Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-0773
Vulnerability from csaf_certbund
Published
2024-04-03 22:00
Modified
2024-07-24 22:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder einen nicht näher spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0773 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0773.json" }, { "category": "self", "summary": "WID-SEC-2024-0773 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0773" }, { "category": "external", "summary": "GitHub Advisory GHSA-4fj7-85cf-9m8p vom 2024-04-03", "url": "https://github.com/advisories/GHSA-4fj7-85cf-9m8p" }, { "category": "external", "summary": "Red Hat Bugtracker #2273072 vom 2024-04-03", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273072" }, { "category": "external", "summary": "Red Hat Bugtracker #2273076 vom 2024-04-03", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273076" }, { "category": "external", "summary": "Red Hat Bugtracker #2273074 vom 2024-04-03", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273074" }, { "category": "external", "summary": "GitHub Advisory GHSA-37h8-63p8-qhhg vom 2024-04-03", "url": "https://github.com/advisories/GHSA-37h8-63p8-qhhg" }, { "category": "external", "summary": "Linux Kernel CVE Announcements vom 2024-04-03", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1322-1 vom 2024-04-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018374.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1332-2 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018378.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1322-2 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018377.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1332-1 vom 2024-04-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018376.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1454-1 vom 2024-04-26", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018431.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1466-1 vom 2024-04-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018438.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1480-1 vom 2024-04-30", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018444.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1490-1 vom 2024-05-03", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018445.html" }, { "category": "external", "summary": "Debian Security Advisory DSA-5681 vom 2024-05-06", "url": "https://lists.debian.org/debian-security-announce/2024/msg00090.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6765-1 vom 2024-05-07", "url": "https://ubuntu.com/security/notices/USN-6765-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6767-1 vom 2024-05-07", "url": "https://ubuntu.com/security/notices/USN-6767-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6766-1 vom 2024-05-07", "url": "https://ubuntu.com/security/notices/USN-6766-1" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-12380 vom 2024-05-14", "url": "http://linux.oracle.com/errata/ELSA-2024-12380.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6767-2 vom 2024-05-14", "url": "https://ubuntu.com/security/notices/USN-6767-2" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1645-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018527.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1647-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018525.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1642-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018530.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1641-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018531.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1646-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018526.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1648-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018524.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1643-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018529.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1644-1 vom 2024-05-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018528.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1650-1 vom 2024-05-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018533.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1659-1 vom 2024-05-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018538.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6766-2 vom 2024-05-15", "url": "https://ubuntu.com/security/notices/USN-6766-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6774-1 vom 2024-05-16", "url": "https://ubuntu.com/security/notices/USN-6774-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6778-1 vom 2024-05-16", "url": "https://ubuntu.com/security/notices/USN-6778-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-1 vom 2024-05-16", "url": "https://ubuntu.com/security/notices/USN-6777-1" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1682-1 vom 2024-05-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018546.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1677-1 vom 2024-05-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018543.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1695-1 vom 2024-05-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018549.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1685-1 vom 2024-05-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018553.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1680-1 vom 2024-05-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018547.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6766-3 vom 2024-05-20", "url": "https://ubuntu.com/security/notices/USN-6766-3" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1679-1 vom 2024-05-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018544.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-2 vom 2024-05-20", "url": "https://ubuntu.com/security/notices/USN-6777-2" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1705-1 vom 2024-05-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018565.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1711-1 vom 2024-05-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018571.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1726-1 vom 2024-05-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018577.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1740-1 vom 2024-05-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018579.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1739-1 vom 2024-05-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018580.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-3 vom 2024-05-22", "url": "https://ubuntu.com/security/notices/USN-6777-3" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1648-2 vom 2024-05-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018572.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1748-1 vom 2024-05-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018589.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1749-1 vom 2024-05-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018587.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1759-1 vom 2024-05-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018592.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1750-1 vom 2024-05-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018586.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1753-1 vom 2024-05-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018584.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1757-1 vom 2024-05-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018593.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3306 vom 2024-05-23", "url": "https://access.redhat.com/errata/RHSA-2024:3306" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6777-4 vom 2024-05-23", "url": "https://ubuntu.com/security/notices/USN-6777-4" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-3306 vom 2024-05-25", "url": "https://linux.oracle.com/errata/ELSA-2024-3306.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6795-1 vom 2024-05-28", "url": "https://ubuntu.com/security/notices/USN-6795-1" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3460 vom 2024-05-29", "url": "https://access.redhat.com/errata/RHSA-2024:3460" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3461 vom 2024-05-29", "url": "https://access.redhat.com/errata/RHSA-2024:3461" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1870-1 vom 2024-05-30", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018634.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALASKERNEL-5.4-2024-068 vom 2024-05-30", "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-068.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3618 vom 2024-06-05", "url": "https://access.redhat.com/errata/RHSA-2024:3618" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3619 vom 2024-06-05", "url": "https://access.redhat.com/errata/RHSA-2024:3619" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-12377 vom 2024-06-05", "url": "https://oss.oracle.com/pipermail/el-errata/2024-June/015801.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-12377 vom 2024-06-05", "url": "https://oss.oracle.com/pipermail/el-errata/2024-June/015802.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:3627 vom 2024-06-05", "url": "https://access.redhat.com/errata/RHSA-2024:3627" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-12385 vom 2024-06-05", "url": "https://oss.oracle.com/pipermail/el-errata/2024-June/015807.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-12385 vom 2024-06-05", "url": "https://oss.oracle.com/pipermail/el-errata/2024-June/015806.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-3619 vom 2024-06-07", "url": "http://linux.oracle.com/errata/ELSA-2024-3619.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-3618 vom 2024-06-06", "url": "https://linux.oracle.com/errata/ELSA-2024-3618.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6821-1 vom 2024-06-08", "url": "https://ubuntu.com/security/notices/USN-6821-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6820-1 vom 2024-06-08", "url": "https://ubuntu.com/security/notices/USN-6820-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6816-1 vom 2024-06-08", "url": "https://ubuntu.com/security/notices/USN-6816-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6819-1 vom 2024-06-08", "url": "https://ubuntu.com/security/notices/USN-6819-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6817-1 vom 2024-06-08", "url": "https://ubuntu.com/security/notices/USN-6817-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6818-1 vom 2024-06-08", "url": "https://ubuntu.com/security/notices/USN-6818-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6818-2 vom 2024-06-10", "url": "https://ubuntu.com/security/notices/USN-6818-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6821-2 vom 2024-06-10", "url": "https://ubuntu.com/security/notices/USN-6821-2" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1979-1 vom 2024-06-11", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018685.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6817-2 vom 2024-06-11", "url": "https://ubuntu.com/security/notices/USN-6817-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6821-3 vom 2024-06-11", "url": "https://ubuntu.com/security/notices/USN-6821-3" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:1983-1 vom 2024-06-11", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018700.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6828-1 vom 2024-06-11", "url": "https://ubuntu.com/security/notices/USN-6828-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6820-2 vom 2024-06-11", "url": "https://ubuntu.com/security/notices/USN-6820-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6819-2 vom 2024-06-12", "url": "https://ubuntu.com/security/notices/USN-6819-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6831-1 vom 2024-06-12", "url": "https://ubuntu.com/security/notices/USN-6831-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6819-3 vom 2024-06-12", "url": "https://ubuntu.com/security/notices/USN-6819-3" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2008-1 vom 2024-06-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018706.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6818-3 vom 2024-06-14", "url": "https://ubuntu.com/security/notices/USN-6818-3" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6817-3 vom 2024-06-14", "url": "https://ubuntu.com/security/notices/USN-6817-3" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6821-4 vom 2024-06-14", "url": "https://ubuntu.com/security/notices/USN-6821-4" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6818-4 vom 2024-06-19", "url": "https://ubuntu.com/security/notices/USN-6818-4" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2092-1 vom 2024-06-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018765.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2162-1 vom 2024-06-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018785.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2135-1 vom 2024-06-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018783.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2163-1 vom 2024-06-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018784.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2184-1 vom 2024-06-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018807.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2189-1 vom 2024-06-25", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018811.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2190-1 vom 2024-06-25", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018819.html" }, { "category": "external", "summary": "Debian Security Advisory DLA-3842 vom 2024-06-25", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2207-1 vom 2024-06-25", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018824.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6819-4 vom 2024-06-26", "url": "https://ubuntu.com/security/notices/USN-6819-4" }, { "category": "external", "summary": "Debian Security Advisory DLA-3840 vom 2024-06-27", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4211 vom 2024-07-02", "url": "https://access.redhat.com/errata/RHSA-2024:4211" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-4211 vom 2024-07-03", "url": "https://linux.oracle.com/errata/ELSA-2024-4211.html" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-022 vom 2024-07-03", "url": "https://www.dell.com/support/kbdoc/de-de/000226633/dsa-2024-022-security-update-for-dell-networker-vproxy-multiple-component-vulnerabilities" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6871-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6871-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6872-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6872-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6873-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6873-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6866-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6866-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6865-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6865-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6874-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6874-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6872-2 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6872-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6873-2 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6873-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6866-2 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6866-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6878-1 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6878-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6865-2 vom 2024-07-04", "url": "https://ubuntu.com/security/notices/USN-6865-2" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4349 vom 2024-07-08", "url": "https://access.redhat.com/errata/RHSA-2024:4349" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4352 vom 2024-07-08", "url": "https://access.redhat.com/errata/RHSA-2024:4352" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-4349 vom 2024-07-09", "url": "https://linux.oracle.com/errata/ELSA-2024-4349.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2337-1 vom 2024-07-08", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018881.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2372-1 vom 2024-07-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018901.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2360-1 vom 2024-07-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018907.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4447 vom 2024-07-10", "url": "https://access.redhat.com/errata/RHSA-2024:4447" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2381-1 vom 2024-07-10", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018916.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6892-1 vom 2024-07-10", "url": "https://ubuntu.com/security/notices/USN-6892-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6866-3 vom 2024-07-10", "url": "https://ubuntu.com/security/notices/USN-6866-3" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4321 vom 2024-07-10", "url": "https://access.redhat.com/errata/RHSA-2024:4321" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2394-1 vom 2024-07-10", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018922.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2385-1 vom 2024-07-10", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018920.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4533 vom 2024-07-15", "url": "https://access.redhat.com/errata/RHSA-2024:4533" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2448-1 vom 2024-07-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018945.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2447-1 vom 2024-07-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018946.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2446-1 vom 2024-07-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018947.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-1 vom 2024-07-12", "url": "https://ubuntu.com/security/notices/USN-6896-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6895-1 vom 2024-07-12", "url": "https://ubuntu.com/security/notices/USN-6895-1" }, { "category": "external", "summary": "Rocky Linux Security Advisory RLSA-2024:4349 vom 2024-07-15", "url": "https://errata.build.resf.org/RLSA-2024:4349" }, { "category": "external", "summary": "Rocky Linux Security Advisory RLSA-2024:4352 vom 2024-07-15", "url": "https://errata.build.resf.org/RLSA-2024:4352" }, { "category": "external", "summary": "Rocky Linux Security Advisory RLSA-2024:4211 vom 2024-07-15", "url": "https://errata.build.resf.org/RLSA-2024:4211" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6898-1 vom 2024-07-15", "url": "https://ubuntu.com/security/notices/USN-6898-1" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4554 vom 2024-07-16", "url": "https://access.redhat.com/errata/RHSA-2024:4554" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2495-1 vom 2024-07-16", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018982.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6895-2 vom 2024-07-16", "url": "https://ubuntu.com/security/notices/USN-6895-2" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4583 vom 2024-07-17", "url": "https://access.redhat.com/errata/RHSA-2024:4583" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-2 vom 2024-07-16", "url": "https://ubuntu.com/security/notices/USN-6896-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-3 vom 2024-07-17", "url": "https://ubuntu.com/security/notices/USN-6896-3" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6900-1 vom 2024-07-17", "url": "https://ubuntu.com/security/notices/USN-6900-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6898-2 vom 2024-07-17", "url": "https://ubuntu.com/security/notices/USN-6898-2" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-4583 vom 2024-07-19", "url": "https://linux.oracle.com/errata/ELSA-2024-4583.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2561-1 vom 2024-07-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019001.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4631 vom 2024-07-18", "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6898-3 vom 2024-07-19", "url": "https://ubuntu.com/security/notices/USN-6898-3" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6895-3 vom 2024-07-19", "url": "https://ubuntu.com/security/notices/USN-6895-3" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-4 vom 2024-07-19", "url": "https://ubuntu.com/security/notices/USN-6896-4" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:2571-1 vom 2024-07-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019019.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6896-5 vom 2024-07-23", "url": "https://ubuntu.com/security/notices/USN-6896-5" }, { "category": "external", "summary": "Ubuntu Security Notice USN-6898-4 vom 2024-07-23", "url": "https://ubuntu.com/security/notices/USN-6898-4" }, { "category": "external", "summary": "SEM 2024.2.1 release notes vom 2024-07-23", "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2024-2-1_release_notes.htm" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4740 vom 2024-07-24", "url": "https://access.redhat.com/errata/RHSA-2024:4740" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4831 vom 2024-07-24", "url": "https://access.redhat.com/errata/RHSA-2024:4831" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4823 vom 2024-07-24", "url": "https://access.redhat.com/errata/RHSA-2024:4823" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-07-24T22:00:00.000+00:00", "generator": { "date": "2024-07-25T08:35:37.135+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0773", "initial_release_date": "2024-04-03T22:00:00.000+00:00", "revision_history": [ { "date": "2024-04-03T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-04-04T22:00:00.000+00:00", "number": "2", "summary": "CVE-2024-26752 erg\u00e4nzt" }, { "date": "2024-04-16T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-18T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-28T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-04-29T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-01T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-02T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-06T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2024-05-07T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-05-13T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-05-14T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-15T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von SUSE und Ubuntu aufgenommen" }, { "date": "2024-05-16T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-05-20T22:00:00.000+00:00", "number": "15", "summary": "Neue Updates von SUSE und Ubuntu aufgenommen" }, { "date": "2024-05-21T22:00:00.000+00:00", "number": "16", "summary": "Neue Updates von SUSE und Ubuntu aufgenommen" }, { "date": "2024-05-22T22:00:00.000+00:00", "number": "17", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-05-23T22:00:00.000+00:00", "number": "18", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-05-26T22:00:00.000+00:00", "number": "19", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-05-28T22:00:00.000+00:00", "number": "20", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-05-30T22:00:00.000+00:00", "number": "21", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-04T22:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-06-05T22:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-06-06T22:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-06-09T22:00:00.000+00:00", "number": "25", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-06-10T22:00:00.000+00:00", "number": "26", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-06-11T22:00:00.000+00:00", "number": "27", "summary": "Neue Updates von Ubuntu und SUSE aufgenommen" }, { "date": "2024-06-12T22:00:00.000+00:00", "number": "28", "summary": "Neue Updates von Ubuntu und SUSE aufgenommen" }, { "date": "2024-06-16T22:00:00.000+00:00", "number": "29", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-06-18T22:00:00.000+00:00", "number": "30", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-06-19T22:00:00.000+00:00", "number": "31", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-23T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-24T22:00:00.000+00:00", "number": "33", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-06-25T22:00:00.000+00:00", "number": "34", "summary": "Neue Updates von SUSE und Debian aufgenommen" }, { "date": "2024-06-26T22:00:00.000+00:00", "number": "35", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-06-27T22:00:00.000+00:00", "number": "36", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2024-07-01T22:00:00.000+00:00", "number": "37", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-07-02T22:00:00.000+00:00", "number": "38", "summary": "Neue Updates von Oracle Linux und Dell aufgenommen" }, { "date": "2024-07-03T22:00:00.000+00:00", "number": "39", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-07-04T22:00:00.000+00:00", "number": "40", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-07-07T22:00:00.000+00:00", "number": "41", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-07-08T22:00:00.000+00:00", "number": "42", "summary": "Neue Updates von Oracle Linux und SUSE aufgenommen" }, { "date": "2024-07-09T22:00:00.000+00:00", "number": "43", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-07-10T22:00:00.000+00:00", "number": "44", "summary": "Neue Updates von Ubuntu, Red Hat und SUSE aufgenommen" }, { "date": "2024-07-14T22:00:00.000+00:00", "number": "45", "summary": "Neue Updates von Red Hat, SUSE und Ubuntu aufgenommen" }, { "date": "2024-07-15T22:00:00.000+00:00", "number": "46", "summary": "Neue Updates von Rocky Enterprise Software Foundation, Ubuntu und Red Hat aufgenommen" }, { "date": "2024-07-16T22:00:00.000+00:00", "number": "47", "summary": "Neue Updates von Red Hat und Ubuntu aufgenommen" }, { "date": "2024-07-17T22:00:00.000+00:00", "number": "48", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-07-18T22:00:00.000+00:00", "number": "49", "summary": "Neue Updates von Oracle Linux, SUSE und Red Hat aufgenommen" }, { "date": "2024-07-22T22:00:00.000+00:00", "number": "50", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-07-23T22:00:00.000+00:00", "number": "51", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-07-24T22:00:00.000+00:00", "number": "52", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "52" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c19.11", "product": { "name": "Dell NetWorker \u003c19.11", "product_id": "T035785", "product_identification_helper": { "cpe": "cpe:/a:dell:networker:19.11" } } } ], "category": "product_name", "name": "NetWorker" } ], "category": "vendor", "name": "Dell" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T033861", "product_identification_helper": { "cpe": "cpe:/o:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "RESF Rocky Linux", "product": { "name": "RESF Rocky