-19T08:21:24.532Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52531
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: Fix a memory corruption issue
A few lines above, space is kzalloc()'ed for:
sizeof(struct iwl_nvm_data) +
sizeof(struct ieee80211_channel) +
sizeof(struct ieee80211_rate)
'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.
At the end of this structure, there is the 'channels' flex array.
Each element is of type 'struct ieee80211_channel'.
So only 1 element is allocated in this array.
When doing:
mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;
We point at the first element of the 'channels' flex array.
So this is fine.
However, when doing:
mvm->nvm_data->bands[0].bitrates =
(void *)((u8 *)mvm->nvm_data->channels + 1);
because of the "(u8 *)" cast, we add only 1 to the address of the beginning
of the flex array.
It is likely that we want point at the 'struct ieee80211_rate' allocated
just after.
Remove the spurious casting so that the pointer arithmetic works as
expected.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52531", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T19:38:20.613089Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:46.452Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.656Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/mvm/fw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7c8faa31080342aec4903c9acb20caf82fcca1ef", "status": "affected", "version": "8ca151b568b67a7b72dcfc6ee6ea7c107ddd795c", "versionType": "git" }, { "lessThan": "6b3223449c959a8be94a1f042288059e40fcccb0", "status": "affected", "version": "8ca151b568b67a7b72dcfc6ee6ea7c107ddd795c", "versionType": "git" }, { "lessThan": "f06cdd8d4ba5252986f51f80cc30263636397128", "status": "affected", "version": "8ca151b568b67a7b72dcfc6ee6ea7c107ddd795c", "versionType": "git" }, { "lessThan": "8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d", "status": "affected", "version": "8ca151b568b67a7b72dcfc6ee6ea7c107ddd795c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/mvm/fw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.9" }, { "lessThan": "3.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix a memory corruption issue\n\nA few lines above, space is kzalloc()\u0027ed for:\n\tsizeof(struct iwl_nvm_data) +\n\tsizeof(struct ieee80211_channel) +\n\tsizeof(struct ieee80211_rate)\n\n\u0027mvm-\u003envm_data\u0027 is a \u0027struct iwl_nvm_data\u0027, so it is fine.\n\nAt the end of this structure, there is the \u0027channels\u0027 flex array.\nEach element is of type \u0027struct ieee80211_channel\u0027.\nSo only 1 element is allocated in this array.\n\nWhen doing:\n mvm-\u003envm_data-\u003ebands[0].channels = mvm-\u003envm_data-\u003echannels;\nWe point at the first element of the \u0027channels\u0027 flex array.\nSo this is fine.\n\nHowever, when doing:\n mvm-\u003envm_data-\u003ebands[0].bitrates =\n\t\t\t(void *)((u8 *)mvm-\u003envm_data-\u003echannels + 1);\nbecause of the \"(u8 *)\" cast, we add only 1 to the address of the beginning\nof the flex array.\n\nIt is likely that we want point at the \u0027struct ieee80211_rate\u0027 allocated\njust after.\n\nRemove the spurious casting so that the pointer arithmetic works as\nexpected." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:35.034Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef" }, { "url": "https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0" }, { "url": "https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128" }, { "url": "https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d" } ], "title": "wifi: iwlwifi: mvm: Fix a memory corruption issue", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52531", "datePublished": "2024-03-02T21:52:35.664Z", "dateReserved": "2024-02-20T12:30:33.319Z", "dateUpdated": "2024-12-19T08:21:35.034Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52573
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rds: Fix possible NULL-pointer dereference
In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists
before dereferencing it as rdma_set_service_type() argument
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fd261ce6a30e01ad67c416e2c67e263024b3a6f9 Version: fd261ce6a30e01ad67c416e2c67e263024b3a6f9 Version: fd261ce6a30e01ad67c416e2c67e263024b3a6f9 Version: fd261ce6a30e01ad67c416e2c67e263024b3a6f9 Version: fd261ce6a30e01ad67c416e2c67e263024b3a6f9 Version: fd261ce6a30e01ad67c416e2c67e263024b3a6f9 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52573", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-25T19:52:45.818038Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-25T19:53:00.338Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.876Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/812da2a08dc5cc75fb71e29083ea20904510ac7a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f515112e833791001aaa8ab886af3ca78503617f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ea82139e6e3561100d38d14401d57c0ea93fc07e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/51fa66024a5eabf270164f2dc82a48ffb35a12e9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/069ac51c37a6f07a51f7134d8c34289075786a35" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f1d95df0f31048f1c59092648997686e3f7d9478" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/rds/rdma_transport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "812da2a08dc5cc75fb71e29083ea20904510ac7a", "status": "affected", "version": "fd261ce6a30e01ad67c416e2c67e263024b3a6f9", "versionType": "git" }, { "lessThan": "f515112e833791001aaa8ab886af3ca78503617f", "status": "affected", "version": "fd261ce6a30e01ad67c416e2c67e263024b3a6f9", "versionType": "git" }, { "lessThan": "ea82139e6e3561100d38d14401d57c0ea93fc07e", "status": "affected", "version": "fd261ce6a30e01ad67c416e2c67e263024b3a6f9", "versionType": "git" }, { "lessThan": "51fa66024a5eabf270164f2dc82a48ffb35a12e9", "status": "affected", "version": "fd261ce6a30e01ad67c416e2c67e263024b3a6f9", "versionType": "git" }, { "lessThan": "069ac51c37a6f07a51f7134d8c34289075786a35", "status": "affected", "version": "fd261ce6a30e01ad67c416e2c67e263024b3a6f9", "versionType": "git" }, { "lessThan": "f1d95df0f31048f1c59092648997686e3f7d9478", "status": "affected", "version": "fd261ce6a30e01ad67c416e2c67e263024b3a6f9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/rds/rdma_transport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.1" }, { "lessThan": "5.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: Fix possible NULL-pointer dereference\n\nIn rds_rdma_cm_event_handler_cmn() check, if conn pointer exists\nbefore dereferencing it as rdma_set_service_type() argument\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:54.312Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/812da2a08dc5cc75fb71e29083ea20904510ac7a" }, { "url": "https://git.kernel.org/stable/c/f515112e833791001aaa8ab886af3ca78503617f" }, { "url": "https://git.kernel.org/stable/c/ea82139e6e3561100d38d14401d57c0ea93fc07e" }, { "url": "https://git.kernel.org/stable/c/51fa66024a5eabf270164f2dc82a48ffb35a12e9" }, { "url": "https://git.kernel.org/stable/c/069ac51c37a6f07a51f7134d8c34289075786a35" }, { "url": "https://git.kernel.org/stable/c/f1d95df0f31048f1c59092648997686e3f7d9478" } ], "title": "net: rds: Fix possible NULL-pointer dereference", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52573", "datePublished": "2024-03-02T21:59:42.627Z", "dateReserved": "2024-03-02T21:55:42.568Z", "dateUpdated": "2024-12-19T08:21:54.312Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52572
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix UAF in cifs_demultiplex_thread()
There is a UAF when xfstests on cifs:
BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
Read of size 4 at addr ffff88810103fc08 by task cifsd/923
CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
...
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report+0x171/0x472
kasan_report+0xad/0x130
kasan_check_range+0x145/0x1a0
smb2_is_network_name_deleted+0x27/0x160
cifs_demultiplex_thread.cold+0x172/0x5a4
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 923:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_slab_alloc+0x54/0x60
kmem_cache_alloc+0x147/0x320
mempool_alloc+0xe1/0x260
cifs_small_buf_get+0x24/0x60
allocate_buffers+0xa1/0x1c0
cifs_demultiplex_thread+0x199/0x10d0
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
Freed by task 921:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
____kasan_slab_free+0x143/0x1b0
kmem_cache_free+0xe3/0x4d0
cifs_small_buf_release+0x29/0x90
SMB2_negotiate+0x8b7/0x1c60
smb2_negotiate+0x51/0x70
cifs_negotiate_protocol+0xf0/0x160
cifs_get_smb_ses+0x5fa/0x13c0
mount_get_conns+0x7a/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The UAF is because:
mount(pid: 921) | cifsd(pid: 923)
-------------------------------|-------------------------------
| cifs_demultiplex_thread
SMB2_negotiate |
cifs_send_recv |
compound_send_recv |
smb_send_rqst |
wait_for_response |
wait_event_state [1] |
| standard_receive3
| cifs_handle_standard
| handle_mid
| mid->resp_buf = buf; [2]
| dequeue_mid [3]
KILL the process [4] |
resp_iov[i].iov_base = buf |
free_rsp_buf [5] |
| is_network_name_deleted [6]
| callback
1. After send request to server, wait the response until
mid->mid_state != SUBMITTED;
2. Receive response from server, and set it to mid;
3. Set the mid state to RECEIVED;
4. Kill the process, the mid state already RECEIVED, get 0;
5. Handle and release the negotiate response;
6. UAF.
It can be easily reproduce with add some delay in [3] - [6].
Only sync call has the problem since async call's callback is
executed in cifsd process.
Add an extra state to mark the mid state to READY before wakeup the
waitter, then it can get the resp safely.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52572", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T14:36:02.875226Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:18.290Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.848Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/cifsglob.h", "fs/smb/client/transport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "908b3b5e97d25e879de3d1f172a255665491c2c3", "status": "affected", "version": "ec637e3ffb6b978143652477c7c5f96c9519b691", "versionType": "git" }, { "lessThan": "76569e3819e0bb59fc19b1b8688b017e627c268a", "status": "affected", "version": "ec637e3ffb6b978143652477c7c5f96c9519b691", "versionType": "git" }, { "lessThan": "d527f51331cace562393a8038d870b3e9916686f", "status": "affected", "version": "ec637e3ffb6b978143652477c7c5f96c9519b691", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/cifsglob.h", "fs/smb/client/transport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.16" }, { "lessThan": "2.6.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n ...\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_report+0x171/0x472\n kasan_report+0xad/0x130\n kasan_check_range+0x145/0x1a0\n smb2_is_network_name_deleted+0x27/0x160\n cifs_demultiplex_thread.cold+0x172/0x5a4\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e\n\n Allocated by task 923:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x54/0x60\n kmem_cache_alloc+0x147/0x320\n mempool_alloc+0xe1/0x260\n cifs_small_buf_get+0x24/0x60\n allocate_buffers+0xa1/0x1c0\n cifs_demultiplex_thread+0x199/0x10d0\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n\n Freed by task 921:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x40\n ____kasan_slab_free+0x143/0x1b0\n kmem_cache_free+0xe3/0x4d0\n cifs_small_buf_release+0x29/0x90\n SMB2_negotiate+0x8b7/0x1c60\n smb2_negotiate+0x51/0x70\n cifs_negotiate_protocol+0xf0/0x160\n cifs_get_smb_ses+0x5fa/0x13c0\n mount_get_conns+0x7a/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921) | cifsd(pid: 923)\n-------------------------------|-------------------------------\n | cifs_demultiplex_thread\nSMB2_negotiate |\n cifs_send_recv |\n compound_send_recv |\n smb_send_rqst |\n wait_for_response |\n wait_event_state [1] |\n | standard_receive3\n | cifs_handle_standard\n | handle_mid\n | mid-\u003eresp_buf = buf; [2]\n | dequeue_mid [3]\n KILL the process [4] |\n resp_iov[i].iov_base = buf |\n free_rsp_buf [5] |\n | is_network_name_deleted [6]\n | callback\n\n1. After send request to server, wait the response until\n mid-\u003emid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call\u0027s callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:53.131Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3" }, { "url": "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a" }, { "url": "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f" } ], "title": "cifs: Fix UAF in cifs_demultiplex_thread()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52572", "datePublished": "2024-03-02T21:59:41.980Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:53.131Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52505
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers
The protocol converter configuration registers PCC8, PCCC, PCCD
(implemented by the driver), as well as others, control protocol
converters from multiple lanes (each represented as a different
struct phy). So, if there are simultaneous calls to phy_set_mode_ext()
to lanes sharing the same PCC register (either for the "old" or for the
"new" protocol), corruption of the values programmed to hardware is
possible, because lynx_28g_rmw() has no locking.