Linux", "product_id": "T032255", "product_identification_helper": { "cpe": "cpe:/o:resf:rocky_linux:-" } } } ], "category": "vendor", "name": "RESF" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c2024.2", "product": { "name": "SolarWinds Security Event Manager \u003c2024.2", "product_id": "T034244", "product_identification_helper": { "cpe": "cpe:/a:solarwinds:security_event_manager:2024.2" } } } ], "category": "product_name", "name": "Security Event Manager" } ], "category": "vendor", "name": "SolarWinds" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-3061", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2022-3061" }, { "cve": "CVE-2024-26685", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26685" }, { "cve": "CVE-2024-26686", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26686" }, { "cve": "CVE-2024-26687", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26687" }, { "cve": "CVE-2024-26688", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26688" }, { "cve": "CVE-2024-26689", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26689" }, { "cve": "CVE-2024-26690", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26690" }, { "cve": "CVE-2024-26691", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26691" }, { "cve": "CVE-2024-26692", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26692" }, { "cve": "CVE-2024-26693", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26693" }, { "cve": "CVE-2024-26694", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26694" }, { "cve": "CVE-2024-26695", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26695" }, { "cve": "CVE-2024-26696", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26696" }, { "cve": "CVE-2024-26697", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26697" }, { "cve": "CVE-2024-26698", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26698" }, { "cve": "CVE-2024-26699", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26699" }, { "cve": "CVE-2024-26700", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26700" }, { "cve": "CVE-2024-26701", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26701" }, { "cve": "CVE-2024-26702", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26702" }, { "cve": "CVE-2024-26703", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26703" }, { "cve": "CVE-2024-26704", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26704" }, { "cve": "CVE-2024-26705", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26705" }, { "cve": "CVE-2024-26706", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26706" }, { "cve": "CVE-2024-26707", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26707" }, { "cve": "CVE-2024-26708", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26708" }, { "cve": "CVE-2024-26709", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26709" }, { "cve": "CVE-2024-26710", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26710" }, { "cve": "CVE-2024-26711", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26711" }, { "cve": "CVE-2024-26712", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26712" }, { "cve": "CVE-2024-26713", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26713" }, { "cve": "CVE-2024-26714", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26714" }, { "cve": "CVE-2024-26715", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26715" }, { "cve": "CVE-2024-26716", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26716" }, { "cve": "CVE-2024-26717", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26717" }, { "cve": "CVE-2024-26718", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26718" }, { "cve": "CVE-2024-26719", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26719" }, { "cve": "CVE-2024-26720", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26720" }, { "cve": "CVE-2024-26721", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26721" }, { "cve": "CVE-2024-26722", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26722" }, { "cve": "CVE-2024-26723", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26723" }, { "cve": "CVE-2024-26724", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26724" }, { "cve": "CVE-2024-26725", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26725" }, { "cve": "CVE-2024-26726", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26726" }, { "cve": "CVE-2024-26727", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26727" }, { "cve": "CVE-2024-26728", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26728" }, { "cve": "CVE-2024-26729", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26729" }, { "cve": "CVE-2024-26730", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26730" }, { "cve": "CVE-2024-26731", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26731" }, { "cve": "CVE-2024-26732", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26732" }, { "cve": "CVE-2024-26733", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26733" }, { "cve": "CVE-2024-26734", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26734" }, { "cve": "CVE-2024-26735", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26735" }, { "cve": "CVE-2024-26736", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26736" }, { "cve": "CVE-2024-26737", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26737" }, { "cve": "CVE-2024-26738", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26738" }, { "cve": "CVE-2024-26739", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26739" }, { "cve": "CVE-2024-26740", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26740" }, { "cve": "CVE-2024-26741", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26741" }, { "cve": "CVE-2024-26742", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26742" }, { "cve": "CVE-2024-26743", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26743" }, { "cve": "CVE-2024-26744", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26744" }, { "cve": "CVE-2024-26745", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26745" }, { "cve": "CVE-2024-26746", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26746" }, { "cve": "CVE-2024-26747", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26747" }, { "cve": "CVE-2024-26748", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26748" }, { "cve": "CVE-2024-26749", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26749" }, { "cve": "CVE-2024-26750", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26750" }, { "cve": "CVE-2024-26751", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26751" }, { "cve": "CVE-2024-26752", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26752" }, { "cve": "CVE-2024-26753", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26753" }, { "cve": "CVE-2024-26754", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26754" }, { "cve": "CVE-2024-26755", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26755" }, { "cve": "CVE-2024-26756", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26756" }, { "cve": "CVE-2024-26757", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26757" }, { "cve": "CVE-2024-26758", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26758" }, { "cve": "CVE-2024-26759", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26759" }, { "cve": "CVE-2024-26760", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26760" }, { "cve": "CVE-2024-26761", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26761" }, { "cve": "CVE-2024-26762", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26762" }, { "cve": "CVE-2024-26763", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26763" }, { "cve": "CVE-2024-26764", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26764" }, { "cve": "CVE-2024-26765", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26765" }, { "cve": "CVE-2024-26766", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26766" }, { "cve": "CVE-2024-26767", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26767" }, { "cve": "CVE-2024-26768", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26768" }, { "cve": "CVE-2024-26769", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26769" }, { "cve": "CVE-2024-26770", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26770" }, { "cve": "CVE-2024-26771", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26771" }, { "cve": "CVE-2024-26772", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26772" }, { "cve": "CVE-2024-26773", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26773" }, { "cve": "CVE-2024-26774", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26774" }, { "cve": "CVE-2024-26775", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26775" }, { "cve": "CVE-2024-26776", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26776" }, { "cve": "CVE-2024-26777", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26777" }, { "cve": "CVE-2024-26778", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26778" }, { "cve": "CVE-2024-26779", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26779" }, { "cve": "CVE-2024-26780", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26780" }, { "cve": "CVE-2024-26781", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26781" }, { "cve": "CVE-2024-26782", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26782" }, { "cve": "CVE-2024-26783", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26783" }, { "cve": "CVE-2024-26784", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26784" }, { "cve": "CVE-2024-26785", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26785" }, { "cve": "CVE-2024-26786", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26786" }, { "cve": "CVE-2024-26787", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26787" }, { "cve": "CVE-2024-26788", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26788" }, { "cve": "CVE-2024-26789", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26789" }, { "cve": "CVE-2024-26790", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26790" }, { "cve": "CVE-2024-26791", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26791" }, { "cve": "CVE-2024-26792", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26792" }, { "cve": "CVE-2024-26793", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26793" }, { "cve": "CVE-2024-26794", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26794" }, { "cve": "CVE-2024-26795", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26795" }, { "cve": "CVE-2024-26796", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26796" }, { "cve": "CVE-2024-26797", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26797" }, { "cve": "CVE-2024-26798", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26798" }, { "cve": "CVE-2024-26799", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26799" }, { "cve": "CVE-2024-26800", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26800" }, { "cve": "CVE-2024-26801", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26801" }, { "cve": "CVE-2024-26802", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26802" }, { "cve": "CVE-2024-26803", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26803" }, { "cve": "CVE-2024-26804", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26804" }, { "cve": "CVE-2024-26805", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26805" }, { "cve": "CVE-2024-26806", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26806" }, { "cve": "CVE-2024-26807", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26807" }, { "cve": "CVE-2024-26808", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26808" }, { "cve": "CVE-2024-26809", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie powerpc/kasan, KVM oder nilfs2, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einem \"Use after Free\" oder einem Deadlock. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T004914", "T032255", "T033861", "T035785", "T034244" ] }, "release_date": "2024-04-03T22:00:00Z", "title": "CVE-2024-26809" } ] }
cve-2024-26760
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: pscsi: Fix bio_put() for error case
As of commit 066ff571011d ("block: turn bio_kmalloc into a simple kmalloc
wrapper"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()
and kfree(). That is not done properly for the error case, hitting WARN and
NULL pointer dereference in bio_free().
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.227Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f49b20fd0134da84a6bd8108f9e73c077b7d6231" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4ebc079f0c7dcda1270843ab0f38ab4edb8f7921" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/de959094eb2197636f7c803af0943cb9d3b35804" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26760", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:34.318502Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:14.606Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/target/target_core_pscsi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f49b20fd0134da84a6bd8108f9e73c077b7d6231", "status": "affected", "version": "066ff571011d8416e903d3d4f1f41e0b5eb91e1d", "versionType": "git" }, { "lessThan": "4ebc079f0c7dcda1270843ab0f38ab4edb8f7921", "status": "affected", "version": "066ff571011d8416e903d3d4f1f41e0b5eb91e1d", "versionType": "git" }, { "lessThan": "1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec", "status": "affected", "version": "066ff571011d8416e903d3d4f1f41e0b5eb91e1d", "versionType": "git" }, { "lessThan": "de959094eb2197636f7c803af0943cb9d3b35804", "status": "affected", "version": "066ff571011d8416e903d3d4f1f41e0b5eb91e1d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/target/target_core_pscsi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: pscsi: Fix bio_put() for error case\n\nAs of commit 066ff571011d (\"block: turn bio_kmalloc into a simple kmalloc\nwrapper\"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()\nand kfree(). That is not done properly for the error case, hitting WARN and\nNULL pointer dereference in bio_free()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:38.962Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f49b20fd0134da84a6bd8108f9e73c077b7d6231" }, { "url": "https://git.kernel.org/stable/c/4ebc079f0c7dcda1270843ab0f38ab4edb8f7921" }, { "url": "https://git.kernel.org/stable/c/1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec" }, { "url": "https://git.kernel.org/stable/c/de959094eb2197636f7c803af0943cb9d3b35804" } ], "title": "scsi: target: pscsi: Fix bio_put() for error case", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26760", "datePublished": "2024-04-03T17:00:44.230Z", "dateReserved": "2024-02-19T14:20:24.171Z", "dateUpdated": "2024-12-19T08:46:38.962Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26719
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nouveau: offload fence uevents work to workqueue
This should break the deadlock between the fctx lock and the irq lock.
This offloads the processing off the work from the irq into a workqueue.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26719", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:06:27.723285Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:20.316Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.594Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/nouveau/nouveau_fence.c", "drivers/gpu/drm/nouveau/nouveau_fence.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "985d053f7633d8b539ab1531738d538efac678a9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "39126abc5e20611579602f03b66627d7cd1422f0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/nouveau/nouveau_fence.c", "drivers/gpu/drm/nouveau/nouveau_fence.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:48.514Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" }, { "url": "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9" }, { "url": "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0" } ], "title": "nouveau: offload fence uevents work to workqueue", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26719", "datePublished": "2024-04-03T14:55:19.556Z", "dateReserved": "2024-02-19T14:20:24.161Z", "dateUpdated": "2024-12-19T08:45:48.514Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26712
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kasan: Fix addr error caused by page alignment
In kasan_init_region, when k_start is not page aligned, at the begin of
for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then
`va = block + k_cur - k_start` is less than block, the addr va is invalid,
because the memory address space from va to block is not alloced by
memblock_alloc, which will not be reserved by memblock_reserve later, it
will be used by other places.
As a result, memory overwriting occurs.
for example:
int __init __weak kasan_init_region(void *start, size_t size)
{
[...]
/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */
block = memblock_alloc(k_end - k_start, PAGE_SIZE);
[...]
for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
/* at the begin of for loop
* block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)
* va(dcd96c00) is less than block(dcd97000), va is invalid
*/
void *va = block + k_cur - k_start;
[...]
}
[...]
}
Therefore, page alignment is performed on k_start before
memblock_alloc() to ensure the validity of the VA address.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 663c0c9496a69f80011205ba3194049bcafd681d Version: 663c0c9496a69f80011205ba3194049bcafd681d Version: 663c0c9496a69f80011205ba3194049bcafd681d Version: 663c0c9496a69f80011205ba3194049bcafd681d Version: 663c0c9496a69f80011205ba3194049bcafd681d Version: 663c0c9496a69f80011205ba3194049bcafd681d |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26712", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:22:01.316380Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-05T15:47:32.026Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.618Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/230e89b5ad0a33f530a2a976b3e5e4385cb27882" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2738e0aa2fb24a7ab9c878d912dc2b239738c6c6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0c09912dd8387e228afcc5e34ac5d79b1e3a1058" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0516c06b19dc64807c10e01bb99b552bdf2d7dbe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70ef2ba1f4286b2b73675aeb424b590c92d57b25" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/mm/kasan/init_32.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "230e89b5ad0a33f530a2a976b3e5e4385cb27882", "status": "affected", "version": "663c0c9496a69f80011205ba3194049bcafd681d", "versionType": "git" }, { "lessThan": "2738e0aa2fb24a7ab9c878d912dc2b239738c6c6", "status": "affected", "version": "663c0c9496a69f80011205ba3194049bcafd681d", "versionType": "git" }, { "lessThan": "0c09912dd8387e228afcc5e34ac5d79b1e3a1058", "status": "affected", "version": "663c0c9496a69f80011205ba3194049bcafd681d", "versionType": "git" }, { "lessThan": "0516c06b19dc64807c10e01bb99b552bdf2d7dbe", "status": "affected", "version": "663c0c9496a69f80011205ba3194049bcafd681d", "versionType": "git" }, { "lessThan": "70ef2ba1f4286b2b73675aeb424b590c92d57b25", "status": "affected", "version": "663c0c9496a69f80011205ba3194049bcafd681d", "versionType": "git" }, { "lessThan": "4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0", "status": "affected", "version": "663c0c9496a69f80011205ba3194049bcafd681d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/mm/kasan/init_32.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Fix addr error caused by page alignment\n\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start \u0026 PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\n\nAs a result, memory overwriting occurs.\n\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start \u0026 PAGE_MASK; k_cur \u003c k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\n\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:40.457Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/230e89b5ad0a33f530a2a976b3e5e4385cb27882" }, { "url": "https://git.kernel.org/stable/c/2738e0aa2fb24a7ab9c878d912dc2b239738c6c6" }, { "url": "https://git.kernel.org/stable/c/0c09912dd8387e228afcc5e34ac5d79b1e3a1058" }, { "url": "https://git.kernel.org/stable/c/0516c06b19dc64807c10e01bb99b552bdf2d7dbe" }, { "url": "https://git.kernel.org/stable/c/70ef2ba1f4286b2b73675aeb424b590c92d57b25" }, { "url": "https://git.kernel.org/stable/c/4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0" } ], "title": "powerpc/kasan: Fix addr error caused by page alignment", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26712", "datePublished": "2024-04-03T14:55:14.149Z", "dateReserved": "2024-02-19T14:20:24.159Z", "dateUpdated": "2024-12-19T08:45:40.457Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26686
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats
lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call
do_task_stat() at the same time and the process has NR_THREADS, it will
spin with irqs disabled O(NR_CPUS * NR_THREADS) time.
Change do_task_stat() to use sig->stats_lock to gather the statistics
outside of ->siglock protected section, in the likely case this code will
run lockless.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26686", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:03:13.492262Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:23.666Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.556Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/proc/array.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3820b0fac7732a653bcc6f6ac20c1d72e697f8f6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "27978243f165b44e342f28f449b91327944ea071", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7601df8031fd67310af891897ef6cc0df4209305", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/proc/array.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.82", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.64", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig-\u003estats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig-\u003estats_lock to gather the statistics\noutside of -\u003esiglock protected section, in the likely case this code will\nrun lockless." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:04.844Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" }, { "url": "https://git.kernel.org/stable/c/3820b0fac7732a653bcc6f6ac20c1d72e697f8f6" }, { "url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071" }, { "url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305" } ], "title": "fs/proc: do_task_stat: use sig-\u003estats_lock to gather the threads/children stats", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26686", "datePublished": "2024-04-03T14:54:48.530Z", "dateReserved": "2024-02-19T14:20:24.154Z", "dateUpdated": "2024-12-19T08:45:04.844Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26715
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
In current scenario if Plug-out and Plug-In performed continuously
there could be a chance while checking for dwc->gadget_driver in
dwc3_gadget_suspend, a NULL pointer dereference may occur.
Call Stack:
CPU1: CPU2:
gadget_unbind_driver dwc3_suspend_common
dwc3_gadget_stop dwc3_gadget_suspend
dwc3_disconnect_gadget
CPU1 basically clears the variable and CPU2 checks the variable.
Consider CPU1 is running and right before gadget_driver is cleared
and in parallel CPU2 executes dwc3_gadget_suspend where it finds
dwc->gadget_driver which is not NULL and resumes execution and then
CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where
it checks dwc->gadget_driver is already NULL because of which the
NULL pointer deference occur.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9772b47a4c2916d645c551228b6085ea24acbe5d Version: 9772b47a4c2916d645c551228b6085ea24acbe5d Version: 9772b47a4c2916d645c551228b6085ea24acbe5d Version: 9772b47a4c2916d645c551228b6085ea24acbe5d Version: 9772b47a4c2916d645c551228b6085ea24acbe5d |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26715", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:49:51.140719Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:25.920Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.001Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/88936ceab6b426f1312327e9ef849c215c6007a7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/57e2e42ccd3cd6183228269715ed032f44536751" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c7ebd8149ee519d27232e6e4940e9c02071b568b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/36695d5eeeefe5a64b47d0336e7c8fc144e78182" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/61a348857e869432e6a920ad8ea9132e8d44c316" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/dwc3/gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "88936ceab6b426f1312327e9ef849c215c6007a7", "status": "affected", "version": "9772b47a4c2916d645c551228b6085ea24acbe5d", "versionType": "git" }, { "lessThan": "57e2e42ccd3cd6183228269715ed032f44536751", "status": "affected", "version": "9772b47a4c2916d645c551228b6085ea24acbe5d", "versionType": "git" }, { "lessThan": "c7ebd8149ee519d27232e6e4940e9c02071b568b", "status": "affected", "version": "9772b47a4c2916d645c551228b6085ea24acbe5d", "versionType": "git" }, { "lessThan": "36695d5eeeefe5a64b47d0336e7c8fc144e78182", "status": "affected", "version": "9772b47a4c2916d645c551228b6085ea24acbe5d", "versionType": "git" }, { "lessThan": "61a348857e869432e6a920ad8ea9132e8d44c316", "status": "affected", "version": "9772b47a4c2916d645c551228b6085ea24acbe5d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/dwc3/gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.6" }, { "lessThan": "4.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend\n\nIn current scenario if Plug-out and Plug-In performed continuously\nthere could be a chance while checking for dwc-\u003egadget_driver in\ndwc3_gadget_suspend, a NULL pointer dereference may occur.\n\nCall Stack:\n\n\tCPU1: CPU2:\n\tgadget_unbind_driver dwc3_suspend_common\n\tdwc3_gadget_stop dwc3_gadget_suspend\n dwc3_disconnect_gadget\n\nCPU1 basically clears the variable and CPU2 checks the variable.\nConsider CPU1 is running and right before gadget_driver is cleared\nand in parallel CPU2 executes dwc3_gadget_suspend where it finds\ndwc-\u003egadget_driver which is not NULL and resumes execution and then\nCPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where\nit checks dwc-\u003egadget_driver is already NULL because of which the\nNULL pointer deference occur." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:43.860Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/88936ceab6b426f1312327e9ef849c215c6007a7" }, { "url": "https://git.kernel.org/stable/c/57e2e42ccd3cd6183228269715ed032f44536751" }, { "url": "https://git.kernel.org/stable/c/c7ebd8149ee519d27232e6e4940e9c02071b568b" }, { "url": "https://git.kernel.org/stable/c/36695d5eeeefe5a64b47d0336e7c8fc144e78182" }, { "url": "https://git.kernel.org/stable/c/61a348857e869432e6a920ad8ea9132e8d44c316" } ], "title": "usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26715", "datePublished": "2024-04-03T14:55:16.395Z", "dateReserved": "2024-02-19T14:20:24.160Z", "dateUpdated": "2024-12-19T08:45:43.860Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26731
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()
syzbot reported the following NULL pointer dereference issue [1]:
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:0x0
[...]
Call Trace:
<TASK>
sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230
unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called
concurrently, psock->saved_data_ready can be NULL, causing the above issue.
This patch fixes this issue by calling the appropriate data ready function
using the sk_psock_data_ready() helper and protecting it from concurrency
with sk->sk_callback_lock.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26731", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:10:44.552667Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T21:26:34.391Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.980Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4588b13abcbd561ec67f5b3c1cb2eff690990a54", "status": "affected", "version": "dd628fc697ee59b76bd3877c4bd13f07ccc3776f", "versionType": "git" }, { "lessThan": "9b099ed46dcaf1403c531ff02c3d7400fa37fa26", "status": "affected", "version": "6df7f764cd3cf5a03a4a47b23be47e57e41fcd85", "versionType": "git" }, { "lessThan": "d61608a4e394f23e0dca099df9eb8e555453d949", "status": "affected", "version": "6df7f764cd3cf5a03a4a47b23be47e57e41fcd85", "versionType": "git" }, { "lessThan": "4cd12c6065dfcdeba10f49949bffcf383b3952d8", "status": "affected", "version": "6df7f764cd3cf5a03a4a47b23be47e57e41fcd85", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()\n\nsyzbot reported the following NULL pointer dereference issue [1]:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [...]\n RIP: 0010:0x0\n [...]\n Call Trace:\n \u003cTASK\u003e\n sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230\n unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nIf sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called\nconcurrently, psock-\u003esaved_data_ready can be NULL, causing the above issue.\n\nThis patch fixes this issue by calling the appropriate data ready function\nusing the sk_psock_data_ready() helper and protecting it from concurrency\nwith sk-\u003esk_callback_lock." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:03.323Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54" }, { "url": "https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26" }, { "url": "https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949" }, { "url": "https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8" } ], "title": "bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26731", "datePublished": "2024-04-03T17:00:18.823Z", "dateReserved": "2024-02-19T14:20:24.164Z", "dateUpdated": "2024-12-19T08:46:03.323Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26732
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: implement lockless setsockopt(SO_PEEK_OFF)
syzbot reported a lockdep violation [1] involving af_unix
support of SO_PEEK_OFF.
Since SO_PEEK_OFF is inherently not thread safe (it uses a per-socket
sk_peek_off field), there is really no point to enforce a pointless
thread safety in the kernel.
After this patch :
- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.
- skb_consume_udp() no longer has to acquire the socket lock.
- af_unix no longer needs a special version of sk_set_peek_off(),
because it does not lock u->iolock anymore.
As a followup, we could replace prot->set_peek_off to be a boolean
and avoid an indirect call, since we always use sk_set_peek_off().
[1]
WARNING: possible circular locking dependency detected
6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted
syz-executor.2/30025 is trying to acquire lock:
ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
but task is already holding lock:
ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]
ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
lock_sock_nested+0x48/0x100 net/core/sock.c:3524
lock_sock include/net/sock.h:1691 [inline]
__unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415
sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046
____sys_recvmsg+0x3c0/0x470 net/socket.c:2801
___sys_recvmsg net/socket.c:2845 [inline]
do_recvmmsg+0x474/0xae0 net/socket.c:2939
__sys_recvmmsg net/socket.c:3018 [inline]
__do_sys_recvmmsg net/socket.c:3041 [inline]
__se_sys_recvmmsg net/socket.c:3034 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
-> #0 (&u->iolock){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
sk_setsockopt+0x207e/0x3360
do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307
__sys_setsockopt+0x1ad/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(sk_lock-AF_UNIX);
lock(&u->iolock);
lock(sk_lock-AF_UNIX);
lock(&u->iolock);
*** DEADLOCK ***
1 lock held by syz-executor.2/30025:
#0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
#0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]
#0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193
stack backtrace:
CPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0
Hardware name: Google Google C
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26732", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:28:35.916343Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:28:53.102Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.930Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/897f75e2cde8a5f9f7529b55249af1fa4248c83b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/56667da7399eb19af857e30f41bea89aa6fa812c" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/sock.c", "net/ipv4/udp.c", "net/unix/af_unix.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "897f75e2cde8a5f9f7529b55249af1fa4248c83b", "status": "affected", "version": "859051dd165ec6cc915f0f2114699021144fd249", "versionType": "git" }, { "lessThan": "56667da7399eb19af857e30f41bea89aa6fa812c", "status": "affected", "version": "859051dd165ec6cc915f0f2114699021144fd249", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/sock.c", "net/ipv4/udp.c", "net/unix/af_unix.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: implement lockless setsockopt(SO_PEEK_OFF)\n\nsyzbot reported a lockdep violation [1] involving af_unix\nsupport of SO_PEEK_OFF.\n\nSince SO_PEEK_OFF is inherently not thread safe (it uses a per-socket\nsk_peek_off field), there is really no point to enforce a pointless\nthread safety in the kernel.\n\nAfter this patch :\n\n- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.\n\n- skb_consume_udp() no longer has to acquire the socket lock.\n\n- af_unix no longer needs a special version of sk_set_peek_off(),\n because it does not lock u-\u003eiolock anymore.\n\nAs a followup, we could replace prot-\u003eset_peek_off to be a boolean\nand avoid an indirect call, since we always use sk_set_peek_off().\n\n[1]\n\nWARNING: possible circular locking dependency detected\n6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted\n\nsyz-executor.2/30025 is trying to acquire lock:\n ffff8880765e7d80 (\u0026u-\u003eiolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n\nbut task is already holding lock:\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_nested+0x48/0x100 net/core/sock.c:3524\n lock_sock include/net/sock.h:1691 [inline]\n __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415\n sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046\n ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\n-\u003e #0 (\u0026u-\u003eiolock){+.+.}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n sk_setsockopt+0x207e/0x3360\n do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307\n __sys_setsockopt+0x1ad/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(sk_lock-AF_UNIX);\n lock(\u0026u-\u003eiolock);\n lock(sk_lock-AF_UNIX);\n lock(\u0026u-\u003eiolock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor.2/30025:\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nstack backtrace:\nCPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0\nHardware name: Google Google C\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:04.536Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/897f75e2cde8a5f9f7529b55249af1fa4248c83b" }, { "url": "https://git.kernel.org/stable/c/56667da7399eb19af857e30f41bea89aa6fa812c" } ], "title": "net: implement lockless setsockopt(SO_PEEK_OFF)", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26732", "datePublished": "2024-04-03T17:00:19.722Z", "dateReserved": "2024-02-19T14:20:24.165Z", "dateUpdated": "2024-12-19T08:46:04.536Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26788
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: fsl-qdma: init irq after reg initialization
Initialize the qDMA irqs after the registers are configured so that
interrupts that may have been pending from a primary kernel don't get
processed by the irq handler before it is ready to and cause panic with
the following trace:
Call trace:
fsl_qdma_queue_handler+0xf8/0x3e8
__handle_irq_event_percpu+0x78/0x2b0
handle_irq_event_percpu+0x1c/0x68
handle_irq_event+0x44/0x78
handle_fasteoi_irq+0xc8/0x178
generic_handle_irq+0x24/0x38
__handle_domain_irq+0x90/0x100
gic_handle_irq+0x5c/0xb8
el1_irq+0xb8/0x180
_raw_spin_unlock_irqrestore+0x14/0x40
__setup_irq+0x4bc/0x798
request_threaded_irq+0xd8/0x190
devm_request_threaded_irq+0x74/0xe8
fsl_qdma_probe+0x4d4/0xca8
platform_drv_probe+0x50/0xa0
really_probe+0xe0/0x3f8
driver_probe_device+0x64/0x130
device_driver_attach+0x6c/0x78
__driver_attach+0xbc/0x158
bus_for_each_dev+0x5c/0x98
driver_attach+0x20/0x28
bus_add_driver+0x158/0x220
driver_register+0x60/0x110
__platform_driver_register+0x44/0x50
fsl_qdma_driver_init+0x18/0x20
do_one_initcall+0x48/0x258
kernel_init_freeable+0x1a4/0x23c
kernel_init+0x10/0xf8
ret_from_fork+0x10/0x18
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26788", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:30:20.690408Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:46.809Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.469Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/dma/fsl-qdma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3cc5fb824c2125aa3740d905b3e5b378c8a09478", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "9579a21e99fe8dab22a253050ddff28d340d74e1", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "4529c084a320be78ff2c5e64297ae998c6fdf66b", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "474d521da890b3e3585335fb80a6044cb2553d99", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "a69c8bbb946936ac4eb6a6ae1e849435aa8d947d", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "677102a930643c31f1b4c512b041407058bdfef8", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "87a39071e0b639f45e05d296cc0538eef44ec0bd", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/dma/fsl-qdma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.1" }, { "lessThan": "5.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: init irq after reg initialization\n\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don\u0027t get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\n\n Call trace:\n fsl_qdma_queue_handler+0xf8/0x3e8\n __handle_irq_event_percpu+0x78/0x2b0\n handle_irq_event_percpu+0x1c/0x68\n handle_irq_event+0x44/0x78\n handle_fasteoi_irq+0xc8/0x178\n generic_handle_irq+0x24/0x38\n __handle_domain_irq+0x90/0x100\n gic_handle_irq+0x5c/0xb8\n el1_irq+0xb8/0x180\n _raw_spin_unlock_irqrestore+0x14/0x40\n __setup_irq+0x4bc/0x798\n request_threaded_irq+0xd8/0x190\n devm_request_threaded_irq+0x74/0xe8\n fsl_qdma_probe+0x4d4/0xca8\n platform_drv_probe+0x50/0xa0\n really_probe+0xe0/0x3f8\n driver_probe_device+0x64/0x130\n device_driver_attach+0x6c/0x78\n __driver_attach+0xbc/0x158\n bus_for_each_dev+0x5c/0x98\n driver_attach+0x20/0x28\n bus_add_driver+0x158/0x220\n driver_register+0x60/0x110\n __platform_driver_register+0x44/0x50\n fsl_qdma_driver_init+0x18/0x20\n do_one_initcall+0x48/0x258\n kernel_init_freeable+0x1a4/0x23c\n kernel_init+0x10/0xf8\n ret_from_fork+0x10/0x18" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:27.751Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478" }, { "url": "https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1" }, { "url": "https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b" }, { "url": "https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99" }, { "url": "https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d" }, { "url": "https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8" }, { "url": "https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd" } ], "title": "dmaengine: fsl-qdma: init irq after reg initialization", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26788", "datePublished": "2024-04-04T08:20:20.410Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:27.751Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26735
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: sr: fix possible use-after-free and null-ptr-deref
The pernet operations structure for the subsystem must be registered
before registering the generic netlink family.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa Version: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26735", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-16T14:17:44.078376Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-31T13:57:56.491Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-11-01T17:03:12.597Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" }, { "url": "https://security.netapp.com/advisory/ntap-20241101-0012/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv6/seg6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "953f42934533c151f440cd32390044d2396b87aa", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" }, { "lessThan": "82831e3ff76ef09fb184eb93b79a3eb3fb284f1d", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" }, { "lessThan": "65c38f23d10ff79feea1e5d50b76dc7af383c1e6", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" }, { "lessThan": "91b020aaa1e59bfb669d34c968e3db3d5416bcee", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" }, { "lessThan": "8391b9b651cfdf80ab0f1dc4a489f9d67386e197", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" }, { "lessThan": "9e02973dbc6a91e40aa4f5d87b8c47446fbfce44", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" }, { "lessThan": "02b08db594e8218cfbc0e4680d4331b457968a9b", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" }, { "lessThan": "5559cea2d5aa3018a5f00dd2aca3427ba09b386b", "status": "affected", "version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv6/seg6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.10" }, { "lessThan": "4.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix possible use-after-free and null-ptr-deref\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:08.259Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa" }, { "url": "https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d" }, { "url": "https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6" }, { "url": "https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee" }, { "url": "https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197" }, { "url": "https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44" }, { "url": "https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b" }, { "url": "https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b" } ], "title": "ipv6: sr: fix possible use-after-free and null-ptr-deref", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26735", "datePublished": "2024-04-03T17:00:21.972Z", "dateReserved": "2024-02-19T14:20:24.165Z", "dateUpdated": "2024-12-19T08:46:08.259Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26743
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/qedr: Fix qedr_create_user_qp error flow
Avoid the following warning by making sure to free the allocated
resources in case that qedr_init_user_queue() fail.
-----------[ cut here ]-----------
WARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
Modules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3
ghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]
CPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1
Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022
RIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
Code: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff
RSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286
RAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016
RDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80
R13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0
Call Trace:
<TASK>
? show_trace_log_lvl+0x1c4/0x2df
? show_trace_log_lvl+0x1c4/0x2df
? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]
? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
? __warn+0x81/0x110
? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
? report_bug+0x10a/0x140
? handle_bug+0x3c/0x70
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
ib_uverbs_close+0x1f/0xb0 [ib_uverbs]
__fput+0x94/0x250
task_work_run+0x5c/0x90
do_exit+0x270/0x4a0
do_group_exit+0x2d/0x90
get_signal+0x87c/0x8c0
arch_do_signal_or_restart+0x25/0x100
? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]
exit_to_user_mode_loop+0x9c/0x130
exit_to_user_mode_prepare+0xb6/0x100
syscall_exit_to_user_mode+0x12/0x40
do_syscall_64+0x69/0x90
? syscall_exit_work+0x103/0x130
? syscall_exit_to_user_mode+0x22/0x40
? do_syscall_64+0x69/0x90
? syscall_exit_work+0x103/0x130
? syscall_exit_to_user_mode+0x22/0x40
? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90
? common_interrupt+0x43/0xa0
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x1470abe3ec6b
Code: Unable to access opcode bytes at RIP 0x1470abe3ec41.
RSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b
RDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004
RBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00
R10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358
R13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470
</TASK>
--[ end trace 888a9b92e04c5c97 ]--
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: df15856132bc837b512caa36d2227d2350cf64d8 Version: df15856132bc837b512caa36d2227d2350cf64d8 Version: df15856132bc837b512caa36d2227d2350cf64d8 Version: df15856132bc837b512caa36d2227d2350cf64d8 Version: df15856132bc837b512caa36d2227d2350cf64d8 Version: df15856132bc837b512caa36d2227d2350cf64d8 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26743", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:28:14.309187Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:28:21.844Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.229Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5639414a52a29336ffa1ede80a67c6d927acbc5a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/135e5465fefa463c5ec93c4eede48b9fedac894a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7f31a244c753aacf40b71d01f03ca6742f81bbbc" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/95175dda017cd4982cd47960536fa1de003d3298" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bab8875c06ebda5e01c5c4cab30022aed85c14e6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5ba4e6d5863c53e937f49932dee0ecb004c65928" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/qedr/verbs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5639414a52a29336ffa1ede80a67c6d927acbc5a", "status": "affected", "version": "df15856132bc837b512caa36d2227d2350cf64d8", "versionType": "git" }, { "lessThan": "135e5465fefa463c5ec93c4eede48b9fedac894a", "status": "affected", "version": "df15856132bc837b512caa36d2227d2350cf64d8", "versionType": "git" }, { "lessThan": "7f31a244c753aacf40b71d01f03ca6742f81bbbc", "status": "affected", "version": "df15856132bc837b512caa36d2227d2350cf64d8", "versionType": "git" }, { "lessThan": "95175dda017cd4982cd47960536fa1de003d3298", "status": "affected", "version": "df15856132bc837b512caa36d2227d2350cf64d8", "versionType": "git" }, { "lessThan": "bab8875c06ebda5e01c5c4cab30022aed85c14e6", "status": "affected", "version": "df15856132bc837b512caa36d2227d2350cf64d8", "versionType": "git" }, { "lessThan": "5ba4e6d5863c53e937f49932dee0ecb004c65928", "status": "affected", "version": "df15856132bc837b512caa36d2227d2350cf64d8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/qedr/verbs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.11" }, { "lessThan": "4.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix qedr_create_user_qp error flow\n\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\n\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 \u003c0f\u003e 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n\u003cTASK\u003e\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n\u003c/TASK\u003e\n--[ end trace 888a9b92e04c5c97 ]--" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:18.258Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5639414a52a29336ffa1ede80a67c6d927acbc5a" }, { "url": "https://git.kernel.org/stable/c/135e5465fefa463c5ec93c4eede48b9fedac894a" }, { "url": "https://git.kernel.org/stable/c/7f31a244c753aacf40b71d01f03ca6742f81bbbc" }, { "url": "https://git.kernel.org/stable/c/95175dda017cd4982cd47960536fa1de003d3298" }, { "url": "https://git.kernel.org/stable/c/bab8875c06ebda5e01c5c4cab30022aed85c14e6" }, { "url": "https://git.kernel.org/stable/c/5ba4e6d5863c53e937f49932dee0ecb004c65928" } ], "title": "RDMA/qedr: Fix qedr_create_user_qp error flow", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26743", "datePublished": "2024-04-03T17:00:32.634Z", "dateReserved": "2024-02-19T14:20:24.167Z", "dateUpdated": "2024-12-19T08:46:18.258Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26687
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/events: close evtchn after mapping cleanup
shutdown_pirq and startup_pirq are not taking the
irq_mapping_update_lock because they can't due to lock inversion. Both
are called with the irq_desc->lock being taking. The lock order,
however, is first irq_mapping_update_lock and then irq_desc->lock.
This opens multiple races:
- shutdown_pirq can be interrupted by a function that allocates an event
channel:
CPU0 CPU1
shutdown_pirq {
xen_evtchn_close(e)
__startup_pirq {
EVTCHNOP_bind_pirq
-> returns just freed evtchn e
set_evtchn_to_irq(e, irq)
}
xen_irq_info_cleanup() {
set_evtchn_to_irq(e, -1)
}
}
Assume here event channel e refers here to the same event channel
number.
After this race the evtchn_to_irq mapping for e is invalid (-1).
- __startup_pirq races with __unbind_from_irq in a similar way. Because
__startup_pirq doesn't take irq_mapping_update_lock it can grab the
evtchn that __unbind_from_irq is currently freeing and cleaning up. In
this case even though the event channel is allocated, its mapping can
be unset in evtchn_to_irq.
The fix is to first cleanup the mappings and then close the event
channel. In this way, when an event channel gets allocated it's
potential previous evtchn_to_irq mappings are guaranteed to be unset already.
This is also the reverse order of the allocation where first the event
channel is allocated and then the mappings are setup.