Add a spinlock in the struct lynx_28g_priv shared by all lanes, and take
the global spinlock from the phy_ops :: set_mode() implementation. There
are no other callers which modify PCC registers.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52505", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-11T15:02:00.830027Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:17.026Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.376Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/phy/freescale/phy-fsl-lynx-28g.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6f901f8448c6b25ed843796b114471d2a3fc5dfb", "status": "affected", "version": "8f73b37cf3fbda67ea1e579c3b5785da4e7aa2e3", "versionType": "git" }, { "lessThan": "c2d7c79898b427d263c64a4841987eec131f2d4e", "status": "affected", "version": "8f73b37cf3fbda67ea1e579c3b5785da4e7aa2e3", "versionType": "git" }, { "lessThan": "139ad1143151a07be93bf741d4ea7c89e59f89ce", "status": "affected", "version": "8f73b37cf3fbda67ea1e579c3b5785da4e7aa2e3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/phy/freescale/phy-fsl-lynx-28g.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.59", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers\n\nThe protocol converter configuration registers PCC8, PCCC, PCCD\n(implemented by the driver), as well as others, control protocol\nconverters from multiple lanes (each represented as a different\nstruct phy). So, if there are simultaneous calls to phy_set_mode_ext()\nto lanes sharing the same PCC register (either for the \"old\" or for the\n\"new\" protocol), corruption of the values programmed to hardware is\npossible, because lynx_28g_rmw() has no locking.\n\nAdd a spinlock in the struct lynx_28g_priv shared by all lanes, and take\nthe global spinlock from the phy_ops :: set_mode() implementation. There\nare no other callers which modify PCC registers." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:06.937Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb" }, { "url": "https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e" }, { "url": "https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce" } ], "title": "phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52505", "datePublished": "2024-03-02T21:52:19.215Z", "dateReserved": "2024-02-20T12:30:33.314Z", "dateUpdated": "2024-12-19T08:21:06.937Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52519
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
The EHL (Elkhart Lake) based platforms provide a OOB (Out of band)
service, which allows to wakup device when the system is in S5 (Soft-Off
state). This OOB service can be enabled/disabled from BIOS settings. When
enabled, the ISH device gets PME wake capability. To enable PME wakeup,
driver also needs to enable ACPI GPE bit.
On resume, BIOS will clear the wakeup bit. So driver need to re-enable it
in resume function to keep the next wakeup capability. But this BIOS
clearing of wakeup bit doesn't decrement internal OS GPE reference count,
so this reenabling on every resume will cause reference count to overflow.
So first disable and reenable ACPI GPE bit using acpi_disable_gpe().
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52519", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:13:47.131196Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:13:54.680Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.629Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8781fe259dd5a178fdd1069401bbd1437f9491c5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cdcc04e844a2d22d9d25cef1e8e504a174ea9f8f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/60fb3f054c99608ddb1f2466c07108da6292951e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8f02139ad9a7e6e5c05712f8c1501eebed8eacfd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/intel-ish-hid/ipc/pci-ish.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8781fe259dd5a178fdd1069401bbd1437f9491c5", "status": "affected", "version": "2e23a70edabe933284f690dff49497fb6b82b0e5", "versionType": "git" }, { "lessThan": "cdcc04e844a2d22d9d25cef1e8e504a174ea9f8f", "status": "affected", "version": "2e23a70edabe933284f690dff49497fb6b82b0e5", "versionType": "git" }, { "lessThan": "60fb3f054c99608ddb1f2466c07108da6292951e", "status": "affected", "version": "2e23a70edabe933284f690dff49497fb6b82b0e5", "versionType": "git" }, { "lessThan": "8f02139ad9a7e6e5c05712f8c1501eebed8eacfd", "status": "affected", "version": "2e23a70edabe933284f690dff49497fb6b82b0e5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/intel-ish-hid/ipc/pci-ish.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit\n\nThe EHL (Elkhart Lake) based platforms provide a OOB (Out of band)\nservice, which allows to wakup device when the system is in S5 (Soft-Off\nstate). This OOB service can be enabled/disabled from BIOS settings. When\nenabled, the ISH device gets PME wake capability. To enable PME wakeup,\ndriver also needs to enable ACPI GPE bit.\n\nOn resume, BIOS will clear the wakeup bit. So driver need to re-enable it\nin resume function to keep the next wakeup capability. But this BIOS\nclearing of wakeup bit doesn\u0027t decrement internal OS GPE reference count,\nso this reenabling on every resume will cause reference count to overflow.\n\nSo first disable and reenable ACPI GPE bit using acpi_disable_gpe()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:22.214Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8781fe259dd5a178fdd1069401bbd1437f9491c5" }, { "url": "https://git.kernel.org/stable/c/cdcc04e844a2d22d9d25cef1e8e504a174ea9f8f" }, { "url": "https://git.kernel.org/stable/c/60fb3f054c99608ddb1f2466c07108da6292951e" }, { "url": "https://git.kernel.org/stable/c/8f02139ad9a7e6e5c05712f8c1501eebed8eacfd" } ], "title": "HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52519", "datePublished": "2024-03-02T21:52:27.816Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-12-19T08:21:22.214Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47077
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qedf: Add pointer checks in qedf_update_link_speed()
The following trace was observed:
[ 14.042059] Call Trace:
[ 14.042061] <IRQ>
[ 14.042068] qedf_link_update+0x144/0x1f0 [qedf]
[ 14.042117] qed_link_update+0x5c/0x80 [qed]
[ 14.042135] qed_mcp_handle_link_change+0x2d2/0x410 [qed]
[ 14.042155] ? qed_set_ptt+0x70/0x80 [qed]
[ 14.042170] ? qed_set_ptt+0x70/0x80 [qed]
[ 14.042186] ? qed_rd+0x13/0x40 [qed]
[ 14.042205] qed_mcp_handle_events+0x437/0x690 [qed]
[ 14.042221] ? qed_set_ptt+0x70/0x80 [qed]
[ 14.042239] qed_int_sp_dpc+0x3a6/0x3e0 [qed]
[ 14.042245] tasklet_action_common.isra.14+0x5a/0x100
[ 14.042250] __do_softirq+0xe4/0x2f8
[ 14.042253] irq_exit+0xf7/0x100
[ 14.042255] do_IRQ+0x7f/0xd0
[ 14.042257] common_interrupt+0xf/0xf
[ 14.042259] </IRQ>
API qedf_link_update() is getting called from QED but by that time
shost_data is not initialised. This results in a NULL pointer dereference
when we try to dereference shost_data while updating supported_speeds.
Add a NULL pointer check before dereferencing shost_data.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.828Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a6362a737572f66051deb7637f3f77ddf7a4402f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/11014efcec378bb0050a6cf08eaf375e3693400a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/73578af92a0fae6609b955fcc9113e50e413c80f" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-47077", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:56:57.690041Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:44.268Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/qedf/qedf_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a6362a737572f66051deb7637f3f77ddf7a4402f", "status": "affected", "version": "61d8658b4a435eac729966cc94cdda077a8df5cd", "versionType": "git" }, { "lessThan": "11014efcec378bb0050a6cf08eaf375e3693400a", "status": "affected", "version": "61d8658b4a435eac729966cc94cdda077a8df5cd", "versionType": "git" }, { "lessThan": "73578af92a0fae6609b955fcc9113e50e413c80f", "status": "affected", "version": "61d8658b4a435eac729966cc94cdda077a8df5cd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/qedf/qedf_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.11" }, { "lessThan": "4.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Add pointer checks in qedf_update_link_speed()\n\nThe following trace was observed:\n\n [ 14.042059] Call Trace:\n [ 14.042061] \u003cIRQ\u003e\n [ 14.042068] qedf_link_update+0x144/0x1f0 [qedf]\n [ 14.042117] qed_link_update+0x5c/0x80 [qed]\n [ 14.042135] qed_mcp_handle_link_change+0x2d2/0x410 [qed]\n [ 14.042155] ? qed_set_ptt+0x70/0x80 [qed]\n [ 14.042170] ? qed_set_ptt+0x70/0x80 [qed]\n [ 14.042186] ? qed_rd+0x13/0x40 [qed]\n [ 14.042205] qed_mcp_handle_events+0x437/0x690 [qed]\n [ 14.042221] ? qed_set_ptt+0x70/0x80 [qed]\n [ 14.042239] qed_int_sp_dpc+0x3a6/0x3e0 [qed]\n [ 14.042245] tasklet_action_common.isra.14+0x5a/0x100\n [ 14.042250] __do_softirq+0xe4/0x2f8\n [ 14.042253] irq_exit+0xf7/0x100\n [ 14.042255] do_IRQ+0x7f/0xd0\n [ 14.042257] common_interrupt+0xf/0xf\n [ 14.042259] \u003c/IRQ\u003e\n\nAPI qedf_link_update() is getting called from QED but by that time\nshost_data is not initialised. This results in a NULL pointer dereference\nwhen we try to dereference shost_data while updating supported_speeds.\n\nAdd a NULL pointer check before dereferencing shost_data." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:49.457Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a6362a737572f66051deb7637f3f77ddf7a4402f" }, { "url": "https://git.kernel.org/stable/c/11014efcec378bb0050a6cf08eaf375e3693400a" }, { "url": "https://git.kernel.org/stable/c/73578af92a0fae6609b955fcc9113e50e413c80f" } ], "title": "scsi: qedf: Add pointer checks in qedf_update_link_speed()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47077", "datePublished": "2024-03-01T21:15:14.030Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:49.457Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47076
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Return CQE error if invalid lkey was supplied
RXE is missing update of WQE status in LOCAL_WRITE failures. This caused
the following kernel panic if someone sent an atomic operation with an
explicitly wrong lkey.
[leonro@vm ~]$ mkt test
test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...
WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core
CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff
RSP: 0018:ffff8880158af090 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652
RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210
RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b
R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8
R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c
FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_rcv+0xb11/0x1df0 [rdma_rxe]
rxe_loopback+0x157/0x1e0 [rdma_rxe]
rxe_responder+0x5532/0x7620 [rdma_rxe]
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_rcv+0x9c8/0x1df0 [rdma_rxe]
rxe_loopback+0x157/0x1e0 [rdma_rxe]
rxe_requester+0x1efd/0x58c0 [rdma_rxe]
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_post_send+0x998/0x1860 [rdma_rxe]
ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]
ib_uverbs_write+0x847/0xc80 [ib_uverbs]
vfs_write+0x1c5/0x840
ksys_write+0x176/0x1d0
do_syscall_64+0x3f/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47076", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-07T17:09:55.049735Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:14:42.532Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.793Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/abe31d25facdb9109fe2cf69890748295291570c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dc07628bd2bbc1da768e265192c28ebd301f509d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/sw/rxe/rxe_comp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "abe31d25facdb9109fe2cf69890748295291570c", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" }, { "lessThan": "dc07628bd2bbc1da768e265192c28ebd301f509d", "status": "affected", "version": "8700e3e7c4857d28ebaa824509934556da0b3e76", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/sw/rxe/rxe_comp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Return CQE error if invalid lkey was supplied\n\nRXE is missing update of WQE status in LOCAL_WRITE failures. This caused\nthe following kernel panic if someone sent an atomic operation with an\nexplicitly wrong lkey.\n\n[leonro@vm ~]$ mkt test\ntest_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...\n WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core\n CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff \u003c0f\u003e 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff\n RSP: 0018:ffff8880158af090 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652\n RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210\n RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b\n R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8\n R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c\n FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_rcv+0xb11/0x1df0 [rdma_rxe]\n rxe_loopback+0x157/0x1e0 [rdma_rxe]\n rxe_responder+0x5532/0x7620 [rdma_rxe]\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_rcv+0x9c8/0x1df0 [rdma_rxe]\n rxe_loopback+0x157/0x1e0 [rdma_rxe]\n rxe_requester+0x1efd/0x58c0 [rdma_rxe]\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_post_send+0x998/0x1860 [rdma_rxe]\n ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]\n ib_uverbs_write+0x847/0xc80 [ib_uverbs]\n vfs_write+0x1c5/0x840\n ksys_write+0x176/0x1d0\n do_syscall_64+0x3f/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:48.337Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/abe31d25facdb9109fe2cf69890748295291570c" }, { "url": "https://git.kernel.org/stable/c/dc07628bd2bbc1da768e265192c28ebd301f509d" } ], "title": "RDMA/rxe: Return CQE error if invalid lkey was supplied", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47076", "datePublished": "2024-03-01T21:15:13.395Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:48.337Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47069
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry
do_mq_timedreceive calls wq_sleep with a stack local address. The
sender (do_mq_timedsend) uses this address to later call pipelined_send.
This leads to a very hard to trigger race where a do_mq_timedreceive
call might return and leave do_mq_timedsend to rely on an invalid
address, causing the following crash:
RIP: 0010:wake_q_add_safe+0x13/0x60
Call Trace:
__x64_sys_mq_timedsend+0x2a9/0x490
do_syscall_64+0x80/0x680
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5928e40343
The race occurs as:
1. do_mq_timedreceive calls wq_sleep with the address of `struct
ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it
holds a valid `struct ext_wait_queue *` as long as the stack has not
been overwritten.
2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and
do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call
__pipelined_op.
3. Sender calls __pipelined_op::smp_store_release(&this->state,
STATE_READY). Here is where the race window begins. (`this` is
`ewq_addr`.)
4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it
will see `state == STATE_READY` and break.
5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed
to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's
stack. (Although the address may not get overwritten until another
function happens to touch it, which means it can persist around for an
indefinite time.)
6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a
`struct ext_wait_queue *`, and uses it to find a task_struct to pass to
the wake_q_add_safe call. In the lucky case where nothing has
overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct.
In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a
bogus address as the receiver's task_struct causing the crash.
do_mq_timedsend::__pipelined_op() should not dereference `this` after
setting STATE_READY, as the receiver counterpart is now free to return.
Change __pipelined_op to call wake_q_add_safe on the receiver's
task_struct returned by get_task_struct, instead of dereferencing `this`
which sits on the receiver's stack.
As Manfred pointed out, the race potentially also exists in
ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix
those in the same way.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47069", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:15:09.996738Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:15:20.262Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.653Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4528c0c323085e645b8765913b4a7fd42cf49b65" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/807fa14536b26803b858da878b643be72952a097" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a11ddb37bf367e6b5239b95ca759e5389bb46048" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "ipc/mqueue.c", "ipc/msg.c", "ipc/sem.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4528c0c323085e645b8765913b4a7fd42cf49b65", "status": "affected", "version": "0d97a82ba830d89a1e541cc9cd11f1e38c28e416", "versionType": "git" }, { "lessThan": "807fa14536b26803b858da878b643be72952a097", "status": "affected", "version": "0d97a82ba830d89a1e541cc9cd11f1e38c28e416", "versionType": "git" }, { "lessThan": "a11ddb37bf367e6b5239b95ca759e5389bb46048", "status": "affected", "version": "0d97a82ba830d89a1e541cc9cd11f1e38c28e416", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "ipc/mqueue.c", "ipc/msg.c", "ipc/sem.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry\n\ndo_mq_timedreceive calls wq_sleep with a stack local address. The\nsender (do_mq_timedsend) uses this address to later call pipelined_send.\n\nThis leads to a very hard to trigger race where a do_mq_timedreceive\ncall might return and leave do_mq_timedsend to rely on an invalid\naddress, causing the following crash:\n\n RIP: 0010:wake_q_add_safe+0x13/0x60\n Call Trace:\n __x64_sys_mq_timedsend+0x2a9/0x490\n do_syscall_64+0x80/0x680\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n RIP: 0033:0x7f5928e40343\n\nThe race occurs as:\n\n1. do_mq_timedreceive calls wq_sleep with the address of `struct\n ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it\n holds a valid `struct ext_wait_queue *` as long as the stack has not\n been overwritten.\n\n2. `ewq_addr` gets added to info-\u003ee_wait_q[RECV].list in wq_add, and\n do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call\n __pipelined_op.\n\n3. Sender calls __pipelined_op::smp_store_release(\u0026this-\u003estate,\n STATE_READY). Here is where the race window begins. (`this` is\n `ewq_addr`.)\n\n4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it\n will see `state == STATE_READY` and break.\n\n5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed\n to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive\u0027s\n stack. (Although the address may not get overwritten until another\n function happens to touch it, which means it can persist around for an\n indefinite time.)\n\n6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a\n `struct ext_wait_queue *`, and uses it to find a task_struct to pass to\n the wake_q_add_safe call. In the lucky case where nothing has\n overwritten `ewq_addr` yet, `ewq_addr-\u003etask` is the right task_struct.\n In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a\n bogus address as the receiver\u0027s task_struct causing the crash.\n\ndo_mq_timedsend::__pipelined_op() should not dereference `this` after\nsetting STATE_READY, as the receiver counterpart is now free to return.\nChange __pipelined_op to call wake_q_add_safe on the receiver\u0027s\ntask_struct returned by get_task_struct, instead of dereferencing `this`\nwhich sits on the receiver\u0027s stack.\n\nAs Manfred pointed out, the race potentially also exists in\nipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix\nthose in the same way." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:40.475Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4528c0c323085e645b8765913b4a7fd42cf49b65" }, { "url": "https://git.kernel.org/stable/c/807fa14536b26803b858da878b643be72952a097" }, { "url": "https://git.kernel.org/stable/c/a11ddb37bf367e6b5239b95ca759e5389bb46048" } ], "title": "ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47069", "datePublished": "2024-03-01T21:15:08.598Z", "dateReserved": "2024-02-29T22:33:44.296Z", "dateUpdated": "2024-12-19T07:34:40.475Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52520
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: think-lmi: Fix reference leak
If a duplicate attribute is found using kset_find_obj(), a reference
to that attribute is returned which needs to be disposed accordingly
using kobject_put(). Move the setting name validation into a separate
function to allow for this change without having to duplicate the
cleanup code for this setting.
As a side note, a very similar bug was fixed in
commit 7295a996fdab ("platform/x86: dell-sysman: Fix reference leak"),
so it seems that the bug was copied from that driver.
Compile-tested only.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52520", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T19:38:10.734517Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:59.479Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.769Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/124cf0ea4b82e1444ec8c7420af4e7db5558c293" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/af21c9119a37cecb7ff27ce0c2f3cf721e9d0ec4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c6e3023579de8d33256771ac0745239029e81106" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/528ab3e605cabf2f9c9bd5944d3bfe15f6e94f81" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/platform/x86/think-lmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "124cf0ea4b82e1444ec8c7420af4e7db5558c293", "status": "affected", "version": "1bcad8e510b27ad843315ab2c27ccf459e3acded", "versionType": "git" }, { "lessThan": "af21c9119a37cecb7ff27ce0c2f3cf721e9d0ec4", "status": "affected", "version": "1bcad8e510b27ad843315ab2c27ccf459e3acded", "versionType": "git" }, { "lessThan": "c6e3023579de8d33256771ac0745239029e81106", "status": "affected", "version": "1bcad8e510b27ad843315ab2c27ccf459e3acded", "versionType": "git" }, { "lessThan": "528ab3e605cabf2f9c9bd5944d3bfe15f6e94f81", "status": "affected", "version": "1bcad8e510b27ad843315ab2c27ccf459e3acded", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/platform/x86/think-lmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.136", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.59", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix reference leak\n\nIf a duplicate attribute is found using kset_find_obj(), a reference\nto that attribute is returned which needs to be disposed accordingly\nusing kobject_put(). Move the setting name validation into a separate\nfunction to allow for this change without having to duplicate the\ncleanup code for this setting.\nAs a side note, a very similar bug was fixed in\ncommit 7295a996fdab (\"platform/x86: dell-sysman: Fix reference leak\"),\nso it seems that the bug was copied from that driver.\n\nCompile-tested only." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:23.346Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/124cf0ea4b82e1444ec8c7420af4e7db5558c293" }, { "url": "https://git.kernel.org/stable/c/af21c9119a37cecb7ff27ce0c2f3cf721e9d0ec4" }, { "url": "https://git.kernel.org/stable/c/c6e3023579de8d33256771ac0745239029e81106" }, { "url": "https://git.kernel.org/stable/c/528ab3e605cabf2f9c9bd5944d3bfe15f6e94f81" } ], "title": "platform/x86: think-lmi: Fix reference leak", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52520", "datePublished": "2024-03-02T21:52:28.434Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-12-19T08:21:23.346Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52529
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: sony: Fix a potential memory leak in sony_probe()
If an error occurs after a successful usb_alloc_urb() call, usb_free_urb()
should be called.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52529", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-06T16:05:55.774049Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T16:02:10.257Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.670Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bb0707fde7492121917fd9ddb43829e96ec0bb9e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f237b17611fa3501f43f12d1cb64323e10fdcb4f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f566efa7de1e35e6523f4acbaf85068a540be07d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e1cd4004cde7c9b694bbdd8def0e02288ee58c74" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-sony.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "bb0707fde7492121917fd9ddb43829e96ec0bb9e", "status": "affected", "version": "fb1a79a6b6e1223ddb18f12aa35e36f832da2290", "versionType": "git" }, { "lessThan": "f237b17611fa3501f43f12d1cb64323e10fdcb4f", "status": "affected", "version": "fb1a79a6b6e1223ddb18f12aa35e36f832da2290", "versionType": "git" }, { "lessThan": "f566efa7de1e35e6523f4acbaf85068a540be07d", "status": "affected", "version": "fb1a79a6b6e1223ddb18f12aa35e36f832da2290", "versionType": "git" }, { "lessThan": "e1cd4004cde7c9b694bbdd8def0e02288ee58c74", "status": "affected", "version": "fb1a79a6b6e1223ddb18f12aa35e36f832da2290", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-sony.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.135", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: sony: Fix a potential memory leak in sony_probe()\n\nIf an error occurs after a successful usb_alloc_urb() call, usb_free_urb()\nshould be called." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:32.748Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/bb0707fde7492121917fd9ddb43829e96ec0bb9e" }, { "url": "https://git.kernel.org/stable/c/f237b17611fa3501f43f12d1cb64323e10fdcb4f" }, { "url": "https://git.kernel.org/stable/c/f566efa7de1e35e6523f4acbaf85068a540be07d" }, { "url": "https://git.kernel.org/stable/c/e1cd4004cde7c9b694bbdd8def0e02288ee58c74" } ], "title": "HID: sony: Fix a potential memory leak in sony_probe()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52529", "datePublished": "2024-03-02T21:52:34.217Z", "dateReserved": "2024-02-20T12:30:33.318Z", "dateUpdated": "2024-12-19T08:21:32.748Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-48627
Vulnerability from cvelistv5
Published
2024-03-02 21:31
Modified
2024-12-19 08:04
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vt: fix memory overlapping when deleting chars in the buffer
A memory overlapping copy occurs when deleting a long line. This memory
overlapping copy can cause data corruption when scr_memcpyw is optimized
to memcpy because memcpy does not ensure its behavior if the destination
buffer overlaps with the source buffer. The line buffer is not always
broken, because the memcpy utilizes the hardware acceleration, whose
result is not deterministic.
Fix this problem by using replacing the scr_memcpyw with scr_memmovew.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 81732c3b2fede049a692e58a7ceabb6d18ffb18c Version: 81732c3b2fede049a692e58a7ceabb6d18ffb18c Version: 81732c3b2fede049a692e58a7ceabb6d18ffb18c Version: 81732c3b2fede049a692e58a7ceabb6d18ffb18c Version: 81732c3b2fede049a692e58a7ceabb6d18ffb18c Version: 81732c3b2fede049a692e58a7ceabb6d18ffb18c |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-48627", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-12T14:23:17.504508Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T15:49:13.255Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-03T15:17:55.441Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c8686c014b5e872ba7e334f33ca553f14446fc29" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/815be99d934e3292906536275f2b8d5131cdf52c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bfee93c9a6c395f9aa62268f1cedf64999844926" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/57964a5710252bc82fe22d9fa98c180c58c20244" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/14d2cc21ca622310babf373e3a8f0b40acfe8265" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/39cdb68c64d84e71a4a717000b6e5de208ee60cc" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/tty/vt/vt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c8686c014b5e872ba7e334f33ca553f14446fc29", "status": "affected", "version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c", "versionType": "git" }, { "lessThan": "815be99d934e3292906536275f2b8d5131cdf52c", "status": "affected", "version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c", "versionType": "git" }, { "lessThan": "bfee93c9a6c395f9aa62268f1cedf64999844926", "status": "affected", "version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c", "versionType": "git" }, { "lessThan": "57964a5710252bc82fe22d9fa98c180c58c20244", "status": "affected", "version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c", "versionType": "git" }, { "lessThan": "14d2cc21ca622310babf373e3a8f0b40acfe8265", "status": "affected", "version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c", "versionType": "git" }, { "lessThan": "39cdb68c64d84e71a4a717000b6e5de208ee60cc", "status": "affected", "version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/tty/vt/vt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.7" }, { "lessThan": "3.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.312", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.274", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.132", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.56", "versionType": "semver" }, { "lessThanOrEqual": "5.18.*", "status": "unaffected", "version": "5.18.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.19", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix memory overlapping when deleting chars in the buffer\n\nA memory overlapping copy occurs when deleting a long line. This memory\noverlapping copy can cause data corruption when scr_memcpyw is optimized\nto memcpy because memcpy does not ensure its behavior if the destination\nbuffer overlaps with the source buffer. The line buffer is not always\nbroken, because the memcpy utilizes the hardware acceleration, whose\nresult is not deterministic.\n\nFix this problem by using replacing the scr_memcpyw with scr_memmovew." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:04:36.213Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c8686c014b5e872ba7e334f33ca553f14446fc29" }, { "url": "https://git.kernel.org/stable/c/815be99d934e3292906536275f2b8d5131cdf52c" }, { "url": "https://git.kernel.org/stable/c/bfee93c9a6c395f9aa62268f1cedf64999844926" }, { "url": "https://git.kernel.org/stable/c/57964a5710252bc82fe22d9fa98c180c58c20244" }, { "url": "https://git.kernel.org/stable/c/14d2cc21ca622310babf373e3a8f0b40acfe8265" }, { "url": "https://git.kernel.org/stable/c/39cdb68c64d84e71a4a717000b6e5de208ee60cc" } ], "title": "vt: fix memory overlapping when deleting chars in the buffer", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-48627", "datePublished": "2024-03-02T21:31:48.383Z", "dateReserved": "2024-02-25T13:44:28.314Z", "dateUpdated": "2024-12-19T08:04:36.213Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52568
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race
The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an
enclave and set secs.epc_page to NULL. The SECS page is used for EAUG
and ELDU in the SGX page fault handler. However, the NULL check for
secs.epc_page is only done for ELDU, not EAUG before being used.
Fix this by doing the same NULL check and reloading of the SECS page as
needed for both EAUG and ELDU.
The SECS page holds global enclave metadata. It can only be reclaimed
when there are no other enclave pages remaining. At that point,
virtually nothing can be done with the enclave until the SECS page is
paged back in.
An enclave can not run nor generate page faults without a resident SECS
page. But it is still possible for a #PF for a non-SECS page to race
with paging out the SECS page: when the last resident non-SECS page A
triggers a #PF in a non-resident page B, and then page A and the SECS
both are paged out before the #PF on B is handled.
Hitting this bug requires that race triggered with a #PF for EAUG.
Following is a trace when it happens.
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
Call Trace:
? __kmem_cache_alloc_node+0x16a/0x440
? xa_load+0x6e/0xa0
sgx_vma_fault+0x119/0x230
__do_fault+0x36/0x140
do_fault+0x12f/0x400
__handle_mm_fault+0x728/0x1110
handle_mm_fault+0x105/0x310
do_user_addr_fault+0x1ee/0x750
? __this_cpu_preempt_check+0x13/0x20
exc_page_fault+0x76/0x180
asm_exc_page_fault+0x27/0x30
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52568", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T19:38:35.489870Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:13.348Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.885Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kernel/cpu/sgx/encl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "811ba2ef0cb6402672e64ba1419d6ef95aa3405d", "status": "affected", "version": "5a90d2c3f5ef87717e54572af8426aba6fdbdaa6", "versionType": "git" }, { "lessThan": "1348f7f15d7c7798456856bee74a4235c2da994e", "status": "affected", "version": "5a90d2c3f5ef87717e54572af8426aba6fdbdaa6", "versionType": "git" }, { "lessThan": "c6c2adcba50c2622ed25ba5d5e7f05f584711358", "status": "affected", "version": "5a90d2c3f5ef87717e54572af8426aba6fdbdaa6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kernel/cpu/sgx/encl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\n\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\nand ELDU in the SGX page fault handler. However, the NULL check for\nsecs.epc_page is only done for ELDU, not EAUG before being used.\n\nFix this by doing the same NULL check and reloading of the SECS page as\nneeded for both EAUG and ELDU.\n\nThe SECS page holds global enclave metadata. It can only be reclaimed\nwhen there are no other enclave pages remaining. At that point,\nvirtually nothing can be done with the enclave until the SECS page is\npaged back in.\n\nAn enclave can not run nor generate page faults without a resident SECS\npage. But it is still possible for a #PF for a non-SECS page to race\nwith paging out the SECS page: when the last resident non-SECS page A\ntriggers a #PF in a non-resident page B, and then page A and the SECS\nboth are paged out before the #PF on B is handled.\n\nHitting this bug requires that race triggered with a #PF for EAUG.\nFollowing is a trace when it happens.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\nCall Trace:\n ? __kmem_cache_alloc_node+0x16a/0x440\n ? xa_load+0x6e/0xa0\n sgx_vma_fault+0x119/0x230\n __do_fault+0x36/0x140\n do_fault+0x12f/0x400\n __handle_mm_fault+0x728/0x1110\n handle_mm_fault+0x105/0x310\n do_user_addr_fault+0x1ee/0x750\n ? __this_cpu_preempt_check+0x13/0x20\n exc_page_fault+0x76/0x180\n asm_exc_page_fault+0x27/0x30" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:48.492Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d" }, { "url": "https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e" }, { "url": "https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358" } ], "title": "x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52568", "datePublished": "2024-03-02T21:59:39.451Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:48.492Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52518
Vulnerability from cvelistv5
Published
2024-03-02 21:54
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_codec: Fix leaking content of local_codecs
The following memory leak can be observed when the controller supports
codecs which are stored in local_codecs list but the elements are never
freed:
unreferenced object 0xffff88800221d840 (size 32):
comm "kworker/u3:0", pid 36, jiffies 4294898739 (age 127.060s)
hex dump (first 32 bytes):
f8 d3 02 03 80 88 ff ff 80 d8 21 02 80 88 ff ff ..........!.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffb324f557>] __kmalloc+0x47/0x120
[<ffffffffb39ef37d>] hci_codec_list_add.isra.0+0x2d/0x160
[<ffffffffb39ef643>] hci_read_codec_capabilities+0x183/0x270
[<ffffffffb39ef9ab>] hci_read_supported_codecs+0x1bb/0x2d0
[<ffffffffb39f162e>] hci_read_local_codecs_sync+0x3e/0x60
[<ffffffffb39ff1b3>] hci_dev_open_sync+0x943/0x11e0
[<ffffffffb396d55d>] hci_power_on+0x10d/0x3f0
[<ffffffffb30c99b4>] process_one_work+0x404/0x800
[<ffffffffb30ca134>] worker_thread+0x374/0x670
[<ffffffffb30d9108>] kthread+0x188/0x1c0
[<ffffffffb304db6b>] ret_from_fork+0x2b/0x50
[<ffffffffb300206a>] ret_from_fork_asm+0x1a/0x30
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52518", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T14:55:30.640088Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T15:47:47.632Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.700Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/626535077ba9dc110787540d1fe24881094c15a1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eea5a8f0c3b7c884d2351e75fbdd0a3d7def5ae1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b938790e70540bf4f2e653dcd74b232494d06c8f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_core.c", "net/bluetooth/hci_event.c", "net/bluetooth/hci_sync.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "626535077ba9dc110787540d1fe24881094c15a1", "status": "affected", "version": "8961987f3f5fa2f2618e72304d013c8dd5e604a6", "versionType": "git" }, { "lessThan": "eea5a8f0c3b7c884d2351e75fbdd0a3d7def5ae1", "status": "affected", "version": "8961987f3f5fa2f2618e72304d013c8dd5e604a6", "versionType": "git" }, { "lessThan": "b938790e70540bf4f2e653dcd74b232494d06c8f", "status": "affected", "version": "8961987f3f5fa2f2618e72304d013c8dd5e604a6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_core.c", "net/bluetooth/hci_event.c", "net/bluetooth/hci_sync.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.16" }, { "lessThan": "5.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_codec: Fix leaking content of local_codecs\n\nThe following memory leak can be observed when the controller supports\ncodecs which are stored in local_codecs list but the elements are never\nfreed:\n\nunreferenced object 0xffff88800221d840 (size 32):\n comm \"kworker/u3:0\", pid 36, jiffies 4294898739 (age 127.060s)\n hex dump (first 32 bytes):\n f8 d3 02 03 80 88 ff ff 80 d8 21 02 80 88 ff ff ..........!.....\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffffb324f557\u003e] __kmalloc+0x47/0x120\n [\u003cffffffffb39ef37d\u003e] hci_codec_list_add.isra.0+0x2d/0x160\n [\u003cffffffffb39ef643\u003e] hci_read_codec_capabilities+0x183/0x270\n [\u003cffffffffb39ef9ab\u003e] hci_read_supported_codecs+0x1bb/0x2d0\n [\u003cffffffffb39f162e\u003e] hci_read_local_codecs_sync+0x3e/0x60\n [\u003cffffffffb39ff1b3\u003e] hci_dev_open_sync+0x943/0x11e0\n [\u003cffffffffb396d55d\u003e] hci_power_on+0x10d/0x3f0\n [\u003cffffffffb30c99b4\u003e] process_one_work+0x404/0x800\n [\u003cffffffffb30ca134\u003e] worker_thread+0x374/0x670\n [\u003cffffffffb30d9108\u003e] kthread+0x188/0x1c0\n [\u003cffffffffb304db6b\u003e] ret_from_fork+0x2b/0x50\n [\u003cffffffffb300206a\u003e] ret_from_fork_asm+0x1a/0x30" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:21.069Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/626535077ba9dc110787540d1fe24881094c15a1" }, { "url": "https://git.kernel.org/stable/c/eea5a8f0c3b7c884d2351e75fbdd0a3d7def5ae1" }, { "url": "https://git.kernel.org/stable/c/b938790e70540bf4f2e653dcd74b232494d06c8f" } ], "title": "Bluetooth: hci_codec: Fix leaking content of local_codecs", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52518", "datePublished": "2024-03-02T21:54:47.826Z", "dateReserved": "2024-02-20T12:30:33.317Z", "dateUpdated": "2024-12-19T08:21:21.069Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47079
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: ideapad-laptop: fix a NULL pointer dereference
The third parameter of dytc_cql_command should not be NULL since it will
be dereferenced immediately.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47079", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:14:46.324077Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:14:56.130Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.849Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/beab753fe3b4e087411a850a64c6cd748544d8a1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ff67dbd554b2aaa22be933eced32610ff90209dd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/platform/x86/ideapad-laptop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "beab753fe3b4e087411a850a64c6cd748544d8a1", "status": "affected", "version": "ff36b0d953dc4cbc40a72945920ff8e805f1b0da", "versionType": "git" }, { "lessThan": "ff67dbd554b2aaa22be933eced32610ff90209dd", "status": "affected", "version": "ff36b0d953dc4cbc40a72945920ff8e805f1b0da", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/platform/x86/ideapad-laptop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: ideapad-laptop: fix a NULL pointer dereference\n\nThe third parameter of dytc_cql_command should not be NULL since it will\nbe dereferenced immediately." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:51.684Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/beab753fe3b4e087411a850a64c6cd748544d8a1" }, { "url": "https://git.kernel.org/stable/c/ff67dbd554b2aaa22be933eced32610ff90209dd" } ], "title": "platform/x86: ideapad-laptop: fix a NULL pointer dereference", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47079", "datePublished": "2024-03-01T21:15:15.294Z", "dateReserved": "2024-02-29T22:33:44.298Z", "dateUpdated": "2024-12-19T07:34:51.684Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52560
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()
When CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y
and CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.