On a 5.10 kernel prior to commit 3fcdaf3d7634 ("xen/events: modify internal
[un]bind interfaces"), we hit a BUG like the following during probing of NVMe
devices. The issue is that during nvme_setup_io_queues, pci_free_irq
is called for every device which results in a call to shutdown_pirq.
With many nvme devices it's therefore likely to hit this race during
boot because there will be multiple calls to shutdown_pirq and
startup_pirq are running potentially in parallel.
------------[ cut here ]------------
blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled
kernel BUG at drivers/xen/events/events_base.c:499!
invalid opcode: 0000 [#1] SMP PTI
CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1
Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006
Workqueue: nvme-reset-wq nvme_reset_work
RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0
Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00
RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff
RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed
R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
? show_trace_log_lvl+0x1c1/0x2d9
? show_trace_log_lvl+0x1c1/0x2d9
? set_affinity_irq+0xdc/0x1c0
? __die_body.cold+0x8/0xd
? die+0x2b/0x50
? do_trap+0x90/0x110
? bind_evtchn_to_cpu+0xdf/0xf0
? do_error_trap+0x65/0x80
? bind_evtchn_to_cpu+0xdf/0xf0
? exc_invalid_op+0x4e/0x70
? bind_evtchn_to_cpu+0xdf/0xf0
? asm_exc_invalid_op+0x12/0x20
? bind_evtchn_to_cpu+0xdf/0x
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55 Version: d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55 Version: d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55 Version: d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55 Version: d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55 Version: d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55 Version: d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.637Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26687", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:53:07.213399Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:32.707Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/xen/events/events_base.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9470f5b2503cae994098dea9682aee15b313fa44", "status": "affected", "version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "versionType": "git" }, { "lessThan": "0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd", "status": "affected", "version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "versionType": "git" }, { "lessThan": "ea592baf9e41779fe9a0424c03dd2f324feca3b3", "status": "affected", "version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "versionType": "git" }, { "lessThan": "585a344af6bcac222608a158fc2830ff02712af5", "status": "affected", "version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "versionType": "git" }, { "lessThan": "20980195ec8d2e41653800c45c8c367fa1b1f2b4", "status": "affected", "version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "versionType": "git" }, { "lessThan": "9be71aa12afa91dfe457b3fb4a444c42b1ee036b", "status": "affected", "version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "versionType": "git" }, { "lessThan": "fa765c4b4aed2d64266b694520ecb025c862c5a9", "status": "affected", "version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/xen/events/events_base.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.37" }, { "lessThan": "2.6.37", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.274", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.215", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.154", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can\u0027t due to lock inversion. Both\nare called with the irq_desc-\u003elock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc-\u003elock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -\u003e returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn\u0027t take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it\u0027s\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it\u0027s therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff \u003c0f\u003e 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:06.071Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44" }, { "url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd" }, { "url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3" }, { "url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5" }, { "url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4" }, { "url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b" }, { "url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9" } ], "title": "xen/events: close evtchn after mapping cleanup", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26687", "datePublished": "2024-04-03T14:54:49.250Z", "dateReserved": "2024-02-19T14:20:24.154Z", "dateUpdated": "2024-12-19T08:45:06.071Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26685
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential bug in end_buffer_async_write
According to a syzbot report, end_buffer_async_write(), which handles the
completion of block device writes, may detect abnormal condition of the
buffer async_write flag and cause a BUG_ON failure when using nilfs2.
Nilfs2 itself does not use end_buffer_async_write(). But, the async_write
flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue
with race condition of competition between segments for dirty blocks") as
a means of resolving double list insertion of dirty blocks in
nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the
resulting crash.
This modification is safe as long as it is used for file data and b-tree
node blocks where the page caches are independent. However, it was
irrelevant and redundant to also introduce async_write for segment summary
and super root blocks that share buffers with the backing device. This
led to the possibility that the BUG_ON check in end_buffer_async_write
would fail as described above, if independent writebacks of the backing
device occurred in parallel.
The use of async_write for segment summary buffers has already been
removed in a previous change.
Fix this issue by removing the manipulation of the async_write flag for
the remaining super root block buffer.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a Version: 7f42ec3941560f0902fe3671e36f2c20ffd3af0a |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26685", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:35:50.019246Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T14:55:46.383Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.823Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c4a09fdac625e64abe478dcf88bfa20406616928" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d31c8721e816eff5ca6573cc487754f357c093cd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f3e4963566f58726d3265a727116a42b591f6596" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8fa90634ec3e9cc50f42dd605eec60f2d146ced8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6589f0f72f8edd1fa11adce4eedbd3615f2e78ab" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2c3bdba00283a6c7a5b19481a59a730f46063803" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/626daab3811b772086aef1bf8eed3ffe6f523eff" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5bc09b397cbf1221f8a8aacb1152650c9195b02b" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nilfs2/segment.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c4a09fdac625e64abe478dcf88bfa20406616928", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" }, { "lessThan": "d31c8721e816eff5ca6573cc487754f357c093cd", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" }, { "lessThan": "f3e4963566f58726d3265a727116a42b591f6596", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" }, { "lessThan": "8fa90634ec3e9cc50f42dd605eec60f2d146ced8", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" }, { "lessThan": "6589f0f72f8edd1fa11adce4eedbd3615f2e78ab", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" }, { "lessThan": "2c3bdba00283a6c7a5b19481a59a730f46063803", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" }, { "lessThan": "626daab3811b772086aef1bf8eed3ffe6f523eff", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" }, { "lessThan": "5bc09b397cbf1221f8a8aacb1152650c9195b02b", "status": "affected", "version": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nilfs2/segment.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.12" }, { "lessThan": "3.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.307", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.269", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential bug in end_buffer_async_write\n\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\n\nNilfs2 itself does not use end_buffer_async_write(). But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\n\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent. However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device. This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\n\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\n\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:03.589Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c4a09fdac625e64abe478dcf88bfa20406616928" }, { "url": "https://git.kernel.org/stable/c/d31c8721e816eff5ca6573cc487754f357c093cd" }, { "url": "https://git.kernel.org/stable/c/f3e4963566f58726d3265a727116a42b591f6596" }, { "url": "https://git.kernel.org/stable/c/8fa90634ec3e9cc50f42dd605eec60f2d146ced8" }, { "url": "https://git.kernel.org/stable/c/6589f0f72f8edd1fa11adce4eedbd3615f2e78ab" }, { "url": "https://git.kernel.org/stable/c/2c3bdba00283a6c7a5b19481a59a730f46063803" }, { "url": "https://git.kernel.org/stable/c/626daab3811b772086aef1bf8eed3ffe6f523eff" }, { "url": "https://git.kernel.org/stable/c/5bc09b397cbf1221f8a8aacb1152650c9195b02b" } ], "title": "nilfs2: fix potential bug in end_buffer_async_write", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26685", "datePublished": "2024-04-03T14:54:47.688Z", "dateReserved": "2024-02-19T14:20:24.153Z", "dateUpdated": "2024-12-19T08:45:03.589Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26751
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: ep93xx: Add terminator to gpiod_lookup_table
Without the terminator, if a con_id is passed to gpio_find() that
does not exist in the lookup table the function will not stop looping
correctly, and eventually cause an oops.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b2e63555592f81331c8da3afaa607d8cf83e8138 Version: b2e63555592f81331c8da3afaa607d8cf83e8138 Version: b2e63555592f81331c8da3afaa607d8cf83e8138 Version: b2e63555592f81331c8da3afaa607d8cf83e8138 Version: b2e63555592f81331c8da3afaa607d8cf83e8138 Version: b2e63555592f81331c8da3afaa607d8cf83e8138 Version: b2e63555592f81331c8da3afaa607d8cf83e8138 Version: b2e63555592f81331c8da3afaa607d8cf83e8138 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26751", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:36:01.250592Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:52.747Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.203Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e413efa8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fdf87a0dc26d0550c60edc911cda42f9afec3557" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm/mach-ep93xx/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9e200a06ae2abb321939693008290af32b33dd6e", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" }, { "lessThan": "999a8bb70da2946336327b4480824d1691cae1fa", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" }, { "lessThan": "70d92abbe29692a3de8697ae082c60f2d21ab482", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" }, { "lessThan": "eec6cbbfa1e8d685cc245cfd5626d0715a127a48", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" }, { "lessThan": "786f089086b505372fb3f4f008d57e7845fff0d8", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" }, { "lessThan": "97ba7c1f9c0a2401e644760d857b2386aa895997", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" }, { "lessThan": "6abe0895b63c20de06685c8544b908c7e413efa8", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" }, { "lessThan": "fdf87a0dc26d0550c60edc911cda42f9afec3557", "status": "affected", "version": "b2e63555592f81331c8da3afaa607d8cf83e8138", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm/mach-ep93xx/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: ep93xx: Add terminator to gpiod_lookup_table\n\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:27.867Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e" }, { "url": "https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa" }, { "url": "https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482" }, { "url": "https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48" }, { "url": "https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8" }, { "url": "https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997" }, { "url": "https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e413efa8" }, { "url": "https://git.kernel.org/stable/c/fdf87a0dc26d0550c60edc911cda42f9afec3557" } ], "title": "ARM: ep93xx: Add terminator to gpiod_lookup_table", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26751", "datePublished": "2024-04-03T17:00:36.523Z", "dateReserved": "2024-02-19T14:20:24.169Z", "dateUpdated": "2024-12-19T08:46:27.867Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26796
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: perf: ctr_get_width function for legacy is not defined
With parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n
linux kernel crashes when you try perf record:
$ perf record ls
[ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 46.750199] Oops [#1]
[ 46.750342] Modules linked in:
[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2
[ 46.750906] Hardware name: riscv-virtio,qemu (DT)
[ 46.751184] epc : 0x0
[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e
[ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0
[ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0
[ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930
[ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000
[ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004
[ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2
[ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000
[ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078
[ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001
[ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff
[ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30
[ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c
[ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.
[ 46.754939] ---[ end trace 0000000000000000 ]---
[ 46.755131] note: perf-exec[107] exited with irqs disabled
[ 46.755546] note: perf-exec[107] exited with preempt_count 4
This happens because in the legacy case the ctr_get_width function was not
defined, but it is used in arch_perf_update_userpage.
Also remove extra check in riscv_pmu_ctr_get_width_mask
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.539Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e0d17ee872cf8d0f51cc561329b8e1a0aa792bbb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e4f50e85de5a6b21dfdc0d7ca435eba4f62935c3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/682dc133f83e0194796e6ea72eb642df1c03dfbe" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26796", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:50:49.551123Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:47.808Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/perf/riscv_pmu.c", "drivers/perf/riscv_pmu_legacy.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e0d17ee872cf8d0f51cc561329b8e1a0aa792bbb", "status": "affected", "version": "cc4c07c89aada16229084eeb93895c95b7eabaa3", "versionType": "git" }, { "lessThan": "e4f50e85de5a6b21dfdc0d7ca435eba4f62935c3", "status": "affected", "version": "cc4c07c89aada16229084eeb93895c95b7eabaa3", "versionType": "git" }, { "lessThan": "682dc133f83e0194796e6ea72eb642df1c03dfbe", "status": "affected", "version": "cc4c07c89aada16229084eeb93895c95b7eabaa3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/perf/riscv_pmu.c", "drivers/perf/riscv_pmu_legacy.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: ctr_get_width function for legacy is not defined\n\nWith parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n\nlinux kernel crashes when you try perf record:\n\n$ perf record ls\n[ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 46.750199] Oops [#1]\n[ 46.750342] Modules linked in:\n[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2\n[ 46.750906] Hardware name: riscv-virtio,qemu (DT)\n[ 46.751184] epc : 0x0\n[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e\n[ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0\n[ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0\n[ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930\n[ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000\n[ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004\n[ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2\n[ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000\n[ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078\n[ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001\n[ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff\n[ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30\n[ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c\n[ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.\n[ 46.754939] ---[ end trace 0000000000000000 ]---\n[ 46.755131] note: perf-exec[107] exited with irqs disabled\n[ 46.755546] note: perf-exec[107] exited with preempt_count 4\n\nThis happens because in the legacy case the ctr_get_width function was not\ndefined, but it is used in arch_perf_update_userpage.\n\nAlso remove extra check in riscv_pmu_ctr_get_width_mask" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:37.598Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e0d17ee872cf8d0f51cc561329b8e1a0aa792bbb" }, { "url": "https://git.kernel.org/stable/c/e4f50e85de5a6b21dfdc0d7ca435eba4f62935c3" }, { "url": "https://git.kernel.org/stable/c/682dc133f83e0194796e6ea72eb642df1c03dfbe" } ], "title": "drivers: perf: ctr_get_width function for legacy is not defined", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26796", "datePublished": "2024-04-04T08:20:25.823Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:37.598Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26807
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Both cadence-quadspi ->runtime_suspend() and ->runtime_resume()
implementations start with:
struct cqspi_st *cqspi = dev_get_drvdata(dev);
struct spi_controller *host = dev_get_drvdata(dev);
This obviously cannot be correct, unless "struct cqspi_st" is the
first member of " struct spi_controller", or the other way around, but
it is not the case. "struct spi_controller" is allocated by
devm_spi_alloc_host(), which allocates an extra amount of memory for
private data, used to store "struct cqspi_st".
The ->probe() function of the cadence-quadspi driver then sets the
device drvdata to store the address of the "struct cqspi_st"
structure. Therefore:
struct cqspi_st *cqspi = dev_get_drvdata(dev);
is correct, but:
struct spi_controller *host = dev_get_drvdata(dev);
is not, as it makes "host" point not to a "struct spi_controller" but
to the same "struct cqspi_st" structure as above.
This obviously leads to bad things (memory corruption, kernel crashes)
directly during ->probe(), as ->probe() enables the device using PM
runtime, leading the ->runtime_resume() hook being called, which in
turns calls spi_controller_resume() with the wrong pointer.
This has at least been reported [0] to cause a kernel crash, but the
exact behavior will depend on the memory contents.
[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/
This issue potentially affects all platforms that are currently using
the cadence-quadspi driver.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.598Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26807", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:50:43.187812Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:46.008Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/spi/spi-cadence-quadspi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "03f1573c9587029730ca68503f5062105b122f61", "status": "affected", "version": "2087e85bb66ee3652dafe732bb9b9b896229eafc", "versionType": "git" }, { "lessThan": "34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03", "status": "affected", "version": "2087e85bb66ee3652dafe732bb9b9b896229eafc", "versionType": "git" }, { "lessThan": "32ce3bb57b6b402de2aec1012511e7ac4e7449dc", "status": "affected", "version": "2087e85bb66ee3652dafe732bb9b9b896229eafc", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/spi/spi-cadence-quadspi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBoth cadence-quadspi -\u003eruntime_suspend() and -\u003eruntime_resume()\nimplementations start with:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nThis obviously cannot be correct, unless \"struct cqspi_st\" is the\nfirst member of \" struct spi_controller\", or the other way around, but\nit is not the case. \"struct spi_controller\" is allocated by\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\nprivate data, used to store \"struct cqspi_st\".\n\nThe -\u003eprobe() function of the cadence-quadspi driver then sets the\ndevice drvdata to store the address of the \"struct cqspi_st\"\nstructure. Therefore:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\nis correct, but:\n\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nis not, as it makes \"host\" point not to a \"struct spi_controller\" but\nto the same \"struct cqspi_st\" structure as above.\n\nThis obviously leads to bad things (memory corruption, kernel crashes)\ndirectly during -\u003eprobe(), as -\u003eprobe() enables the device using PM\nruntime, leading the -\u003eruntime_resume() hook being called, which in\nturns calls spi_controller_resume() with the wrong pointer.\n\nThis has at least been reported [0] to cause a kernel crash, but the\nexact behavior will depend on the memory contents.\n\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\n\nThis issue potentially affects all platforms that are currently using\nthe cadence-quadspi driver." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:51.037Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61" }, { "url": "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" }, { "url": "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc" } ], "title": "spi: cadence-qspi: fix pointer reference in runtime PM hooks", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26807", "datePublished": "2024-04-04T08:20:34.155Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:51.037Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26759
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/swap: fix race when skipping swapcache
When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads
swapin the same entry at the same time, they get different pages (A, B).
Before one thread (T0) finishes the swapin and installs page (A) to the
PTE, another thread (T1) could finish swapin of page (B), swap_free the
entry, then swap out the possibly modified page reusing the same entry.
It breaks the pte_same check in (T0) because PTE value is unchanged,
causing ABA problem. Thread (T0) will install a stalled page (A) into the
PTE and cause data corruption.
One possible callstack is like this:
CPU0 CPU1
---- ----
do_swap_page() do_swap_page() with same entry
<direct swapin path> <direct swapin path>
<alloc page A> <alloc page B>
swap_read_folio() <- read to page A swap_read_folio() <- read to page B
<slow on later locks or interrupt> <finished swapin first>
... set_pte_at()
swap_free() <- entry is free
<write to page B, now page A stalled>
<swap out page B to same swap entry>
pte_same() <- Check pass, PTE seems
unchanged, but page A
is stalled!
swap_free() <- page B content lost!
set_pte_at() <- staled page A installed!
And besides, for ZRAM, swap_free() allows the swap device to discard the
entry content, so even if page (B) is not modified, if swap_read_folio()
on CPU0 happens later than swap_free() on CPU1, it may also cause data
loss.
To fix this, reuse swapcache_prepare which will pin the swap entry using
the cache flag, and allow only one thread to swap it in, also prevent any
parallel code from putting the entry in the cache. Release the pin after
PT unlocked.
Racers just loop and wait since it's a rare and very short event. A
schedule_timeout_uninterruptible(1) call is added to avoid repeated page
faults wasting too much CPU, causing livelock or adding too much noise to
perf statistics. A similar livelock issue was described in commit
029c4628b2eb ("mm: swap: get rid of livelock in swapin readahead")
Reproducer:
This race issue can be triggered easily using a well constructed
reproducer and patched brd (with a delay in read path) [1]:
With latest 6.8 mainline, race caused data loss can be observed easily:
$ gcc -g -lpthread test-thread-swap-race.c && ./a.out
Polulating 32MB of memory region...
Keep swapping out...
Starting round 0...
Spawning 65536 workers...
32746 workers spawned, wait for done...
Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!
Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!
Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!
Round 0 Failed, 15 data loss!
This reproducer spawns multiple threads sharing the same memory region
using a small swap device. Every two threads updates mapped pages one by
one in opposite direction trying to create a race, with one dedicated
thread keep swapping out the data out using madvise.
The reproducer created a reproduce rate of about once every 5 minutes, so
the race should be totally possible in production.
After this patch, I ran the reproducer for over a few hundred rounds and
no data loss observed.