Since commit 9f86d624292c ("mm/damon/vaddr-test: remove unnecessary
variables"), the damon_destroy_ctx() is removed, but still call
damon_new_target() and damon_new_region(), the damon_region which is
allocated by kmem_cache_alloc() in damon_new_region() and the damon_target
which is allocated by kmalloc in damon_new_target() are not freed. And
the damon_region which is allocated in damon_new_region() in
damon_set_regions() is also not freed.
So use damon_destroy_target to free all the damon_regions and damon_target.
unreferenced object 0xffff888107c9a940 (size 64):
comm "kunit_try_catch", pid 1069, jiffies 4294670592 (age 732.761s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk
60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff `...............
backtrace:
[<ffffffff817e0167>] kmalloc_trace+0x27/0xa0
[<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0
[<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0
[<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffffffff81003791>] ret_from_fork_asm+0x11/0x20
unreferenced object 0xffff8881079cc740 (size 56):
comm "kunit_try_catch", pid 1069, jiffies 4294670592 (age 732.761s)
hex dump (first 32 bytes):
05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................
6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk
backtrace:
[<ffffffff819bc492>] damon_new_region+0x22/0x1c0
[<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0
[<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffffffff81003791>] ret_from_fork_asm+0x11/0x20
unreferenced object 0xffff888107c9ac40 (size 64):
comm "kunit_try_catch", pid 1071, jiffies 4294670595 (age 732.843s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk
a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff ........x.v.....
backtrace:
[<ffffffff817e0167>] kmalloc_trace+0x27/0xa0
[<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0
[<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0
[<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffffffff81003791>] ret_from_fork_asm+0x11/0x20
unreferenced object 0xffff8881079ccc80 (size 56):
comm "kunit_try_catch", pid 1071, jiffies 4294670595 (age 732.843s)
hex dump (first 32 bytes):
05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................
6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk
backtrace:
[<ffffffff819bc492>] damon_new_region+0x22/0x1c0
[<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0
[<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffff
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52560", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T15:35:56.845645Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:24:06.685Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9a4fe81a8644b717d57d81ce5849e16583b13fe8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6b522001693aa113d97a985abc5f6932972e8e86" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/45120b15743fa7c0aa53d5db6dfb4c8f87be4abd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/damon/vaddr-test.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9a4fe81a8644b717d57d81ce5849e16583b13fe8", "status": "affected", "version": "9f86d624292c238203b3687cdb870a2cde1a6f9b", "versionType": "git" }, { "lessThan": "6b522001693aa113d97a985abc5f6932972e8e86", "status": "affected", "version": "9f86d624292c238203b3687cdb870a2cde1a6f9b", "versionType": "git" }, { "lessThan": "45120b15743fa7c0aa53d5db6dfb4c8f87be4abd", "status": "affected", "version": "9f86d624292c238203b3687cdb870a2cde1a6f9b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/damon/vaddr-test.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.16" }, { "lessThan": "5.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\n\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\n\nSince commit 9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed. And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\n\nSo use damon_destroy_target to free all the damon_regions and damon_target.\n\n unreferenced object 0xffff888107c9a940 (size 64):\n comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk\n 60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff `...............\n backtrace:\n [\u003cffffffff817e0167\u003e] kmalloc_trace+0x27/0xa0\n [\u003cffffffff819c11cf\u003e] damon_new_target+0x3f/0x1b0\n [\u003cffffffff819c7d55\u003e] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n [\u003cffffffff819c82be\u003e] damon_test_apply_three_regions1+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffffffff81003791\u003e] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff8881079cc740 (size 56):\n comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n hex dump (first 32 bytes):\n 05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................\n 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk\n backtrace:\n [\u003cffffffff819bc492\u003e] damon_new_region+0x22/0x1c0\n [\u003cffffffff819c7d91\u003e] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n [\u003cffffffff819c82be\u003e] damon_test_apply_three_regions1+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffffffff81003791\u003e] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff888107c9ac40 (size 64):\n comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk\n a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff ........x.v.....\n backtrace:\n [\u003cffffffff817e0167\u003e] kmalloc_trace+0x27/0xa0\n [\u003cffffffff819c11cf\u003e] damon_new_target+0x3f/0x1b0\n [\u003cffffffff819c7d55\u003e] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n [\u003cffffffff819c851e\u003e] damon_test_apply_three_regions2+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffffffff81003791\u003e] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff8881079ccc80 (size 56):\n comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n hex dump (first 32 bytes):\n 05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................\n 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk\n backtrace:\n [\u003cffffffff819bc492\u003e] damon_new_region+0x22/0x1c0\n [\u003cffffffff819c7d91\u003e] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n [\u003cffffffff819c851e\u003e] damon_test_apply_three_regions2+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffff\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:38.528Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9a4fe81a8644b717d57d81ce5849e16583b13fe8" }, { "url": "https://git.kernel.org/stable/c/6b522001693aa113d97a985abc5f6932972e8e86" }, { "url": "https://git.kernel.org/stable/c/45120b15743fa7c0aa53d5db6dfb4c8f87be4abd" } ], "title": "mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52560", "datePublished": "2024-03-02T21:59:34.084Z", "dateReserved": "2024-03-02T21:55:42.566Z", "dateUpdated": "2024-12-19T08:21:38.528Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52577
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dccp: fix dccp_v4_err()/dccp_v6_err() again
dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr",
not in the "byte 7" as Jann claimed.
We need to make sure the ICMP messages are big enough,
using more standard ways (no more assumptions).
syzbot reported:
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]
BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
pskb_may_pull include/linux/skbuff.h:2681 [inline]
dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867
icmpv6_rcv+0x19d5/0x30d0
ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:304 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:468 [inline]
ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:304 [inline]
ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
netif_receive_skb_internal net/core/dev.c:5723 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5782
tun_rx_batched+0x83b/0x920
tun_get_user+0x564c/0x6940 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:1985 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8ef/0x15c0 fs/read_write.c:584
ksys_write+0x20f/0x4c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:650
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795
tun_alloc_skb drivers/net/tun.c:1531 [inline]
tun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:1985 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8ef/0x15c0 fs/read_write.c:584
ksys_write+0x20f/0x4c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 3533e10272555c422a7d51ebc0ce8c483429f7f2 Version: 177212bf6dc1ff2d13d0409cddc5c9e81feec63d Version: 7a7dd70cb954d3efa706a429687ded88c02496fa Version: 4b8a938e329ae4eb54b73b0c87b5170607b038a8 Version: 6ecf09699eb1554299aa1e7fd13e9e80f656c2f9 Version: f8a7f10a1dccf9868ff09342a73dce27501b86df Version: ec620c34f5fa5d055f9f6136a387755db6157712 Version: 977ad86c2a1bcaf58f01ab98df5cc145083c489c |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52577", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-26T20:40:23.115267Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-26T20:40:47.293Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:21.243Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4600beae416d754a3cedbb1ecea8181ec05073b6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/62c218124fe58372e0e1f60d5b634d21c264b337" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a6f4d582e25d512c9b492670b6608436694357b3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/60d73c62e3e4464f375758b6f2459c13d46465b6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/26df9ab5de308caa1503d937533c56c35793018d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/73be49248a04746096339a48a33fa2f03bd85969" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1512d8f45d3c5d0b5baa00bd8e600492fa569f40" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6af289746a636f71f4c0535a9801774118486c7a" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/dccp/ipv4.c", "net/dccp/ipv6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4600beae416d754a3cedbb1ecea8181ec05073b6", "status": "affected", "version": "3533e10272555c422a7d51ebc0ce8c483429f7f2", "versionType": "git" }, { "lessThan": "62c218124fe58372e0e1f60d5b634d21c264b337", "status": "affected", "version": "177212bf6dc1ff2d13d0409cddc5c9e81feec63d", "versionType": "git" }, { "lessThan": "a6f4d582e25d512c9b492670b6608436694357b3", "status": "affected", "version": "7a7dd70cb954d3efa706a429687ded88c02496fa", "versionType": "git" }, { "lessThan": "60d73c62e3e4464f375758b6f2459c13d46465b6", "status": "affected", "version": "4b8a938e329ae4eb54b73b0c87b5170607b038a8", "versionType": "git" }, { "lessThan": "26df9ab5de308caa1503d937533c56c35793018d", "status": "affected", "version": "6ecf09699eb1554299aa1e7fd13e9e80f656c2f9", "versionType": "git" }, { "lessThan": "73be49248a04746096339a48a33fa2f03bd85969", "status": "affected", "version": "f8a7f10a1dccf9868ff09342a73dce27501b86df", "versionType": "git" }, { "lessThan": "1512d8f45d3c5d0b5baa00bd8e600492fa569f40", "status": "affected", "version": "ec620c34f5fa5d055f9f6136a387755db6157712", "versionType": "git" }, { "lessThan": "6af289746a636f71f4c0535a9801774118486c7a", "status": "affected", "version": "977ad86c2a1bcaf58f01ab98df5cc145083c489c", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/dccp/ipv4.c", "net/dccp/ipv6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4.14.327", "status": "affected", "version": "4.14.326", "versionType": "semver" }, { "lessThan": "4.19.296", "status": "affected", "version": "4.19.295", "versionType": "semver" }, { "lessThan": "5.4.258", "status": "affected", "version": "5.4.257", "versionType": "semver" }, { "lessThan": "5.10.198", "status": "affected", "version": "5.10.195", "versionType": "semver" }, { "lessThan": "5.15.134", "status": "affected", "version": "5.15.132", "versionType": "semver" }, { "lessThan": "6.1.56", "status": "affected", "version": "6.1.53", "versionType": "semver" }, { "lessThan": "6.5.6", "status": "affected", "version": "6.5.3", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: fix dccp_v4_err()/dccp_v6_err() again\n\ndh-\u003edccph_x is the 9th byte (offset 8) in \"struct dccp_hdr\",\nnot in the \"byte 7\" as Jann claimed.\n\nWe need to make sure the ICMP messages are big enough,\nusing more standard ways (no more assumptions).\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\nBUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]\nBUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\npskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\ndccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\nicmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867\nicmpv6_rcv+0x19d5/0x30d0\nip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\nip6_input_finish net/ipv6/ip6_input.c:483 [inline]\nNF_HOOK include/linux/netfilter.h:304 [inline]\nip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\nip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\ndst_input include/net/dst.h:468 [inline]\nip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\nNF_HOOK include/linux/netfilter.h:304 [inline]\nipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n__netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\nnetif_receive_skb_internal net/core/dev.c:5723 [inline]\nnetif_receive_skb+0x58/0x660 net/core/dev.c:5782\ntun_rx_batched+0x83b/0x920\ntun_get_user+0x564c/0x6940 drivers/net/tun.c:2002\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\nslab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n__alloc_skb+0x318/0x740 net/core/skbuff.c:650\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313\nsock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795\ntun_alloc_skb drivers/net/tun.c:1531 [inline]\ntun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:57.796Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4600beae416d754a3cedbb1ecea8181ec05073b6" }, { "url": "https://git.kernel.org/stable/c/62c218124fe58372e0e1f60d5b634d21c264b337" }, { "url": "https://git.kernel.org/stable/c/a6f4d582e25d512c9b492670b6608436694357b3" }, { "url": "https://git.kernel.org/stable/c/60d73c62e3e4464f375758b6f2459c13d46465b6" }, { "url": "https://git.kernel.org/stable/c/26df9ab5de308caa1503d937533c56c35793018d" }, { "url": "https://git.kernel.org/stable/c/73be49248a04746096339a48a33fa2f03bd85969" }, { "url": "https://git.kernel.org/stable/c/1512d8f45d3c5d0b5baa00bd8e600492fa569f40" }, { "url": "https://git.kernel.org/stable/c/6af289746a636f71f4c0535a9801774118486c7a" } ], "title": "dccp: fix dccp_v4_err()/dccp_v6_err() again", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52577", "datePublished": "2024-03-02T21:59:45.279Z", "dateReserved": "2024-03-02T21:55:42.568Z", "dateUpdated": "2024-12-19T08:21:57.796Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52564
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.
The commit above is reverted as it did not solve the original issue.
gsm_cleanup_mux() tries to free up the virtual ttys by calling
gsm_dlci_release() for each available DLCI. There, dlci_put() is called to
decrease the reference counter for the DLCI via tty_port_put() which
finally calls gsm_dlci_free(). This already clears the pointer which is
being checked in gsm_cleanup_mux() before calling gsm_dlci_release().
Therefore, it is not necessary to clear this pointer in gsm_cleanup_mux()
as done in the reverted commit. The commit introduces a null pointer
dereference:
<TASK>
? __die+0x1f/0x70
? page_fault_oops+0x156/0x420
? search_exception_tables+0x37/0x50
? fixup_exception+0x21/0x310
? exc_page_fault+0x69/0x150
? asm_exc_page_fault+0x26/0x30
? tty_port_put+0x19/0xa0
gsmtty_cleanup+0x29/0x80 [n_gsm]
release_one_tty+0x37/0xe0
process_one_work+0x1e6/0x3e0
worker_thread+0x4c/0x3d0
? __pfx_worker_thread+0x10/0x10
kthread+0xe1/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
The actual issue is that nothing guards dlci_put() from being called
multiple times while the tty driver was triggered but did not yet finished
calling gsm_dlci_free().
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8fc0eabaa73bbd9bd705577071564616da5c8c61 Version: 5138c228311a863c3cf937b94a3ab4c87f1f70c4 Version: 9615ca54bc138e35353a001e8b5d4824dce72188 Version: 9b9c8195f3f0d74a826077fc1c01b9ee74907239 Version: 9b9c8195f3f0d74a826077fc1c01b9ee74907239 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52564", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-07T20:09:41.921733Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:06.965Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.987Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/tty/n_gsm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6d5c8862932d31a810b6545f7d69ecc124402c6e", "status": "affected", "version": "8fc0eabaa73bbd9bd705577071564616da5c8c61", "versionType": "git" }, { "lessThan": "a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb", "status": "affected", "version": "5138c228311a863c3cf937b94a3ab4c87f1f70c4", "versionType": "git" }, { "lessThan": "c61d0b87a7028c2c10faffc524d748334c7b9827", "status": "affected", "version": "9615ca54bc138e35353a001e8b5d4824dce72188", "versionType": "git" }, { "lessThan": "2bff660e0ff349dee84dc4f6f6d10da4497f5b28", "status": "affected", "version": "9b9c8195f3f0d74a826077fc1c01b9ee74907239", "versionType": "git" }, { "lessThan": "29346e217b8ab8a52889b88f00b268278d6b7668", "status": "affected", "version": "9b9c8195f3f0d74a826077fc1c01b9ee74907239", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/tty/n_gsm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"\n\nThis reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.\n\nThe commit above is reverted as it did not solve the original issue.\n\ngsm_cleanup_mux() tries to free up the virtual ttys by calling\ngsm_dlci_release() for each available DLCI. There, dlci_put() is called to\ndecrease the reference counter for the DLCI via tty_port_put() which\nfinally calls gsm_dlci_free(). This already clears the pointer which is\nbeing checked in gsm_cleanup_mux() before calling gsm_dlci_release().\nTherefore, it is not necessary to clear this pointer in gsm_cleanup_mux()\nas done in the reverted commit. The commit introduces a null pointer\ndereference:\n \u003cTASK\u003e\n ? __die+0x1f/0x70\n ? page_fault_oops+0x156/0x420\n ? search_exception_tables+0x37/0x50\n ? fixup_exception+0x21/0x310\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? tty_port_put+0x19/0xa0\n gsmtty_cleanup+0x29/0x80 [n_gsm]\n release_one_tty+0x37/0xe0\n process_one_work+0x1e6/0x3e0\n worker_thread+0x4c/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe1/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nThe actual issue is that nothing guards dlci_put() from being called\nmultiple times while the tty driver was triggered but did not yet finished\ncalling gsm_dlci_free()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:43.366Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e" }, { "url": "https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb" }, { "url": "https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827" }, { "url": "https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28" }, { "url": "https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668" } ], "title": "Revert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52564", "datePublished": "2024-03-02T21:59:36.867Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:43.366Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47070
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio_hv_generic: Fix another memory leak in error handling paths
Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe
function is never freed in the error handling path.
Add the missing 'vmbus_free_ring()' call.
Note that it is already freed in the .remove function.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-47070", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T19:35:32.485237Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T18:26:07.449Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.793Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5f59240cf25b2f7a0fdffc2701482a70310fec07" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0b0226be3a52dadd965644bc52a807961c2c26df" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/uio/uio_hv_generic.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5f59240cf25b2f7a0fdffc2701482a70310fec07", "status": "affected", "version": "cdfa835c6e5e87d145f9f632b58843de97509f2b", "versionType": "git" }, { "lessThan": "0b0226be3a52dadd965644bc52a807961c2c26df", "status": "affected", "version": "cdfa835c6e5e87d145f9f632b58843de97509f2b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/uio/uio_hv_generic.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.20" }, { "lessThan": "4.20", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix another memory leak in error handling paths\n\nMemory allocated by \u0027vmbus_alloc_ring()\u0027 at the beginning of the probe\nfunction is never freed in the error handling path.\n\nAdd the missing \u0027vmbus_free_ring()\u0027 call.\n\nNote that it is already freed in the .remove function." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:41.591Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5f59240cf25b2f7a0fdffc2701482a70310fec07" }, { "url": "https://git.kernel.org/stable/c/0b0226be3a52dadd965644bc52a807961c2c26df" } ], "title": "uio_hv_generic: Fix another memory leak in error handling paths", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47070", "datePublished": "2024-03-01T21:15:09.387Z", "dateReserved": "2024-02-29T22:33:44.296Z", "dateUpdated": "2024-12-19T07:34:41.591Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52559
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Avoid memory allocation in iommu_suspend()
The iommu_suspend() syscore suspend callback is invoked with IRQ disabled.
Allocating memory with the GFP_KERNEL flag may re-enable IRQs during
the suspend callback, which can cause intermittent suspend/hibernation
problems with the following kernel traces:
Calling iommu_suspend+0x0/0x1d0
------------[ cut here ]------------
WARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0
...
CPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1
RIP: 0010:ktime_get+0x9b/0xb0
...
Call Trace:
<IRQ>
tick_sched_timer+0x22/0x90
? __pfx_tick_sched_timer+0x10/0x10
__hrtimer_run_queues+0x111/0x2b0
hrtimer_interrupt+0xfa/0x230
__sysvec_apic_timer_interrupt+0x63/0x140
sysvec_apic_timer_interrupt+0x7b/0xa0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1f/0x30
...
------------[ cut here ]------------
Interrupts enabled after iommu_suspend+0x0/0x1d0
WARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270
CPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1
RIP: 0010:syscore_suspend+0x147/0x270
...
Call Trace:
<TASK>
hibernation_snapshot+0x25b/0x670
hibernate+0xcd/0x390
state_store+0xcf/0xe0
kobj_attr_store+0x13/0x30
sysfs_kf_write+0x3f/0x50
kernfs_fop_write_iter+0x128/0x200
vfs_write+0x1fd/0x3c0
ksys_write+0x6f/0xf0
__x64_sys_write+0x1d/0x30
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Given that only 4 words memory is needed, avoid the memory allocation in
iommu_suspend().