Performance overhead is minimal, microbenchmark swapin 10G from 32G
zram:
Before: 10934698 us
After: 11157121 us
Cached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)
[kasong@tencent.com: v4]
Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26759", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-08T14:03:53.009974Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:35.865Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.279Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/linux/swap.h", "mm/memory.c", "mm/swap.h", "mm/swapfile.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2dedda77d4493f3e92e414b272bfa60f1f51ed95", "status": "affected", "version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168", "versionType": "git" }, { "lessThan": "305152314df82b22cf9b181f3dc5fc411002079a", "status": "affected", "version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168", "versionType": "git" }, { "lessThan": "d183a4631acfc7af955c02a02e739cec15f5234d", "status": "affected", "version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168", "versionType": "git" }, { "lessThan": "13ddaf26be324a7f951891ecd9ccd04466d27458", "status": "affected", "version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/linux/swap.h", "mm/memory.c", "mm/swap.h", "mm/swapfile.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n\u003cdirect swapin path\u003e \u003cdirect swapin path\u003e\n\u003calloc page A\u003e \u003calloc page B\u003e\nswap_read_folio() \u003c- read to page A swap_read_folio() \u003c- read to page B\n\u003cslow on later locks or interrupt\u003e \u003cfinished swapin first\u003e\n... set_pte_at()\n swap_free() \u003c- entry is free\n \u003cwrite to page B, now page A stalled\u003e\n \u003cswap out page B to same swap entry\u003e\npte_same() \u003c- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() \u003c- page B content lost!\nset_pte_at() \u003c- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it\u0027s a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c \u0026\u0026 ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:37.730Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95" }, { "url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a" }, { "url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" }, { "url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458" } ], "title": "mm/swap: fix race when skipping swapcache", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26759", "datePublished": "2024-04-03T17:00:43.288Z", "dateReserved": "2024-02-19T14:20:24.170Z", "dateUpdated": "2024-12-19T08:46:37.730Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26729
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix potential null pointer dereference in dc_dmub_srv
Fixes potential null pointer dereference warnings in the
dc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up()
functions.
In both functions, the 'dc_dmub_srv' variable was being dereferenced
before it was checked for null. This could lead to a null pointer
dereference if 'dc_dmub_srv' is null. The fix is to check if
'dc_dmub_srv' is null before dereferencing it.
Thus moving the null checks for 'dc_dmub_srv' to the beginning of the
functions to ensure that 'dc_dmub_srv' is not null when it is
dereferenced.
Found by smatch & thus fixing the below:
drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check 'dc_dmub_srv' (see line 128)
drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check 'dc_dmub_srv' (see line 1164)
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26729", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:06:25.283225Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:53.203Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/351080ba3414c96afff0f1338b4aeb2983195b80" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "351080ba3414c96afff0f1338b4aeb2983195b80", "status": "affected", "version": "028bac5834495f4f4036bf8b3206fcdafe99a393", "versionType": "git" }, { "lessThan": "d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907", "status": "affected", "version": "028bac5834495f4f4036bf8b3206fcdafe99a393", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null pointer dereference in dc_dmub_srv\n\nFixes potential null pointer dereference warnings in the\ndc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up()\nfunctions.\n\nIn both functions, the \u0027dc_dmub_srv\u0027 variable was being dereferenced\nbefore it was checked for null. This could lead to a null pointer\ndereference if \u0027dc_dmub_srv\u0027 is null. The fix is to check if\n\u0027dc_dmub_srv\u0027 is null before dereferencing it.\n\nThus moving the null checks for \u0027dc_dmub_srv\u0027 to the beginning of the\nfunctions to ensure that \u0027dc_dmub_srv\u0027 is not null when it is\ndereferenced.\n\nFound by smatch \u0026 thus fixing the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check \u0027dc_dmub_srv\u0027 (see line 128)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check \u0027dc_dmub_srv\u0027 (see line 1164)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:00.881Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/351080ba3414c96afff0f1338b4aeb2983195b80" }, { "url": "https://git.kernel.org/stable/c/d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907" } ], "title": "drm/amd/display: Fix potential null pointer dereference in dc_dmub_srv", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26729", "datePublished": "2024-04-03T17:00:17.494Z", "dateReserved": "2024-02-19T14:20:24.164Z", "dateUpdated": "2024-12-19T08:46:00.881Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26799
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: Fix uninitialized pointer dmactl
In the case where __lpass_get_dmactl_handle is called and the driver
id dai_id is invalid the pointer dmactl is not being assigned a value,
and dmactl contains a garbage value since it has not been initialized
and so the null check may not work. Fix this to initialize dmactl to
NULL. One could argue that modern compilers will set this to zero, but
it is useful to keep this initialized as per the same way in functions
__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.
Cleans up clang scan build warning:
sound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition
evaluates to a garbage value [core.uninitialized.Branch]
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26799", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:07:57.653434Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T14:54:06.205Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.565Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/soc/qcom/lpass-cdc-dma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf", "status": "affected", "version": "b81af585ea54ee9f749391e594ee9cbd44061eae", "versionType": "git" }, { "lessThan": "d5a7726e6ea62d447b79ab5baeb537ea6bdb225b", "status": "affected", "version": "b81af585ea54ee9f749391e594ee9cbd44061eae", "versionType": "git" }, { "lessThan": "1382d8b55129875b2e07c4d2a7ebc790183769ee", "status": "affected", "version": "b81af585ea54ee9f749391e594ee9cbd44061eae", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/soc/qcom/lpass-cdc-dma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix uninitialized pointer dmactl\n\nIn the case where __lpass_get_dmactl_handle is called and the driver\nid dai_id is invalid the pointer dmactl is not being assigned a value,\nand dmactl contains a garbage value since it has not been initialized\nand so the null check may not work. Fix this to initialize dmactl to\nNULL. One could argue that modern compilers will set this to zero, but\nit is useful to keep this initialized as per the same way in functions\n__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.\n\nCleans up clang scan build warning:\nsound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition\nevaluates to a garbage value [core.uninitialized.Branch]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:41.166Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf" }, { "url": "https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b" }, { "url": "https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee" } ], "title": "ASoC: qcom: Fix uninitialized pointer dmactl", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26799", "datePublished": "2024-04-04T08:20:27.888Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:41.166Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26766
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
Unfortunately the commit `fd8958efe877` introduced another error
causing the `descs` array to overflow. This reults in further crashes
easily reproducible by `sendmsg` system call.
[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990] <TASK>
[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347] __sys_sendmsg+0x59/0xa0
crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
txreq = {
list = {
next = 0xffff9cfeba229f00,
prev = 0xffff9cfeba229f00
},
descp = 0xffff9cfeba229f40,
coalesce_buf = 0x0,
wait = 0xffff9cfea4e69a48,
complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
packet_len = 0x46d,
tlen = 0x0,
num_desc = 0x0,
desc_limit = 0x6,
next_descq_idx = 0x45c,
coalesce_idx = 0x0,
flags = 0x0,
descs = {{
qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
}, {
qw = { 0x3800014231b108, 0x4}
}, {
qw = { 0x310000e4ee0fcf0, 0x8}
}, {
qw = { 0x3000012e9f8000, 0x8}
}, {
qw = { 0x59000dfb9d0000, 0x8}
}, {
qw = { 0x78000e02e40000, 0x8}
}}
},
sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
complete = 0x0,
priv = 0x0,
txq = 0xffff9cfea4e69880,
skb = 0xffff9d099809f400
}
If an SDMA send consists of exactly 6 descriptors and requires dword
padding (in the 7th descriptor), the sdma_txreq descriptor array is not
properly expanded and the packet will overflow into the container
structure. This results in a panic when the send completion runs. The
exact panic varies depending on what elements of the container structure
get corrupted. The fix is to use the correct expression in
_pad_sdma_tx_descs() to test the need to expand the descriptor array.
With this patch the crashes are no longer reproducible and the machine is
stable.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d1c1ee052d25ca23735eea912f843bc7834781b4 Version: 40ac5cb6cbb01afa40881f78b4d2f559fb7065c4 Version: 6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179 Version: bd57756a7e43c7127d0eca1fc5868e705fd0f7ba Version: eeaf35f4e3b360162081de5e744cf32d6d1b0091 Version: fd8958efe8779d3db19c9124fce593ce681ac709 Version: fd8958efe8779d3db19c9124fce593ce681ac709 Version: fd8958efe8779d3db19c9124fce593ce681ac709 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26766", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:11:09.801717Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:44.178Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.309Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/hfi1/sdma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "115b7f3bc1dce590a6851a2dcf23dc1100c49790", "status": "affected", "version": "d1c1ee052d25ca23735eea912f843bc7834781b4", "versionType": "git" }, { "lessThan": "5833024a9856f454a964a198c63a57e59e07baf5", "status": "affected", "version": "40ac5cb6cbb01afa40881f78b4d2f559fb7065c4", "versionType": "git" }, { "lessThan": "3f38d22e645e2e994979426ea5a35186102ff3c2", "status": "affected", "version": "6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179", "versionType": "git" }, { "lessThan": "47ae64df23ed1318e27bd9844e135a5e1c0e6e39", "status": "affected", "version": "bd57756a7e43c7127d0eca1fc5868e705fd0f7ba", "versionType": "git" }, { "lessThan": "52dc9a7a573dbf778625a0efca0fca55489f084b", "status": "affected", "version": "eeaf35f4e3b360162081de5e744cf32d6d1b0091", "versionType": "git" }, { "lessThan": "a2fef1d81becf4ff60e1a249477464eae3c3bc2a", "status": "affected", "version": "fd8958efe8779d3db19c9124fce593ce681ac709", "versionType": "git" }, { "lessThan": "9034a1bec35e9f725315a3bb6002ef39666114d9", "status": "affected", "version": "fd8958efe8779d3db19c9124fce593ce681ac709", "versionType": "git" }, { "lessThan": "e6f57c6881916df39db7d95981a8ad2b9c3458d6", "status": "affected", "version": "fd8958efe8779d3db19c9124fce593ce681ac709", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/hfi1/sdma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx-\u003enum_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990] \u003cTASK\u003e\n[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978] dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347] __sys_sendmsg+0x59/0xa0\n\ncrash\u003e ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n txreq = {\n list = {\n next = 0xffff9cfeba229f00,\n prev = 0xffff9cfeba229f00\n },\n descp = 0xffff9cfeba229f40,\n coalesce_buf = 0x0,\n wait = 0xffff9cfea4e69a48,\n complete = 0xffffffffc0fe0760 \u003chfi1_ipoib_sdma_complete\u003e,\n packet_len = 0x46d,\n tlen = 0x0,\n num_desc = 0x0,\n desc_limit = 0x6,\n next_descq_idx = 0x45c,\n coalesce_idx = 0x0,\n flags = 0x0,\n descs = {{\n qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n }, {\n qw = { 0x3800014231b108, 0x4}\n }, {\n qw = { 0x310000e4ee0fcf0, 0x8}\n }, {\n qw = { 0x3000012e9f8000, 0x8}\n }, {\n qw = { 0x59000dfb9d0000, 0x8}\n }, {\n qw = { 0x78000e02e40000, 0x8}\n }}\n },\n sdma_hdr = 0x400300015528b000, \u003c\u003c\u003c invalid pointer in the tx request structure\n sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n complete = 0x0,\n priv = 0x0,\n txq = 0xffff9cfea4e69880,\n skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:00.988Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790" }, { "url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5" }, { "url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2" }, { "url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39" }, { "url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b" }, { "url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a" }, { "url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9" }, { "url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6" } ], "title": "IB/hfi1: Fix sdma.h tx-\u003enum_descs off-by-one error", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26766", "datePublished": "2024-04-03T17:00:48.642Z", "dateReserved": "2024-02-19T14:20:24.173Z", "dateUpdated": "2024-12-19T08:47:00.988Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26697
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix data corruption in dsync block recovery for small block sizes
The helper function nilfs_recovery_copy_block() of
nilfs_recovery_dsync_blocks(), which recovers data from logs created by
data sync writes during a mount after an unclean shutdown, incorrectly
calculates the on-page offset when copying repair data to the file's page
cache. In environments where the block size is smaller than the page
size, this flaw can cause data corruption and leak uninitialized memory
bytes during the recovery process.
Fix these issues by correcting this byte offset calculation on the page.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.662Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5278c3eb6bf5896417572b52adb6be9d26e92f65" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a6efe6dbaaf504f5b3f8a5c3f711fe54e7dda0ba" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/364a66be2abdcd4fd426ffa44d9b8f40aafb3caa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/120f7fa2008e3bd8b7680b4ab5df942decf60fd5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9c9c68d64fd3284f7097ed6ae057c8441f39fcd3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2e1480538ef60bfee5473dfe02b1ecbaf1a4aa0d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2000016bab499074e6248ea85aeea7dd762355d9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/67b8bcbaed4777871bb0dcc888fb02a614a98ab1" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26697", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:50.686290Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:29.604Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nilfs2/recovery.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5278c3eb6bf5896417572b52adb6be9d26e92f65", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a6efe6dbaaf504f5b3f8a5c3f711fe54e7dda0ba", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "364a66be2abdcd4fd426ffa44d9b8f40aafb3caa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "120f7fa2008e3bd8b7680b4ab5df942decf60fd5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9c9c68d64fd3284f7097ed6ae057c8441f39fcd3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2e1480538ef60bfee5473dfe02b1ecbaf1a4aa0d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2000016bab499074e6248ea85aeea7dd762355d9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "67b8bcbaed4777871bb0dcc888fb02a614a98ab1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nilfs2/recovery.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.307", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.269", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix data corruption in dsync block recovery for small block sizes\n\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file\u0027s page\ncache. In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\n\nFix these issues by correcting this byte offset calculation on the page." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:23.424Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5278c3eb6bf5896417572b52adb6be9d26e92f65" }, { "url": "https://git.kernel.org/stable/c/a6efe6dbaaf504f5b3f8a5c3f711fe54e7dda0ba" }, { "url": "https://git.kernel.org/stable/c/364a66be2abdcd4fd426ffa44d9b8f40aafb3caa" }, { "url": "https://git.kernel.org/stable/c/120f7fa2008e3bd8b7680b4ab5df942decf60fd5" }, { "url": "https://git.kernel.org/stable/c/9c9c68d64fd3284f7097ed6ae057c8441f39fcd3" }, { "url": "https://git.kernel.org/stable/c/2e1480538ef60bfee5473dfe02b1ecbaf1a4aa0d" }, { "url": "https://git.kernel.org/stable/c/2000016bab499074e6248ea85aeea7dd762355d9" }, { "url": "https://git.kernel.org/stable/c/67b8bcbaed4777871bb0dcc888fb02a614a98ab1" } ], "title": "nilfs2: fix data corruption in dsync block recovery for small block sizes", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26697", "datePublished": "2024-04-03T14:54:57.848Z", "dateReserved": "2024-02-19T14:20:24.156Z", "dateUpdated": "2024-12-19T08:45:23.424Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26730
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (nct6775) Fix access to temperature configuration registers
The number of temperature configuration registers does
not always match the total number of temperature registers.
This can result in access errors reported if KASAN is enabled.
BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.970Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f006c45a3ea424f8f6c8e4b9283bc245ce2a4d0f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c196387820c9214c5ceaff56d77303c82514b8b1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d56e460e19ea8382f813eb489730248ec8d7eb73" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26730", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:03.714243Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:21.224Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hwmon/nct6775-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f006c45a3ea424f8f6c8e4b9283bc245ce2a4d0f", "status": "affected", "version": "b7f1f7b2523a6a4382f12fe953380b847b80e09d", "versionType": "git" }, { "lessThan": "c196387820c9214c5ceaff56d77303c82514b8b1", "status": "affected", "version": "b7f1f7b2523a6a4382f12fe953380b847b80e09d", "versionType": "git" }, { "lessThan": "d56e460e19ea8382f813eb489730248ec8d7eb73", "status": "affected", "version": "b7f1f7b2523a6a4382f12fe953380b847b80e09d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hwmon/nct6775-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct6775) Fix access to temperature configuration registers\n\nThe number of temperature configuration registers does\nnot always match the total number of temperature registers.\nThis can result in access errors reported if KASAN is enabled.\n\nBUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:02.146Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f006c45a3ea424f8f6c8e4b9283bc245ce2a4d0f" }, { "url": "https://git.kernel.org/stable/c/c196387820c9214c5ceaff56d77303c82514b8b1" }, { "url": "https://git.kernel.org/stable/c/d56e460e19ea8382f813eb489730248ec8d7eb73" } ], "title": "hwmon: (nct6775) Fix access to temperature configuration registers", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26730", "datePublished": "2024-04-03T17:00:18.186Z", "dateReserved": "2024-02-19T14:20:24.164Z", "dateUpdated": "2024-12-19T08:46:02.146Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26713
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2024-12-19T11:14:14.696Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26713", "datePublished": "2024-04-03T14:55:14.857Z", "dateRejected": "2024-12-19T11:14:14.696Z", "dateReserved": "2024-02-19T14:20:24.159Z", "dateUpdated": "2024-12-19T11:14:14.696Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26775
Vulnerability from cvelistv5
Published
2024-04-03 17:01
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
aoe: avoid potential deadlock at set_capacity
Move set_capacity() outside of the section procected by (&d->lock).
To avoid possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
[1] lock(&bdev->bd_size_lock);
local_irq_disable();
[2] lock(&d->lock);
[3] lock(&bdev->bd_size_lock);
<Interrupt>
[4] lock(&d->lock);
*** DEADLOCK ***
Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().
[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()
is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.
In this situation an attempt to acquire [4]lock(&d->lock) from
aoecmd_cfg_rsp() will lead to deadlock.