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52559", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T15:56:43.408444Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:22:39.974Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.799Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iommu/intel/iommu.c", "drivers/iommu/intel/iommu.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "29298c85a81abdc512e87537515ed4b1a9601d0e", "status": "affected", "version": "33e07157105e472b746b70b3ed4197c57c43ab68", "versionType": "git" }, { "lessThan": "c12ef025add77ca3a0902e8719d552b6d47b4282", "status": "affected", "version": "33e07157105e472b746b70b3ed4197c57c43ab68", "versionType": "git" }, { "lessThan": "496c591f0b389eb782f36d9d4c2564b9a865eed0", "status": "affected", "version": "33e07157105e472b746b70b3ed4197c57c43ab68", "versionType": "git" }, { "lessThan": "59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e", "status": "affected", "version": "33e07157105e472b746b70b3ed4197c57c43ab68", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iommu/intel/iommu.c", "drivers/iommu/intel/iommu.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.11" }, { "lessThan": "5.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.136", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspend()\n\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\nthe suspend callback, which can cause intermittent suspend/hibernation\nproblems with the following kernel traces:\n\nCalling iommu_suspend+0x0/0x1d0\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\n...\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\nRIP: 0010:ktime_get+0x9b/0xb0\n...\nCall Trace:\n \u003cIRQ\u003e\n tick_sched_timer+0x22/0x90\n ? __pfx_tick_sched_timer+0x10/0x10\n __hrtimer_run_queues+0x111/0x2b0\n hrtimer_interrupt+0xfa/0x230\n __sysvec_apic_timer_interrupt+0x63/0x140\n sysvec_apic_timer_interrupt+0x7b/0xa0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x1f/0x30\n...\n------------[ cut here ]------------\nInterrupts enabled after iommu_suspend+0x0/0x1d0\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\nRIP: 0010:syscore_suspend+0x147/0x270\n...\nCall Trace:\n \u003cTASK\u003e\n hibernation_snapshot+0x25b/0x670\n hibernate+0xcd/0x390\n state_store+0xcf/0xe0\n kobj_attr_store+0x13/0x30\n sysfs_kf_write+0x3f/0x50\n kernfs_fop_write_iter+0x128/0x200\n vfs_write+0x1fd/0x3c0\n ksys_write+0x6f/0xf0\n __x64_sys_write+0x1d/0x30\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nGiven that only 4 words memory is needed, avoid the memory allocation in\niommu_suspend()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:37.380Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e" }, { "url": "https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282" }, { "url": "https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0" }, { "url": "https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e" } ], "title": "iommu/vt-d: Avoid memory allocation in iommu_suspend()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52559", "datePublished": "2024-03-02T21:59:33.301Z", "dateReserved": "2024-03-02T21:55:42.566Z", "dateUpdated": "2024-12-19T08:21:37.380Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52582
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:22
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Only call folio_start_fscache() one time for each folio
If a network filesystem using netfs implements a clamp_length()
function, it can set subrequest lengths smaller than a page size.
When we loop through the folios in netfs_rreq_unlock_folios() to
set any folios to be written back, we need to make sure we only
call folio_start_fscache() once for each folio.
Otherwise, this simple testcase:
mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs
dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s
echo 3 > /proc/sys/vm/drop_caches
cat /mnt/nfs/file.bin > /dev/null
will trigger an oops similar to the following:
page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))
------------[ cut here ]------------
kernel BUG at include/linux/netfs.h:44!
...
CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5
...
RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]
...
Call Trace:
netfs_rreq_assess+0x497/0x660 [netfs]
netfs_subreq_terminated+0x32b/0x610 [netfs]
nfs_netfs_read_completion+0x14e/0x1a0 [nfs]
nfs_read_completion+0x2f9/0x330 [nfs]
rpc_free_task+0x72/0xa0 [sunrpc]
rpc_async_release+0x46/0x70 [sunrpc]
process_one_work+0x3bd/0x710
worker_thread+0x89/0x610
kthread+0x181/0x1c0
ret_from_fork+0x29/0x50
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52582", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T19:13:04.085277Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:51.958Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:21.213Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/netfs/buffered_read.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "df9950d37df113db59495fa09d060754366a2b7c", "status": "affected", "version": "3d3c95046742e4eebaa4b891b0b01cbbed94ebbd", "versionType": "git" }, { "lessThan": "d9f5537479d4ec97ea92ff24e81a517d5772581a", "status": "affected", "version": "3d3c95046742e4eebaa4b891b0b01cbbed94ebbd", "versionType": "git" }, { "lessThan": "df1c357f25d808e30b216188330e708e09e1a412", "status": "affected", "version": "3d3c95046742e4eebaa4b891b0b01cbbed94ebbd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/netfs/buffered_read.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only call folio_start_fscache() one time for each folio\n\nIf a network filesystem using netfs implements a clamp_length()\nfunction, it can set subrequest lengths smaller than a page size.\n\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\nset any folios to be written back, we need to make sure we only\ncall folio_start_fscache() once for each folio.\n\nOtherwise, this simple testcase:\n\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\n 1+0 records in\n 1+0 records out\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\n echo 3 \u003e /proc/sys/vm/drop_caches\n cat /mnt/nfs/file.bin \u003e /dev/null\n\nwill trigger an oops similar to the following:\n\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\n ------------[ cut here ]------------\n kernel BUG at include/linux/netfs.h:44!\n ...\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\n ...\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\n ...\n Call Trace:\n netfs_rreq_assess+0x497/0x660 [netfs]\n netfs_subreq_terminated+0x32b/0x610 [netfs]\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\n nfs_read_completion+0x2f9/0x330 [nfs]\n rpc_free_task+0x72/0xa0 [sunrpc]\n rpc_async_release+0x46/0x70 [sunrpc]\n process_one_work+0x3bd/0x710\n worker_thread+0x89/0x610\n kthread+0x181/0x1c0\n ret_from_fork+0x29/0x50" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:22:02.872Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c" }, { "url": "https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a" }, { "url": "https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412" } ], "title": "netfs: Only call folio_start_fscache() one time for each folio", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52582", "datePublished": "2024-03-02T21:59:48.490Z", "dateReserved": "2024-03-02T21:55:42.569Z", "dateUpdated": "2024-12-19T08:22:02.872Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47075
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: fix memory leak in nvmet_alloc_ctrl()
When creating ctrl in nvmet_alloc_ctrl(), if the cntlid_min is larger
than cntlid_max of the subsystem, and jumps to the
"out_free_changed_ns_list" label, but the ctrl->sqs lack of be freed.
Fix this by jumping to the "out_free_sqs" label.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-47075", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T15:41:37.390042Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T21:34:27.643Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.501Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4720f29acb3fe67aa8aa71e6b675b079d193aaeb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/afb680ed7ecbb7fd66ddb43650e9b533fd8b4b9a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fec356a61aa3d3a66416b4321f1279e09e0f256f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/nvme/target/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4720f29acb3fe67aa8aa71e6b675b079d193aaeb", "status": "affected", "version": "94a39d61f80fcd679debda11e1ca02b88d90e67e", "versionType": "git" }, { "lessThan": "afb680ed7ecbb7fd66ddb43650e9b533fd8b4b9a", "status": "affected", "version": "94a39d61f80fcd679debda11e1ca02b88d90e67e", "versionType": "git" }, { "lessThan": "fec356a61aa3d3a66416b4321f1279e09e0f256f", "status": "affected", "version": "94a39d61f80fcd679debda11e1ca02b88d90e67e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/nvme/target/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.40", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix memory leak in nvmet_alloc_ctrl()\n\nWhen creating ctrl in nvmet_alloc_ctrl(), if the cntlid_min is larger\nthan cntlid_max of the subsystem, and jumps to the\n\"out_free_changed_ns_list\" label, but the ctrl-\u003esqs lack of be freed.\nFix this by jumping to the \"out_free_sqs\" label." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:47.239Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4720f29acb3fe67aa8aa71e6b675b079d193aaeb" }, { "url": "https://git.kernel.org/stable/c/afb680ed7ecbb7fd66ddb43650e9b533fd8b4b9a" }, { "url": "https://git.kernel.org/stable/c/fec356a61aa3d3a66416b4321f1279e09e0f256f" } ], "title": "nvmet: fix memory leak in nvmet_alloc_ctrl()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47075", "datePublished": "2024-03-01T21:15:12.739Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:47.239Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47072
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix removed dentries still existing after log is synced
When we move one inode from one directory to another and both the inode
and its previous parent directory were logged before, we are not supposed
to have the dentry for the old parent if we have a power failure after the
log is synced. Only the new dentry is supposed to exist.
Generally this works correctly, however there is a scenario where this is
not currently working, because the old parent of the file/directory that
was moved is not authoritative for a range that includes the dir index and
dir item keys of the old dentry. This case is better explained with the
following example and reproducer:
# The test requires a very specific layout of keys and items in the
# fs/subvolume btree to trigger the bug. So we want to make sure that
# on whatever platform we are, we have the same leaf/node size.
#
# Currently in btrfs the node/leaf size can not be smaller than the page
# size (but it can be greater than the page size). So use the largest
# supported node/leaf size (64K).
$ mkfs.btrfs -f -n 65536 /dev/sdc
$ mount /dev/sdc /mnt
# "testdir" is inode 257.
$ mkdir /mnt/testdir
$ chmod 755 /mnt/testdir
# Create several empty files to have the directory "testdir" with its
# items spread over several leaves (7 in this case).
$ for ((i = 1; i <= 1200; i++)); do
echo -n > /mnt/testdir/file$i
done
# Create our test directory "dira", inode number 1458, which gets all
# its items in leaf 7.
#
# The BTRFS_DIR_ITEM_KEY item for inode 257 ("testdir") that points to
# the entry named "dira" is in leaf 2, while the BTRFS_DIR_INDEX_KEY
# item that points to that entry is in leaf 3.
#
# For this particular filesystem node size (64K), file count and file
# names, we endup with the directory entry items from inode 257 in
# leaves 2 and 3, as previously mentioned - what matters for triggering
# the bug exercised by this test case is that those items are not placed
# in leaf 1, they must be placed in a leaf different from the one
# containing the inode item for inode 257.
#
# The corresponding BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY items for
# the parent inode (257) are the following:
#
# item 460 key (257 DIR_ITEM 3724298081) itemoff 48344 itemsize 34
# location key (1458 INODE_ITEM 0) type DIR
# transid 6 data_len 0 name_len 4
# name: dira
#
# and:
#
# item 771 key (257 DIR_INDEX 1202) itemoff 36673 itemsize 34
# location key (1458 INODE_ITEM 0) type DIR
# transid 6 data_len 0 name_len 4
# name: dira
$ mkdir /mnt/testdir/dira
# Make sure everything done so far is durably persisted.
$ sync
# Now do a change to inode 257 ("testdir") that does not result in
# COWing leaves 2 and 3 - the leaves that contain the directory items
# pointing to inode 1458 (directory "dira").
#
# Changing permissions, the owner/group, updating or adding a xattr,
# etc, will not change (COW) leaves 2 and 3. So for the sake of
# simplicity change the permissions of inode 257, which results in
# updating its inode item and therefore change (COW) only leaf 1.
$ chmod 700 /mnt/testdir
# Now fsync directory inode 257.
#
# Since only the first leaf was changed/COWed, we log the inode item of
# inode 257 and only the dentries found in the first leaf, all have a
# key type of BTRFS_DIR_ITEM_KEY, and no keys of type
# BTRFS_DIR_INDEX_KEY, because they sort after the former type and none
# exist in the first leaf.
#
# We also log 3 items that represent ranges for dir items and dir
# indexes for which the log is authoritative:
#
# 1) a key of type BTRFS_DIR_LOG_ITEM_KEY, which indicates the log is
# authoritative for all BTRFS_DIR_ITEM_KEY keys that have an offset
# in the range [0, 2285968570] (the offset here is th
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47072", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-11T16:49:49.252452Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:13:49.970Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.601Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6d0924c5b742036b4f20a0ffdf2b6cf3f963f5f6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/54a40fc3a1da21b52dbf19f72fdc27a2ec740760" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/tree-log.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6d0924c5b742036b4f20a0ffdf2b6cf3f963f5f6", "status": "affected", "version": "64d6b281ba4db044c946158387c74e1149b9487e", "versionType": "git" }, { "lessThan": "54a40fc3a1da21b52dbf19f72fdc27a2ec740760", "status": "affected", "version": "64d6b281ba4db044c946158387c74e1149b9487e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/tree-log.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix removed dentries still existing after log is synced\n\nWhen we move one inode from one directory to another and both the inode\nand its previous parent directory were logged before, we are not supposed\nto have the dentry for the old parent if we have a power failure after the\nlog is synced. Only the new dentry is supposed to exist.\n\nGenerally this works correctly, however there is a scenario where this is\nnot currently working, because the old parent of the file/directory that\nwas moved is not authoritative for a range that includes the dir index and\ndir item keys of the old dentry. This case is better explained with the\nfollowing example and reproducer:\n\n # The test requires a very specific layout of keys and items in the\n # fs/subvolume btree to trigger the bug. So we want to make sure that\n # on whatever platform we are, we have the same leaf/node size.\n #\n # Currently in btrfs the node/leaf size can not be smaller than the page\n # size (but it can be greater than the page size). So use the largest\n # supported node/leaf size (64K).\n\n $ mkfs.btrfs -f -n 65536 /dev/sdc\n $ mount /dev/sdc /mnt\n\n # \"testdir\" is inode 257.\n $ mkdir /mnt/testdir\n $ chmod 755 /mnt/testdir\n\n # Create several empty files to have the directory \"testdir\" with its\n # items spread over several leaves (7 in this case).\n $ for ((i = 1; i \u003c= 1200; i++)); do\n echo -n \u003e /mnt/testdir/file$i\n done\n\n # Create our test directory \"dira\", inode number 1458, which gets all\n # its items in leaf 7.\n #\n # The BTRFS_DIR_ITEM_KEY item for inode 257 (\"testdir\") that points to\n # the entry named \"dira\" is in leaf 2, while the BTRFS_DIR_INDEX_KEY\n # item that points to that entry is in leaf 3.\n #\n # For this particular filesystem node size (64K), file count and file\n # names, we endup with the directory entry items from inode 257 in\n # leaves 2 and 3, as previously mentioned - what matters for triggering\n # the bug exercised by this test case is that those items are not placed\n # in leaf 1, they must be placed in a leaf different from the one\n # containing the inode item for inode 257.\n #\n # The corresponding BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY items for\n # the parent inode (257) are the following:\n #\n # item 460 key (257 DIR_ITEM 3724298081) itemoff 48344 itemsize 34\n # location key (1458 INODE_ITEM 0) type DIR\n # transid 6 data_len 0 name_len 4\n # name: dira\n #\n # and:\n #\n # item 771 key (257 DIR_INDEX 1202) itemoff 36673 itemsize 34\n # location key (1458 INODE_ITEM 0) type DIR\n # transid 6 data_len 0 name_len 4\n # name: dira\n\n $ mkdir /mnt/testdir/dira\n\n # Make sure everything done so far is durably persisted.\n $ sync\n\n # Now do a change to inode 257 (\"testdir\") that does not result in\n # COWing leaves 2 and 3 - the leaves that contain the directory items\n # pointing to inode 1458 (directory \"dira\").\n #\n # Changing permissions, the owner/group, updating or adding a xattr,\n # etc, will not change (COW) leaves 2 and 3. So for the sake of\n # simplicity change the permissions of inode 257, which results in\n # updating its inode item and therefore change (COW) only leaf 1.\n\n $ chmod 700 /mnt/testdir\n\n # Now fsync directory inode 257.\n #\n # Since only the first leaf was changed/COWed, we log the inode item of\n # inode 257 and only the dentries found in the first leaf, all have a\n # key type of BTRFS_DIR_ITEM_KEY, and no keys of type\n # BTRFS_DIR_INDEX_KEY, because they sort after the former type and none\n # exist in the first leaf.\n #\n # We also log 3 items that represent ranges for dir items and dir\n # indexes for which the log is authoritative:\n #\n # 1) a key of type BTRFS_DIR_LOG_ITEM_KEY, which indicates the log is\n # authoritative for all BTRFS_DIR_ITEM_KEY keys that have an offset\n # in the range [0, 2285968570] (the offset here is th\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:43.837Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6d0924c5b742036b4f20a0ffdf2b6cf3f963f5f6" }, { "url": "https://git.kernel.org/stable/c/54a40fc3a1da21b52dbf19f72fdc27a2ec740760" } ], "title": "btrfs: fix removed dentries still existing after log is synced", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47072", "datePublished": "2024-03-01T21:15:10.710Z", "dateReserved": "2024-02-29T22:33:44.297Z", "dateUpdated": "2024-12-19T07:34:43.837Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52566
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the
reference count of bh when the call to nilfs_dat_translate() fails. If
the reference count hits 0 and its owner page gets unlocked, bh may be
freed. However, bh->b_page is dereferenced to put the page after that,
which may result in a use-after-free bug. This patch moves the release
operation after unlocking and putting the page.
NOTE: The function in question is only called in GC, and in combination
with current userland tools, address translation using DAT does not occur
in that function, so the code path that causes this issue will not be
executed. However, it is possible to run that code path by intentionally
modifying the userland GC library or by calling the GC ioctl directly.
[konishi.ryusuke@gmail.com: NOTE added to the commit log]
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a3d93f709e893187d301aa5458b2248db9f22bd1 Version: a3d93f709e893187d301aa5458b2248db9f22bd1 Version: a3d93f709e893187d301aa5458b2248db9f22bd1 Version: a3d93f709e893187d301aa5458b2248db9f22bd1 Version: a3d93f709e893187d301aa5458b2248db9f22bd1 Version: a3d93f709e893187d301aa5458b2248db9f22bd1 Version: a3d93f709e893187d301aa5458b2248db9f22bd1 Version: a3d93f709e893187d301aa5458b2248db9f22bd1 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52566", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T14:54:19.803278Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T14:43:57.106Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:21.025Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nilfs2/gcinode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fb1084e63ee56958b0a56e17a50a4fd86445b9c1", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" }, { "lessThan": "bb61224f6abc8e71bfdf06d7c984e23460875f5b", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" }, { "lessThan": "193b5a1c6c67c36b430989dc063fe7ea4e200a33", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" }, { "lessThan": "7130a87ca32396eb9bf48b71a2d42259ae44c6c7", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" }, { "lessThan": "3936e8714907cd55e37c7cc50e50229e4a9042e8", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" }, { "lessThan": "980663f1d189eedafd18d80053d9cf3e2ceb5c8c", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" }, { "lessThan": "28df4646ad8b433340772edc90ca709cdefc53e2", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" }, { "lessThan": "7ee29facd8a9c5a26079148e36bcf07141b3a6bc", "status": "affected", "version": "a3d93f709e893187d301aa5458b2248db9f22bd1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nilfs2/gcinode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.30" }, { "lessThan": "2.6.30", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.327", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.296", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.258", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.198", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails. If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed. However, bh-\u003eb_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug. This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted. However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:45.971Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1" }, { "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b" }, { "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33" }, { "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7" }, { "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8" }, { "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c" }, { "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2" }, { "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc" } ], "title": "nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52566", "datePublished": "2024-03-02T21:59:38.167Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-12-19T08:21:45.971Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-47081
Vulnerability from cvelistv5
Published
2024-03-01 21:15
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
habanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory
Our code analyzer reported a uaf.
In gaudi_memset_device_memory, cb is get via hl_cb_kernel_create()
with 2 refcount.
If hl_cs_allocate_job() failed, the execution runs into release_cb
branch. One ref of cb is dropped by hl_cb_put(cb) and could be freed
if other thread also drops one ref. Then cb is used by cb->id later,
which is a potential uaf.
My patch add a variable 'id' to accept the value of cb->id before the
hl_cb_put(cb) is called, to avoid the potential uaf.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47081", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T19:32:29.244809Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:14:15.058Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.774Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b49f5af30b0e4064fbd91e83823a4bfcb2c7a3e7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/115726c5d312b462c9d9931ea42becdfa838a076" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/misc/habanalabs/gaudi/gaudi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b49f5af30b0e4064fbd91e83823a4bfcb2c7a3e7", "status": "affected", "version": "423815bf02e257091d5337be5c63b57fc29e4254", "versionType": "git" }, { "lessThan": "115726c5d312b462c9d9931ea42becdfa838a076", "status": "affected", "version": "423815bf02e257091d5337be5c63b57fc29e4254", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/misc/habanalabs/gaudi/gaudi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory\n\nOur code analyzer reported a uaf.\n\nIn gaudi_memset_device_memory, cb is get via hl_cb_kernel_create()\nwith 2 refcount.\nIf hl_cs_allocate_job() failed, the execution runs into release_cb\nbranch. One ref of cb is dropped by hl_cb_put(cb) and could be freed\nif other thread also drops one ref. Then cb is used by cb-\u003eid later,\nwhich is a potential uaf.\n\nMy patch add a variable \u0027id\u0027 to accept the value of cb-\u003eid before the\nhl_cb_put(cb) is called, to avoid the potential uaf." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:53.893Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b49f5af30b0e4064fbd91e83823a4bfcb2c7a3e7" }, { "url": "https://git.kernel.org/stable/c/115726c5d312b462c9d9931ea42becdfa838a076" } ], "title": "habanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47081", "datePublished": "2024-03-01T21:15:16.684Z", "dateReserved": "2024-02-29T22:33:44.298Z", "dateUpdated": "2024-12-19T07:34:53.893Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52526
Vulnerability from cvelistv5
Published
2024-03-02 21:52
Modified
2024-12-19 08:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix memory leak of LZMA global compressed deduplication
When stressing microLZMA EROFS images with the new global compressed
deduplication feature enabled (`-Ededupe`), I found some short-lived
temporary pages weren't properly released, which could slowly cause
unexpected OOMs hours later.
Let's fix it now (LZ4 and DEFLATE don't have this issue.)
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52526", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T14:37:17.181611Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:24.983Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.817Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/erofs/decompressor_lzma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6a5a8f0a9740f865693d5aa97a42cc4504538e18", "status": "affected", "version": "5c2a64252c5dc4cfe78e5b2a531c118894e3d155", "versionType": "git" }, { "lessThan": "c955751cbf864cf2055117dd3fe7f780d2a57b56", "status": "affected", "version": "5c2a64252c5dc4cfe78e5b2a531c118894e3d155", "versionType": "git" }, { "lessThan": "75a5221630fe5aa3fedba7a06be618db0f79ba1e", "status": "affected", "version": "5c2a64252c5dc4cfe78e5b2a531c118894e3d155", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/erofs/decompressor_lzma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.57", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix memory leak of LZMA global compressed deduplication\n\nWhen stressing microLZMA EROFS images with the new global compressed\ndeduplication feature enabled (`-Ededupe`), I found some short-lived\ntemporary pages weren\u0027t properly released, which could slowly cause\nunexpected OOMs hours later.\n\nLet\u0027s fix it now (LZ4 and DEFLATE don\u0027t have this issue.)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:21:29.277Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18" }, { "url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56" }, { "url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e" } ], "title": "erofs: fix memory leak of LZMA global compressed deduplication", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52526", "datePublished": "2024-03-02T21:52:32.261Z", "dateReserved": "2024-02-20T12:30:33.318Z", "dateUpdated": "2024-12-19T08:21:29.277Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.