So the simplest solution is breaking lock dependency
[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()
outside.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.394Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26775", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:17.891108Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:55.155Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/block/aoe/aoeblk.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2d623c94fbba3554f4446ba6f3c764994e8b0d26", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "673629018ba04906899dcb631beec34d871f709c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "19a77b27163820f793b4d022979ffdca8f659b77", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e169bd4fb2b36c4b2bee63c35c740c85daeb2e86", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/block/aoe/aoeblk.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (\u0026d-\u003elock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(\u0026bdev-\u003ebd_size_lock);\n local_irq_disable();\n [2] lock(\u0026d-\u003elock);\n [3] lock(\u0026bdev-\u003ebd_size_lock);\n \u003cInterrupt\u003e\n[4] lock(\u0026d-\u003elock);\n\n *** DEADLOCK ***\n\nWhere [1](\u0026bdev-\u003ebd_size_lock) hold by zram_add()-\u003eset_capacity().\n[2]lock(\u0026d-\u003elock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](\u0026bdev-\u003ebd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(\u0026d-\u003elock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](\u0026d-\u003elock) -\u003e [3](\u0026bdev-\u003ebd_size_lock) by moving set_capacity()\noutside." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:12.099Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26" }, { "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c" }, { "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77" }, { "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" } ], "title": "aoe: avoid potential deadlock at set_capacity", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26775", "datePublished": "2024-04-03T17:01:01.299Z", "dateReserved": "2024-02-19T14:20:24.176Z", "dateUpdated": "2024-12-19T08:47:12.099Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26744
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/srpt: Support specifying the srpt_service_guid parameter
Make loading ib_srpt with this parameter set work. The current behavior is
that setting that parameter while loading the ib_srpt kernel module
triggers the following kernel crash:
BUG: kernel NULL pointer dereference, address: 0000000000000000
Call Trace:
<TASK>
parse_one+0x18c/0x1d0
parse_args+0xe1/0x230
load_module+0x8de/0xa60
init_module_from_file+0x8b/0xd0
idempotent_init_module+0x181/0x240
__x64_sys_finit_module+0x5a/0xb0
do_syscall_64+0x5f/0xe0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a42d985bd5b234da8b61347a78dc3057bf7bb94d Version: a42d985bd5b234da8b61347a78dc3057bf7bb94d Version: a42d985bd5b234da8b61347a78dc3057bf7bb94d Version: a42d985bd5b234da8b61347a78dc3057bf7bb94d Version: a42d985bd5b234da8b61347a78dc3057bf7bb94d Version: a42d985bd5b234da8b61347a78dc3057bf7bb94d Version: a42d985bd5b234da8b61347a78dc3057bf7bb94d |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26744", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T19:40:03.230655Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T21:08:27.208Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.022Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f33757781e838c0" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/ulp/srpt/ib_srpt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "84f1dac960cfa210a3b7a7522e6c2320ae91932b", "status": "affected", "version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "versionType": "git" }, { "lessThan": "5a5c039dac1b1b7ba3e91c791f4421052bf79b82", "status": "affected", "version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "versionType": "git" }, { "lessThan": "989af2f29342a9a7c7515523d879b698ac8465f4", "status": "affected", "version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "versionType": "git" }, { "lessThan": "aee4dcfe17219fe60f2821923adea98549060af8", "status": "affected", "version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "versionType": "git" }, { "lessThan": "fe2a73d57319feab4b3b175945671ce43492172f", "status": "affected", "version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "versionType": "git" }, { "lessThan": "c99a827d3cff9f84e1cb997b7cc6386d107aa74d", "status": "affected", "version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "versionType": "git" }, { "lessThan": "fdfa083549de5d50ebf7f6811f33757781e838c0", "status": "affected", "version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/ulp/srpt/ib_srpt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.3" }, { "lessThan": "3.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Support specifying the srpt_service_guid parameter\n\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n \u003cTASK\u003e\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:19.436Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b" }, { "url": "https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82" }, { "url": "https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4" }, { "url": "https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8" }, { "url": "https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f" }, { "url": "https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d" }, { "url": "https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f33757781e838c0" } ], "title": "RDMA/srpt: Support specifying the srpt_service_guid parameter", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26744", "datePublished": "2024-04-03T17:00:33.280Z", "dateReserved": "2024-02-19T14:20:24.168Z", "dateUpdated": "2024-12-19T08:46:19.436Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26791
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: dev-replace: properly validate device names
There's a syzbot report that device name buffers passed to device
replace are not properly checked for string termination which could lead
to a read out of bounds in getname_kernel().
Add a helper that validates both source and target device name buffers.
For devid as the source initialize the buffer to empty string in case
something tries to read it later.
This was originally analyzed and fixed in a different way by Edward Adam
Davis (see links).
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.455Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26791", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:50:58.820208Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:50.626Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/dev-replace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "11d7a2e429c02d51e2dc90713823ea8b8d3d3a84", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c6652e20d7d783d060fe5f987eac7b5cabe31311", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2886fe308a83968dde252302884a1e63351cf16d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ab2d68655d0f04650bef09fee948ff80597c5fb9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f590040ce2b712177306b03c2a63b16f7d48d3c8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b1690ced4d2d8b28868811fb81cd33eee5aefee1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "343eecb4ff49a7b1cc1dfe86958a805cf2341cfb", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9845664b9ee47ce7ee7ea93caf47d39a9d4552c4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/dev-replace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.309", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: dev-replace: properly validate device names\n\nThere\u0027s a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\n\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\n\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links)." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:31.383Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84" }, { "url": "https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311" }, { "url": "https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d" }, { "url": "https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9" }, { "url": "https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8" }, { "url": "https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1" }, { "url": "https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb" }, { "url": "https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4" } ], "title": "btrfs: dev-replace: properly validate device names", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26791", "datePublished": "2024-04-04T08:20:22.374Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:31.383Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26724
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers
I managed to hit following use after free warning recently:
[ 2169.711665] ==================================================================
[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0
[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0
[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2
[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 2169.722457] Call Trace:
[ 2169.722756] <IRQ>
[ 2169.723024] dump_stack_lvl+0x58/0xb0
[ 2169.723417] print_report+0xc5/0x630
[ 2169.723807] ? __virt_addr_valid+0x126/0x2b0
[ 2169.724268] kasan_report+0xbe/0xf0
[ 2169.724667] ? __run_timers.part.0+0x179/0x4c0
[ 2169.725116] ? __run_timers.part.0+0x179/0x4c0
[ 2169.725570] __run_timers.part.0+0x179/0x4c0
[ 2169.726003] ? call_timer_fn+0x320/0x320
[ 2169.726404] ? lock_downgrade+0x3a0/0x3a0
[ 2169.726820] ? kvm_clock_get_cycles+0x14/0x20
[ 2169.727257] ? ktime_get+0x92/0x150
[ 2169.727630] ? lapic_next_deadline+0x35/0x60
[ 2169.728069] run_timer_softirq+0x40/0x80
[ 2169.728475] __do_softirq+0x1a1/0x509
[ 2169.728866] irq_exit_rcu+0x95/0xc0
[ 2169.729241] sysvec_apic_timer_interrupt+0x6b/0x80
[ 2169.729718] </IRQ>
[ 2169.729993] <TASK>
[ 2169.730259] asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 2169.730755] RIP: 0010:default_idle+0x13/0x20
[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00
[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242
[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62
[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55
[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14
[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0
[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200
[ 2169.736478] ? ct_kernel_exit.constprop.0+0xa2/0xc0
[ 2169.736954] ? do_idle+0x285/0x290
[ 2169.737323] default_idle_call+0x63/0x90
[ 2169.737730] do_idle+0x285/0x290
[ 2169.738089] ? arch_cpu_idle_exit+0x30/0x30
[ 2169.738511] ? mark_held_locks+0x1a/0x80
[ 2169.738917] ? lockdep_hardirqs_on_prepare+0x12e/0x200
[ 2169.739417] cpu_startup_entry+0x30/0x40
[ 2169.739825] start_secondary+0x19a/0x1c0
[ 2169.740229] ? set_cpu_sibling_map+0xbd0/0xbd0
[ 2169.740673] secondary_startup_64_no_verify+0x15d/0x16b
[ 2169.741179] </TASK>
[ 2169.741686] Allocated by task 1098:
[ 2169.742058] kasan_save_stack+0x1c/0x40
[ 2169.742456] kasan_save_track+0x10/0x30
[ 2169.742852] __kasan_kmalloc+0x83/0x90
[ 2169.743246] mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]
[ 2169.743730] auxiliary_bus_probe+0x62/0xb0
[ 2169.744148] really_probe+0x127/0x590
[ 2169.744534] __driver_probe_device+0xd2/0x200
[ 2169.744973] device_driver_attach+0x6b/0xf0
[ 2169.745402] bind_store+0x90/0xe0
[ 2169.745761] kernfs_fop_write_iter+0x1df/0x2a0
[ 2169.746210] vfs_write+0x41f/0x790
[ 2169.746579] ksys_write+0xc7/0x160
[ 2169.746947] do_syscall_64+0x6f/0x140
[ 2169.747333] entry_SYSCALL_64_after_hwframe+0x46/0x4e
[ 2169.748049] Freed by task 1220:
[ 2169.748393] kasan_save_stack+0x1c/0x40
[ 2169.748789] kasan_save_track+0x10/0x30
[ 2169.749188] kasan_save_free_info+0x3b/0x50
[ 2169.749621] poison_slab_object+0x106/0x180
[ 2169.750044] __kasan_slab_free+0x14/0x50
[ 2169.750451] kfree+0x118/0x330
[ 2169.750792] mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]
[ 2169.751271] auxiliary_bus_remove+0x2e/0x40
[ 2169.751694] device_release_driver_internal+0x24b/0x2e0
[ 2169.752191] unbind_store+0xa6/0xb0
[ 2169.752563] kernfs_fo
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26724", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T17:56:55.554456Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:11.438Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.956Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/dpll.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1596126ea50228f0ed96697bae4e9368fda02c56", "status": "affected", "version": "496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d", "versionType": "git" }, { "lessThan": "aa1eec2f546f2afa8c98ec41e5d8ee488165d685", "status": "affected", "version": "496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/dpll.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DPLL, Fix possible use after free after delayed work timer triggers\n\nI managed to hit following use after free warning recently:\n\n[ 2169.711665] ==================================================================\n[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0\n[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0\n\n[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2\n[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 2169.722457] Call Trace:\n[ 2169.722756] \u003cIRQ\u003e\n[ 2169.723024] dump_stack_lvl+0x58/0xb0\n[ 2169.723417] print_report+0xc5/0x630\n[ 2169.723807] ? __virt_addr_valid+0x126/0x2b0\n[ 2169.724268] kasan_report+0xbe/0xf0\n[ 2169.724667] ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725116] ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725570] __run_timers.part.0+0x179/0x4c0\n[ 2169.726003] ? call_timer_fn+0x320/0x320\n[ 2169.726404] ? lock_downgrade+0x3a0/0x3a0\n[ 2169.726820] ? kvm_clock_get_cycles+0x14/0x20\n[ 2169.727257] ? ktime_get+0x92/0x150\n[ 2169.727630] ? lapic_next_deadline+0x35/0x60\n[ 2169.728069] run_timer_softirq+0x40/0x80\n[ 2169.728475] __do_softirq+0x1a1/0x509\n[ 2169.728866] irq_exit_rcu+0x95/0xc0\n[ 2169.729241] sysvec_apic_timer_interrupt+0x6b/0x80\n[ 2169.729718] \u003c/IRQ\u003e\n[ 2169.729993] \u003cTASK\u003e\n[ 2169.730259] asm_sysvec_apic_timer_interrupt+0x16/0x20\n[ 2169.730755] RIP: 0010:default_idle+0x13/0x20\n[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 \u003cfa\u003e c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00\n[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242\n[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62\n[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55\n[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14\n[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0\n[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200\n[ 2169.736478] ? ct_kernel_exit.constprop.0+0xa2/0xc0\n[ 2169.736954] ? do_idle+0x285/0x290\n[ 2169.737323] default_idle_call+0x63/0x90\n[ 2169.737730] do_idle+0x285/0x290\n[ 2169.738089] ? arch_cpu_idle_exit+0x30/0x30\n[ 2169.738511] ? mark_held_locks+0x1a/0x80\n[ 2169.738917] ? lockdep_hardirqs_on_prepare+0x12e/0x200\n[ 2169.739417] cpu_startup_entry+0x30/0x40\n[ 2169.739825] start_secondary+0x19a/0x1c0\n[ 2169.740229] ? set_cpu_sibling_map+0xbd0/0xbd0\n[ 2169.740673] secondary_startup_64_no_verify+0x15d/0x16b\n[ 2169.741179] \u003c/TASK\u003e\n\n[ 2169.741686] Allocated by task 1098:\n[ 2169.742058] kasan_save_stack+0x1c/0x40\n[ 2169.742456] kasan_save_track+0x10/0x30\n[ 2169.742852] __kasan_kmalloc+0x83/0x90\n[ 2169.743246] mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]\n[ 2169.743730] auxiliary_bus_probe+0x62/0xb0\n[ 2169.744148] really_probe+0x127/0x590\n[ 2169.744534] __driver_probe_device+0xd2/0x200\n[ 2169.744973] device_driver_attach+0x6b/0xf0\n[ 2169.745402] bind_store+0x90/0xe0\n[ 2169.745761] kernfs_fop_write_iter+0x1df/0x2a0\n[ 2169.746210] vfs_write+0x41f/0x790\n[ 2169.746579] ksys_write+0xc7/0x160\n[ 2169.746947] do_syscall_64+0x6f/0x140\n[ 2169.747333] entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\n[ 2169.748049] Freed by task 1220:\n[ 2169.748393] kasan_save_stack+0x1c/0x40\n[ 2169.748789] kasan_save_track+0x10/0x30\n[ 2169.749188] kasan_save_free_info+0x3b/0x50\n[ 2169.749621] poison_slab_object+0x106/0x180\n[ 2169.750044] __kasan_slab_free+0x14/0x50\n[ 2169.750451] kfree+0x118/0x330\n[ 2169.750792] mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]\n[ 2169.751271] auxiliary_bus_remove+0x2e/0x40\n[ 2169.751694] device_release_driver_internal+0x24b/0x2e0\n[ 2169.752191] unbind_store+0xa6/0xb0\n[ 2169.752563] kernfs_fo\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:54.253Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56" }, { "url": "https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685" } ], "title": "net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26724", "datePublished": "2024-04-03T14:55:23.349Z", "dateReserved": "2024-02-19T14:20:24.163Z", "dateUpdated": "2024-12-19T08:45:54.253Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26780
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix task hung while purging oob_skb in GC.
syzbot reported a task hung; at the same time, GC was looping infinitely
in list_for_each_entry_safe() for OOB skb. [0]
syzbot demonstrated that the list_for_each_entry_safe() was not actually
safe in this case.
A single skb could have references for multiple sockets. If we free such
a skb in the list_for_each_entry_safe(), the current and next sockets could
be unlinked in a single iteration.
unix_notinflight() uses list_del_init() to unlink the socket, so the
prefetched next socket forms a loop itself and list_for_each_entry_safe()
never stops.
Here, we must use while() and make sure we always fetch the first socket.
[0]:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
unix_gc+0x563/0x13b0 net/unix/garbage.c:319
unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
unix_release+0x91/0xf0 net/unix/af_unix.c:1064
__sock_release+0xb0/0x270 net/socket.c:659
sock_close+0x1c/0x30 net/socket.c:1421
__fput+0x270/0xb80 fs/file_table.c:376
task_work_run+0x14f/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f9d6cbdac09
Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
</TASK>
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4fe505c63aa3273135a57597fda761e9aecc7668 Version: e0e09186d8821ad59806115d347ea32efa43ca4b Version: b74aa9ce13d02b7fd37c5325b99854f91b9b4276 Version: 82ae47c5c3a6b27fdc0f9e83c1499cb439c56140 Version: 1279f9d9dec2d7462823a18c29ad61359e0a007d |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.403Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26780", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:08.468266Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:52.933Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/unix/garbage.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "36f7371de977f805750748e80279be7e370df85c", "status": "affected", "version": "4fe505c63aa3273135a57597fda761e9aecc7668", "versionType": "git" }, { "lessThan": "2a3d40b4025fcfe51b04924979f1653993b17669", "status": "affected", "version": "e0e09186d8821ad59806115d347ea32efa43ca4b", "versionType": "git" }, { "lessThan": "69e0f04460f4037e01e29f0d9675544f62aafca3", "status": "affected", "version": "b74aa9ce13d02b7fd37c5325b99854f91b9b4276", "versionType": "git" }, { "lessThan": "cb8890318dde26fc89c6ea67d6e9070ab50b6e91", "status": "affected", "version": "82ae47c5c3a6b27fdc0f9e83c1499cb439c56140", "versionType": "git" }, { "lessThan": "25236c91b5ab4a26a56ba2e79b8060cf4e047839", "status": "affected", "version": "1279f9d9dec2d7462823a18c29ad61359e0a007d", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/unix/garbage.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6.1.81", "status": "affected", "version": "6.1.78", "versionType": "semver" }, { "lessThan": "6.6.21", "status": "affected", "version": "6.6.17", "versionType": "semver" }, { "lessThan": "6.7.9", "status": "affected", "version": "6.7.5", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC.\n\nsyzbot reported a task hung; at the same time, GC was looping infinitely\nin list_for_each_entry_safe() for OOB skb. [0]\n\nsyzbot demonstrated that the list_for_each_entry_safe() was not actually\nsafe in this case.\n\nA single skb could have references for multiple sockets. If we free such\na skb in the list_for_each_entry_safe(), the current and next sockets could\nbe unlinked in a single iteration.\n\nunix_notinflight() uses list_del_init() to unlink the socket, so the\nprefetched next socket forms a loop itself and list_for_each_entry_safe()\nnever stops.\n\nHere, we must use while() and make sure we always fetch the first socket.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207\nCode: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 \u003c65\u003e 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74\nRSP: 0018:ffffc900033efa58 EFLAGS: 00000283\nRAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189\nRDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70\nRBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c\nR10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800\nR13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cNMI\u003e\n \u003c/NMI\u003e\n \u003cTASK\u003e\n unix_gc+0x563/0x13b0 net/unix/garbage.c:319\n unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683\n unix_release+0x91/0xf0 net/unix/af_unix.c:1064\n __sock_release+0xb0/0x270 net/socket.c:659\n sock_close+0x1c/0x30 net/socket.c:1421\n __fput+0x270/0xb80 fs/file_table.c:376\n task_work_run+0x14f/0x250 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa8a/0x2ad0 kernel/exit.c:871\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1020\n __do_sys_exit_group kernel/exit.c:1031 [inline]\n __se_sys_exit_group kernel/exit.c:1029 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f9d6cbdac09\nCode: Unable to access opcode bytes at 0x7f9d6cbdabdf.\nRSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0\nR13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:17.999Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c" }, { "url": "https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669" }, { "url": "https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3" }, { "url": "https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91" }, { "url": "https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839" } ], "title": "af_unix: Fix task hung while purging oob_skb in GC.", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26780", "datePublished": "2024-04-04T08:20:15.120Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:17.999Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26798
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: always restore the old font data in fbcon_do_set_font()
Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when
vc_resize() failed) started restoring old font data upon failure (of
vc_resize()). But it performs so only for user fonts. It means that the
"system"/internal fonts are not restored at all. So in result, the very
first call to fbcon_do_set_font() performs no restore at all upon
failing vc_resize().
This can be reproduced by Syzkaller to crash the system on the next
invocation of font_get(). It's rather hard to hit the allocation failure
in vc_resize() on the first font_set(), but not impossible. Esp. if
fault injection is used to aid the execution/failure. It was
demonstrated by Sirius:
BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
Call Trace:
<TASK>
con_font_get drivers/tty/vt/vt.c:4558 [inline]
con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
vfs_ioctl fs/ioctl.c:51 [inline]
...
So restore the font data in any case, not only for user fonts. Note the
later 'if' is now protected by 'old_userfont' and not 'old_data' as the
latter is always set now. (And it is supposed to be non-NULL. Otherwise
we would see the bug above again.)
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ebd6f886aa2447fcfcdce5450c9e1028e1d681bb Version: a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 Version: a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 Version: a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 Version: a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26798", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-08T20:53:12.971429Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:30.291Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.539Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/core/fbcon.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "20a4b5214f7bee13c897477168c77bbf79683c3d", "status": "affected", "version": "ebd6f886aa2447fcfcdce5450c9e1028e1d681bb", "versionType": "git" }, { "lessThan": "2f91a96b892fab2f2543b4a55740c5bee36b1a6b", "status": "affected", "version": "a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24", "versionType": "git" }, { "lessThan": "73a6bd68a1342f3a44cac9dffad81ad6a003e520", "status": "affected", "version": "a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24", "versionType": "git" }, { "lessThan": "a2c881413dcc5d801bdc9535e51270cc88cb9cd8", "status": "affected", "version": "a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24", "versionType": "git" }, { "lessThan": "00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f", "status": "affected", "version": "a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/core/fbcon.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\"system\"/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It\u0027s rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n BUG: unable to handle page fault for address: fffffffffffffff8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n Call Trace:\n \u003cTASK\u003e\n con_font_get drivers/tty/vt/vt.c:4558 [inline]\n con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n vfs_ioctl fs/ioctl.c:51 [inline]\n ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater \u0027if\u0027 is now protected by \u0027old_userfont\u0027 and not \u0027old_data\u0027 as the\nlatter is always set now. (And it is supposed to be non-NULL. Otherwise\nwe would see the bug above again.)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:39.931Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d" }, { "url": "https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b" }, { "url": "https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520" }, { "url": "https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8" }, { "url": "https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f" } ], "title": "fbcon: always restore the old font data in fbcon_do_set_font()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26798", "datePublished": "2024-04-04T08:20:27.195Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:39.931Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26758
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: Don't ignore suspended array in md_check_recovery()
mddev_suspend() never stop sync_thread, hence it doesn't make sense to
ignore suspended array in md_check_recovery(), which might cause
sync_thread can't be unregistered.
After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following
hang can be triggered by test shell/integrity-caching.sh:
1) suspend the array:
raid_postsuspend
mddev_suspend
2) stop the array:
raid_dtr
md_stop
__md_stop_writes
stop_sync_thread
set_bit(MD_RECOVERY_INTR, &mddev->recovery);
md_wakeup_thread_directly(mddev->sync_thread);
wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
3) sync thread done:
md_do_sync
set_bit(MD_RECOVERY_DONE, &mddev->recovery);
md_wakeup_thread(mddev->thread);
4) daemon thread can't unregister sync thread:
md_check_recovery
if (mddev->suspended)
return; -> return directly
md_read_sync_thread
clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);
-> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;
This problem is not just related to dm-raid, fix it by ignoring
suspended array in md_check_recovery(). And follow up patches will
improve dm-raid better to frozen sync thread during suspend.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26758", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:44:46.004126Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T17:38:20.783Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.281Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/md.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a55f0d6179a19c6b982e2dc344d58c98647a3be0", "status": "affected", "version": "68866e425be2ef2664aa5c691bb3ab789736acf5", "versionType": "git" }, { "lessThan": "1baae052cccd08daf9a9d64c3f959d8cdb689757", "status": "affected", "version": "68866e425be2ef2664aa5c691bb3ab789736acf5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/md.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.0" }, { "lessThan": "3.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don\u0027t ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn\u0027t make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can\u0027t be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, \u0026mddev-\u003erecovery);\n md_wakeup_thread_directly(mddev-\u003esync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, \u0026mddev-\u003erecovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, \u0026mddev-\u003erecovery);\n md_wakeup_thread(mddev-\u003ethread);\n\n4) daemon thread can\u0027t unregister sync thread:\nmd_check_recovery\n if (mddev-\u003esuspended)\n return; -\u003e return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, \u0026mddev-\u003erecovery);\n -\u003e MD_RECOVERY_RUNNING can\u0027t be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:36.424Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" }, { "url": "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757" } ], "title": "md: Don\u0027t ignore suspended array in md_check_recovery()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26758", "datePublished": "2024-04-03T17:00:42.448Z", "dateReserved": "2024-02-19T14:20:24.170Z", "dateUpdated": "2024-12-19T08:46:36.424Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26774
Vulnerability from cvelistv5
Published
2024-04-03 17:01
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
Determine if bb_fragments is 0 instead of determining bb_free to eliminate
the risk of dividing by zero when the block bitmap is corrupted.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.371Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/687061cfaa2ac3095170e136dd9c29a4974f41d4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8b40eb2e716b503f7a4e1090815a17b1341b2150" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f32d2a745b02123258026e105a008f474f896d6a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8cf9cc602cfb40085967c0d140e32691c8b71cf3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/993bf0f4c393b3667830918f9247438a8f6fdb5b" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26774", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:21.311447Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:10.554Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "687061cfaa2ac3095170e136dd9c29a4974f41d4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8b40eb2e716b503f7a4e1090815a17b1341b2150", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f32d2a745b02123258026e105a008f474f896d6a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8cf9cc602cfb40085967c0d140e32691c8b71cf3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "993bf0f4c393b3667830918f9247438a8f6fdb5b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt\n\nDetermine if bb_fragments is 0 instead of determining bb_free to eliminate\nthe risk of dividing by zero when the block bitmap is corrupted." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:10.928Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/687061cfaa2ac3095170e136dd9c29a4974f41d4" }, { "url": "https://git.kernel.org/stable/c/8b40eb2e716b503f7a4e1090815a17b1341b2150" }, { "url": "https://git.kernel.org/stable/c/f32d2a745b02123258026e105a008f474f896d6a" }, { "url": "https://git.kernel.org/stable/c/8cf9cc602cfb40085967c0d140e32691c8b71cf3" }, { "url": "https://git.kernel.org/stable/c/993bf0f4c393b3667830918f9247438a8f6fdb5b" } ], "title": "ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26774", "datePublished": "2024-04-03T17:01:00.618Z", "dateReserved": "2024-02-19T14:20:24.176Z", "dateUpdated": "2024-12-19T08:47:10.928Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26700
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix MST Null Ptr for RV
The change try to fix below error specific to RV platform:
BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? plist_add+0xbe/0x100
? exc_page_fault+0x7c/0x180
? asm_exc_page_fault+0x26/0x30
? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
drm_atomic_check_only+0x5c5/0xa40
drm_mode_atomic_ioctl+0x76e/0xbc0
? _copy_to_user+0x25/0x30
? drm_ioctl+0x296/0x4b0
? __pfx_drm_mode_atomic_ioctl+0x10/0x10
drm_ioctl_kernel+0xcd/0x170
drm_ioctl+0x26d/0x4b0
? __pfx_drm_mode_atomic_ioctl+0x10/0x10
amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
__x64_sys_ioctl+0x94/0xd0
do_syscall_64+0x60/0x90
? do_syscall_64+0x6c/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f4dad17f76f
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>
RSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f
RDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b
RBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc
R13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0
</TASK>
Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >
typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.975Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26700", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:43.322834Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:28.912Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "01d992088dce3945f70f49f34b0b911c5213c238", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7407c61f43b66e90ad127d0cdd13cbc9d87141a5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5cd7185d2db76c42a9b7e69adad9591d9fca093f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.82", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 \u003c48\u003e 8\u003e\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 \u003c89\u003e c\u003e\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \u003c/TASK\u003e\nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep \u003e\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas\u003e\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 \u003c48\u003e 8\u003e\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:27.219Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238" }, { "url": "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5" }, { "url": "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f" }, { "url": "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" } ], "title": "drm/amd/display: Fix MST Null Ptr for RV", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26700", "datePublished": "2024-04-03T14:54:59.997Z", "dateReserved": "2024-02-19T14:20:24.157Z", "dateUpdated": "2024-12-19T08:45:27.219Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26725
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpll: fix possible deadlock during netlink dump operation
Recently, I've been hitting following deadlock warning during dpll pin
dump:
[52804.637962] ======================================================
[52804.638536] WARNING: possible circular locking dependency detected
[52804.639111] 6.8.0-rc2jiri+ #1 Not tainted
[52804.639529] ------------------------------------------------------
[52804.640104] python3/2984 is trying to acquire lock:
[52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780
[52804.641417]
but task is already holding lock:
[52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20
[52804.642747]
which lock already depends on the new lock.
[52804.643551]
the existing dependency chain (in reverse order) is:
[52804.644259]
-> #1 (dpll_lock){+.+.}-{3:3}:
[52804.644836] lock_acquire+0x174/0x3e0
[52804.645271] __mutex_lock+0x119/0x1150
[52804.645723] dpll_lock_dumpit+0x13/0x20
[52804.646169] genl_start+0x266/0x320
[52804.646578] __netlink_dump_start+0x321/0x450
[52804.647056] genl_family_rcv_msg_dumpit+0x155/0x1e0
[52804.647575] genl_rcv_msg+0x1ed/0x3b0
[52804.648001] netlink_rcv_skb+0xdc/0x210
[52804.648440] genl_rcv+0x24/0x40
[52804.648831] netlink_unicast+0x2f1/0x490
[52804.649290] netlink_sendmsg+0x36d/0x660
[52804.649742] __sock_sendmsg+0x73/0xc0
[52804.650165] __sys_sendto+0x184/0x210
[52804.650597] __x64_sys_sendto+0x72/0x80
[52804.651045] do_syscall_64+0x6f/0x140
[52804.651474] entry_SYSCALL_64_after_hwframe+0x46/0x4e
[52804.652001]
-> #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}:
[52804.652650] check_prev_add+0x1ae/0x1280
[52804.653107] __lock_acquire+0x1ed3/0x29a0
[52804.653559] lock_acquire+0x174/0x3e0
[52804.653984] __mutex_lock+0x119/0x1150
[52804.654423] netlink_dump+0xb3/0x780
[52804.654845] __netlink_dump_start+0x389/0x450
[52804.655321] genl_family_rcv_msg_dumpit+0x155/0x1e0
[52804.655842] genl_rcv_msg+0x1ed/0x3b0
[52804.656272] netlink_rcv_skb+0xdc/0x210
[52804.656721] genl_rcv+0x24/0x40
[52804.657119] netlink_unicast+0x2f1/0x490
[52804.657570] netlink_sendmsg+0x36d/0x660
[52804.658022] __sock_sendmsg+0x73/0xc0
[52804.658450] __sys_sendto+0x184/0x210
[52804.658877] __x64_sys_sendto+0x72/0x80
[52804.659322] do_syscall_64+0x6f/0x140
[52804.659752] entry_SYSCALL_64_after_hwframe+0x46/0x4e
[52804.660281]
other info that might help us debug this:
[52804.661077] Possible unsafe locking scenario:
[52804.661671] CPU0 CPU1
[52804.662129] ---- ----
[52804.662577] lock(dpll_lock);
[52804.662924] lock(nlk_cb_mutex-GENERIC);
[52804.663538] lock(dpll_lock);
[52804.664073] lock(nlk_cb_mutex-GENERIC);
[52804.664490]
The issue as follows: __netlink_dump_start() calls control->start(cb)
with nlk->cb_mutex held. In control->start(cb) the dpll_lock is taken.
Then nlk->cb_mutex is released and taken again in netlink_dump(), while
dpll_lock still being held. That leads to ABBA deadlock when another
CPU races with the same operation.
Fix this by moving dpll_lock taking into dumpit() callback which ensures
correct lock taking order.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.969Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/087739cbd0d0b87b6cec2c0799436ac66e24acc8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/53c0441dd2c44ee93fddb5473885fd41e4bc2361" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26725", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:13.550439Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:32:52.134Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "Documentation/netlink/specs/dpll.yaml", "drivers/dpll/dpll_netlink.c", "drivers/dpll/dpll_nl.c", "drivers/dpll/dpll_nl.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "087739cbd0d0b87b6cec2c0799436ac66e24acc8", "status": "affected", "version": "9d71b54b65b1fb6c0d3a6c5c88ba9b915c783fbc", "versionType": "git" }, { "lessThan": "53c0441dd2c44ee93fddb5473885fd41e4bc2361", "status": "affected", "version": "9d71b54b65b1fb6c0d3a6c5c88ba9b915c783fbc", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "Documentation/netlink/specs/dpll.yaml", "drivers/dpll/dpll_netlink.c", "drivers/dpll/dpll_nl.c", "drivers/dpll/dpll_nl.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix possible deadlock during netlink dump operation\n\nRecently, I\u0027ve been hitting following deadlock warning during dpll pin\ndump:\n\n[52804.637962] ======================================================\n[52804.638536] WARNING: possible circular locking dependency detected\n[52804.639111] 6.8.0-rc2jiri+ #1 Not tainted\n[52804.639529] ------------------------------------------------------\n[52804.640104] python3/2984 is trying to acquire lock:\n[52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780\n[52804.641417]\n but task is already holding lock:\n[52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20\n[52804.642747]\n which lock already depends on the new lock.\n\n[52804.643551]\n the existing dependency chain (in reverse order) is:\n[52804.644259]\n -\u003e #1 (dpll_lock){+.+.}-{3:3}:\n[52804.644836] lock_acquire+0x174/0x3e0\n[52804.645271] __mutex_lock+0x119/0x1150\n[52804.645723] dpll_lock_dumpit+0x13/0x20\n[52804.646169] genl_start+0x266/0x320\n[52804.646578] __netlink_dump_start+0x321/0x450\n[52804.647056] genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.647575] genl_rcv_msg+0x1ed/0x3b0\n[52804.648001] netlink_rcv_skb+0xdc/0x210\n[52804.648440] genl_rcv+0x24/0x40\n[52804.648831] netlink_unicast+0x2f1/0x490\n[52804.649290] netlink_sendmsg+0x36d/0x660\n[52804.649742] __sock_sendmsg+0x73/0xc0\n[52804.650165] __sys_sendto+0x184/0x210\n[52804.650597] __x64_sys_sendto+0x72/0x80\n[52804.651045] do_syscall_64+0x6f/0x140\n[52804.651474] entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.652001]\n -\u003e #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}:\n[52804.652650] check_prev_add+0x1ae/0x1280\n[52804.653107] __lock_acquire+0x1ed3/0x29a0\n[52804.653559] lock_acquire+0x174/0x3e0\n[52804.653984] __mutex_lock+0x119/0x1150\n[52804.654423] netlink_dump+0xb3/0x780\n[52804.654845] __netlink_dump_start+0x389/0x450\n[52804.655321] genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.655842] genl_rcv_msg+0x1ed/0x3b0\n[52804.656272] netlink_rcv_skb+0xdc/0x210\n[52804.656721] genl_rcv+0x24/0x40\n[52804.657119] netlink_unicast+0x2f1/0x490\n[52804.657570] netlink_sendmsg+0x36d/0x660\n[52804.658022] __sock_sendmsg+0x73/0xc0\n[52804.658450] __sys_sendto+0x184/0x210\n[52804.658877] __x64_sys_sendto+0x72/0x80\n[52804.659322] do_syscall_64+0x6f/0x140\n[52804.659752] entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.660281]\n other info that might help us debug this:\n\n[52804.661077] Possible unsafe locking scenario:\n\n[52804.661671] CPU0 CPU1\n[52804.662129] ---- ----\n[52804.662577] lock(dpll_lock);\n[52804.662924] lock(nlk_cb_mutex-GENERIC);\n[52804.663538] lock(dpll_lock);\n[52804.664073] lock(nlk_cb_mutex-GENERIC);\n[52804.664490]\n\nThe issue as follows: __netlink_dump_start() calls control-\u003estart(cb)\nwith nlk-\u003ecb_mutex held. In control-\u003estart(cb) the dpll_lock is taken.\nThen nlk-\u003ecb_mutex is released and taken again in netlink_dump(), while\ndpll_lock still being held. That leads to ABBA deadlock when another\nCPU races with the same operation.\n\nFix this by moving dpll_lock taking into dumpit() callback which ensures\ncorrect lock taking order." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:56.002Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/087739cbd0d0b87b6cec2c0799436ac66e24acc8" }, { "url": "https://git.kernel.org/stable/c/53c0441dd2c44ee93fddb5473885fd41e4bc2361" } ], "title": "dpll: fix possible deadlock during netlink dump operation", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26725", "datePublished": "2024-04-03T14:55:24.074Z", "dateReserved": "2024-02-19T14:20:24.163Z", "dateUpdated": "2024-12-19T08:45:56.002Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26754
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
The gtp_net_ops pernet operations structure for the subsystem must be
registered before registering the generic netlink family.
Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
general protection fault, probably for non-canonical address
0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
RIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]
Code: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86
df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>
3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74
RSP: 0018:ffff888014107220 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? show_regs+0x90/0xa0
? die_addr+0x50/0xd0
? exc_general_protection+0x148/0x220
? asm_exc_general_protection+0x22/0x30
? gtp_genl_dump_pdp+0x1be/0x800 [gtp]
? __alloc_skb+0x1dd/0x350
? __pfx___alloc_skb+0x10/0x10
genl_dumpit+0x11d/0x230
netlink_dump+0x5b9/0xce0
? lockdep_hardirqs_on_prepare+0x253/0x430
? __pfx_netlink_dump+0x10/0x10
? kasan_save_track+0x10/0x40
? __kasan_kmalloc+0x9b/0xa0
? genl_start+0x675/0x970
__netlink_dump_start+0x6fc/0x9f0
genl_family_rcv_msg_dumpit+0x1bb/0x2d0
? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10
? genl_op_from_small+0x2a/0x440
? cap_capable+0x1d0/0x240
? __pfx_genl_start+0x10/0x10
? __pfx_genl_dumpit+0x10/0x10
? __pfx_genl_done+0x10/0x10
? security_capable+0x9d/0xe0
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.216Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f0ecdfa679189d26aedfe24212d4e69e42c2c861" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f8cbd1791900b5d96466eede8e9439a5b9ca4de7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2e534fd15e5c2ca15821c897352cf0e8a3e30dca" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a576308800be28f2eaa099e7caad093b97d66e77" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3963f16cc7643b461271989b712329520374ad2a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ba6b8b02a3314e62571a540efa96560888c5f03e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5013bd54d283eda5262c9ae3bcc966d01daf8576" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/136cfaca22567a03bbb3bf53a43d8cb5748b80ec" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26754", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:37.587111Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:15.622Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/gtp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f0ecdfa679189d26aedfe24212d4e69e42c2c861", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "f8cbd1791900b5d96466eede8e9439a5b9ca4de7", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "2e534fd15e5c2ca15821c897352cf0e8a3e30dca", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "a576308800be28f2eaa099e7caad093b97d66e77", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "3963f16cc7643b461271989b712329520374ad2a", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "ba6b8b02a3314e62571a540efa96560888c5f03e", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "5013bd54d283eda5262c9ae3bcc966d01daf8576", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "136cfaca22567a03bbb3bf53a43d8cb5748b80ec", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/gtp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.7" }, { "lessThan": "4.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\n\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\n\nSyzkaller hit \u0027general protection fault in gtp_genl_dump_pdp\u0027 bug:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 \u003c80\u003e\n 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:31.598Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f0ecdfa679189d26aedfe24212d4e69e42c2c861" }, { "url": "https://git.kernel.org/stable/c/f8cbd1791900b5d96466eede8e9439a5b9ca4de7" }, { "url": "https://git.kernel.org/stable/c/2e534fd15e5c2ca15821c897352cf0e8a3e30dca" }, { "url": "https://git.kernel.org/stable/c/a576308800be28f2eaa099e7caad093b97d66e77" }, { "url": "https://git.kernel.org/stable/c/3963f16cc7643b461271989b712329520374ad2a" }, { "url": "https://git.kernel.org/stable/c/ba6b8b02a3314e62571a540efa96560888c5f03e" }, { "url": "https://git.kernel.org/stable/c/5013bd54d283eda5262c9ae3bcc966d01daf8576" }, { "url": "https://git.kernel.org/stable/c/136cfaca22567a03bbb3bf53a43d8cb5748b80ec" } ], "title": "gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26754", "datePublished": "2024-04-03T17:00:39.079Z", "dateReserved": "2024-02-19T14:20:24.170Z", "dateUpdated": "2024-12-19T08:46:31.598Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26726
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't drop extent_map for free space inode on write error
While running the CI for an unrelated change I hit the following panic
with generic/648 on btrfs_holes_spacecache.
assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent_io.c:1385!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1
RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0
Call Trace:
<TASK>
extent_write_cache_pages+0x2ac/0x8f0
extent_writepages+0x87/0x110
do_writepages+0xd5/0x1f0
filemap_fdatawrite_wbc+0x63/0x90
__filemap_fdatawrite_range+0x5c/0x80
btrfs_fdatawrite_range+0x1f/0x50
btrfs_write_out_cache+0x507/0x560
btrfs_write_dirty_block_groups+0x32a/0x420
commit_cowonly_roots+0x21b/0x290
btrfs_commit_transaction+0x813/0x1360
btrfs_sync_file+0x51a/0x640
__x64_sys_fdatasync+0x52/0x90
do_syscall_64+0x9c/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0x76
This happens because we fail to write out the free space cache in one
instance, come back around and attempt to write it again. However on
the second pass through we go to call btrfs_get_extent() on the inode to
get the extent mapping. Because this is a new block group, and with the
free space inode we always search the commit root to avoid deadlocking
with the tree, we find nothing and return a EXTENT_MAP_HOLE for the
requested range.
This happens because the first time we try to write the space cache out
we hit an error, and on an error we drop the extent mapping. This is
normal for normal files, but the free space cache inode is special. We
always expect the extent map to be correct. Thus the second time
through we end up with a bogus extent map.
Since we're deprecating this feature, the most straightforward way to
fix this is to simply skip dropping the extent map range for this failed
range.
I shortened the test by using error injection to stress the area to make
it easier to reproduce. With this patch in place we no longer panic
with my error injection test.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26726", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:10:16.242115Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:45.957Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.173Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "02f2b95b00bf57d20320ee168b30fb7f3db8e555", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7bddf18f474f166c19f91b2baf67bf7c5eda03f7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a4b7741c8302e28073bfc6dd1c2e73598e5e535e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5571e41ec6e56e35f34ae9f5b3a335ef510e0ade", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \u003cTASK\u003e\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we\u0027re deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:57.149Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555" }, { "url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7" }, { "url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" }, { "url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade" } ], "title": "btrfs: don\u0027t drop extent_map for free space inode on write error", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26726", "datePublished": "2024-04-03T14:55:24.983Z", "dateReserved": "2024-02-19T14:20:24.163Z", "dateUpdated": "2024-12-19T08:45:57.149Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26771
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: edma: Add some null pointer checks to the edma_probe
devm_kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26771", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-08T14:05:41.933267Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:46.373Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.369Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c432094aa7c9970f2fa10d2305d550d3810657ce" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4fe4e5adc7d29d214c59b59f61db73dec505ca3d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9d508c897153ae8dd79303f7f035f078139f6b49" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7b24760f3a3c7ae1a176d343136b6c25174b7b27" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f2a5e30d1e9a629de6179fa23923a318d5feb29e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6e2276203ac9ff10fc76917ec9813c660f627369" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/dma/ti/edma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c432094aa7c9970f2fa10d2305d550d3810657ce", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4fe4e5adc7d29d214c59b59f61db73dec505ca3d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9d508c897153ae8dd79303f7f035f078139f6b49", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7b24760f3a3c7ae1a176d343136b6c25174b7b27", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f2a5e30d1e9a629de6179fa23923a318d5feb29e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6e2276203ac9ff10fc76917ec9813c660f627369", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/dma/ti/edma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Add some null pointer checks to the edma_probe\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:07.379Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c432094aa7c9970f2fa10d2305d550d3810657ce" }, { "url": "https://git.kernel.org/stable/c/4fe4e5adc7d29d214c59b59f61db73dec505ca3d" }, { "url": "https://git.kernel.org/stable/c/9d508c897153ae8dd79303f7f035f078139f6b49" }, { "url": "https://git.kernel.org/stable/c/7b24760f3a3c7ae1a176d343136b6c25174b7b27" }, { "url": "https://git.kernel.org/stable/c/f2a5e30d1e9a629de6179fa23923a318d5feb29e" }, { "url": "https://git.kernel.org/stable/c/6e2276203ac9ff10fc76917ec9813c660f627369" } ], "title": "dmaengine: ti: edma: Add some null pointer checks to the edma_probe", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26771", "datePublished": "2024-04-03T17:00:57.918Z", "dateReserved": "2024-02-19T14:20:24.175Z", "dateUpdated": "2024-12-19T08:47:07.379Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26696
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
Syzbot reported a hang issue in migrate_pages_batch() called by mbind()
and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.
While migrate_pages_batch() locks a folio and waits for the writeback to
complete, the log writer thread that should bring the writeback to
completion picks up the folio being written back in
nilfs_lookup_dirty_data_buffers() that it calls for subsequent log
creation and was trying to lock the folio. Thus causing a deadlock.
In the first place, it is unexpected that folios/pages in the middle of
writeback will be updated and become dirty. Nilfs2 adds a checksum to
verify the validity of the log being written and uses it for recovery at
mount, so data changes during writeback are suppressed. Since this is
broken, an unclean shutdown could potentially cause recovery to fail.
Investigation revealed that the root cause is that the wait for writeback
completion in nilfs_page_mkwrite() is conditional, and if the backing
device does not require stable writes, data may be modified without
waiting.
Fix these issues by making nilfs_page_mkwrite() wait for writeback to
finish regardless of the stable write requirement of the backing device.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 Version: 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.590Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/228742b2ddfb99dfd71e5a307e6088ab6836272e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/862ee4422c38be5c249844a684b00d0dbe9d1e46" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/98a4026b22ff440c7f47056481bcbbe442f607d6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7e9b622bd0748cc104d66535b76d9b3535f9dc0f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8494ba2c9ea00a54d5b50e69b22c55a8958bce32" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ea5ddbc11613b55e5128c85f57b08f907abd9b28" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e38585401d464578d30f5868ff4ca54475c34f7d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/38296afe3c6ee07319e01bb249aa4bb47c07b534" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26696", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:53.851812Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:30.066Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nilfs2/file.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "228742b2ddfb99dfd71e5a307e6088ab6836272e", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" }, { "lessThan": "862ee4422c38be5c249844a684b00d0dbe9d1e46", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" }, { "lessThan": "98a4026b22ff440c7f47056481bcbbe442f607d6", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" }, { "lessThan": "7e9b622bd0748cc104d66535b76d9b3535f9dc0f", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" }, { "lessThan": "8494ba2c9ea00a54d5b50e69b22c55a8958bce32", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" }, { "lessThan": "ea5ddbc11613b55e5128c85f57b08f907abd9b28", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" }, { "lessThan": "e38585401d464578d30f5868ff4ca54475c34f7d", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" }, { "lessThan": "38296afe3c6ee07319e01bb249aa4bb47c07b534", "status": "affected", "version": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nilfs2/file.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.9" }, { "lessThan": "3.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.307", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.269", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\n\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\n\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio. Thus causing a deadlock.\n\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty. Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed. Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\n\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\n\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:22.210Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/228742b2ddfb99dfd71e5a307e6088ab6836272e" }, { "url": "https://git.kernel.org/stable/c/862ee4422c38be5c249844a684b00d0dbe9d1e46" }, { "url": "https://git.kernel.org/stable/c/98a4026b22ff440c7f47056481bcbbe442f607d6" }, { "url": "https://git.kernel.org/stable/c/7e9b622bd0748cc104d66535b76d9b3535f9dc0f" }, { "url": "https://git.kernel.org/stable/c/8494ba2c9ea00a54d5b50e69b22c55a8958bce32" }, { "url": "https://git.kernel.org/stable/c/ea5ddbc11613b55e5128c85f57b08f907abd9b28" }, { "url": "https://git.kernel.org/stable/c/e38585401d464578d30f5868ff4ca54475c34f7d" }, { "url": "https://git.kernel.org/stable/c/38296afe3c6ee07319e01bb249aa4bb47c07b534" } ], "title": "nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26696", "datePublished": "2024-04-03T14:54:56.926Z", "dateReserved": "2024-02-19T14:20:24.156Z", "dateUpdated": "2024-12-19T08:45:22.210Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26755
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: Don't suspend the array for interrupted reshape
md_start_sync() will suspend the array if there are spares that can be
added or removed from conf, however, if reshape is still in progress,
this won't happen at all or data will be corrupted(remove_and_add_spares
won't be called from md_choose_sync_action for reshape), hence there is
no need to suspend the array if reshape is not done yet.
Meanwhile, there is a potential deadlock for raid456:
1) reshape is interrupted;
2) set one of the disk WantReplacement, and add a new disk to the array,
however, recovery won't start until the reshape is finished;
3) then issue an IO across reshpae position, this IO will wait for
reshape to make progress;
4) continue to reshape, then md_start_sync() found there is a spare disk
that can be added to conf, mddev_suspend() is called;
Step 4 and step 3 is waiting for each other, deadlock triggered. Noted
this problem is found by code review, and it's not reporduced yet.
Fix this porblem by don't suspend the array for interrupted reshape,
this is safe because conf won't be changed until reshape is done.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26755", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:11:19.922447Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-08T21:17:47.641Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.228Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/60d6130d0ac1d883ed93c2a1e10aadb60967fd48" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9e46c70e829bddc24e04f963471e9983a11598b7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/md.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "60d6130d0ac1d883ed93c2a1e10aadb60967fd48", "status": "affected", "version": "bc08041b32abe6c9824f78735bac22018eabfc06", "versionType": "git" }, { "lessThan": "9e46c70e829bddc24e04f963471e9983a11598b7", "status": "affected", "version": "bc08041b32abe6c9824f78735bac22018eabfc06", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/md.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don\u0027t suspend the array for interrupted reshape\n\nmd_start_sync() will suspend the array if there are spares that can be\nadded or removed from conf, however, if reshape is still in progress,\nthis won\u0027t happen at all or data will be corrupted(remove_and_add_spares\nwon\u0027t be called from md_choose_sync_action for reshape), hence there is\nno need to suspend the array if reshape is not done yet.\n\nMeanwhile, there is a potential deadlock for raid456:\n\n1) reshape is interrupted;\n\n2) set one of the disk WantReplacement, and add a new disk to the array,\n however, recovery won\u0027t start until the reshape is finished;\n\n3) then issue an IO across reshpae position, this IO will wait for\n reshape to make progress;\n\n4) continue to reshape, then md_start_sync() found there is a spare disk\n that can be added to conf, mddev_suspend() is called;\n\nStep 4 and step 3 is waiting for each other, deadlock triggered. Noted\nthis problem is found by code review, and it\u0027s not reporduced yet.\n\nFix this porblem by don\u0027t suspend the array for interrupted reshape,\nthis is safe because conf won\u0027t be changed until reshape is done." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:32.835Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/60d6130d0ac1d883ed93c2a1e10aadb60967fd48" }, { "url": "https://git.kernel.org/stable/c/9e46c70e829bddc24e04f963471e9983a11598b7" } ], "title": "md: Don\u0027t suspend the array for interrupted reshape", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26755", "datePublished": "2024-04-03T17:00:39.888Z", "dateReserved": "2024-02-19T14:20:24.170Z", "dateUpdated": "2024-12-19T08:46:32.835Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26714
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
interconnect: qcom: sc8180x: Mark CO0 BCM keepalive
The CO0 BCM needs to be up at all times, otherwise some hardware (like
the UFS controller) loses its connection to the rest of the SoC,
resulting in a hang of the platform, accompanied by a spectacular
logspam.
Mark it as keepalive to prevent such cases.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.962Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26714", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:29.730845Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:25.465Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/interconnect/qcom/sc8180x.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6616d3c4f8284a7b3ef978c916566bd240cea1c7", "status": "affected", "version": "9c8c6bac1ae86f6902baa938101902fb3a0a100b", "versionType": "git" }, { "lessThan": "d8e36ff40cf9dadb135f3a97341c02c9a7afcc43", "status": "affected", "version": "9c8c6bac1ae86f6902baa938101902fb3a0a100b", "versionType": "git" }, { "lessThan": "7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0", "status": "affected", "version": "9c8c6bac1ae86f6902baa938101902fb3a0a100b", "versionType": "git" }, { "lessThan": "85e985a4f46e462a37f1875cb74ed380e7c0c2e0", "status": "affected", "version": "9c8c6bac1ae86f6902baa938101902fb3a0a100b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/interconnect/qcom/sc8180x.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:42.729Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7" }, { "url": "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" }, { "url": "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0" }, { "url": "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0" } ], "title": "interconnect: qcom: sc8180x: Mark CO0 BCM keepalive", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26714", "datePublished": "2024-04-03T14:55:15.662Z", "dateReserved": "2024-02-19T14:20:24.160Z", "dateUpdated": "2024-12-19T08:45:42.729Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26710
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kasan: Limit KASAN thread size increase to 32KB
KASAN is seen to increase stack usage, to the point that it was reported
to lead to stack overflow on some 32-bit machines (see link).
To avoid overflows the stack size was doubled for KASAN builds in
commit 3e8635fb2e07 ("powerpc/kasan: Force thread size increase with
KASAN").
However with a 32KB stack size to begin with, the doubling leads to a
64KB stack, which causes build errors:
arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff)
Although the asm could be reworked, in practice a 32KB stack seems
sufficient even for KASAN builds - the additional usage seems to be in
the 2-3KB range for a 64-bit KASAN build.
So only increase the stack for KASAN if the stack size is < 32KB.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9ccf64e763aca088b0d25c1274af42b1a6a45135 Version: b38014874530d3776de75679315e8c1fe04aa89b Version: 58f396513cb1fa4ef91838c78698d458100cc27c Version: 18f14afe281648e31ed35c9ad2fcb724c4838ad9 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26710", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:38:18.725321Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T19:09:54.006Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.978Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4297217bcf1f0948a19c2bacc6b68d92e7778ad9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4cc31fa07445879a13750cb061bb8c2654975fcb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b29b16bd836a838b7690f80e37f8376414c74cbe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f1acb109505d983779bbb7e20a1ee6244d2b5736" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/include/asm/thread_info.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4297217bcf1f0948a19c2bacc6b68d92e7778ad9", "status": "affected", "version": "9ccf64e763aca088b0d25c1274af42b1a6a45135", "versionType": "git" }, { "lessThan": "4cc31fa07445879a13750cb061bb8c2654975fcb", "status": "affected", "version": "b38014874530d3776de75679315e8c1fe04aa89b", "versionType": "git" }, { "lessThan": "b29b16bd836a838b7690f80e37f8376414c74cbe", "status": "affected", "version": "58f396513cb1fa4ef91838c78698d458100cc27c", "versionType": "git" }, { "lessThan": "f1acb109505d983779bbb7e20a1ee6244d2b5736", "status": "affected", "version": "18f14afe281648e31ed35c9ad2fcb724c4838ad9", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/include/asm/thread_info.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6.1.79", "status": "affected", "version": "6.1.75", "versionType": "semver" }, { "lessThan": "6.6.18", "status": "affected", "version": "6.6.14", "versionType": "semver" }, { "lessThan": "6.7.6", "status": "affected", "version": "6.7.2", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Limit KASAN thread size increase to 32KB\n\nKASAN is seen to increase stack usage, to the point that it was reported\nto lead to stack overflow on some 32-bit machines (see link).\n\nTo avoid overflows the stack size was doubled for KASAN builds in\ncommit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with\nKASAN\").\n\nHowever with a 32KB stack size to begin with, the doubling leads to a\n64KB stack, which causes build errors:\n arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff)\n\nAlthough the asm could be reworked, in practice a 32KB stack seems\nsufficient even for KASAN builds - the additional usage seems to be in\nthe 2-3KB range for a 64-bit KASAN build.\n\nSo only increase the stack for KASAN if the stack size is \u003c 32KB." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:37.993Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4297217bcf1f0948a19c2bacc6b68d92e7778ad9" }, { "url": "https://git.kernel.org/stable/c/4cc31fa07445879a13750cb061bb8c2654975fcb" }, { "url": "https://git.kernel.org/stable/c/b29b16bd836a838b7690f80e37f8376414c74cbe" }, { "url": "https://git.kernel.org/stable/c/f1acb109505d983779bbb7e20a1ee6244d2b5736" } ], "title": "powerpc/kasan: Limit KASAN thread size increase to 32KB", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26710", "datePublished": "2024-04-03T14:55:12.583Z", "dateReserved": "2024-02-19T14:20:24.159Z", "dateUpdated": "2024-12-19T08:45:37.993Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26786
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix iopt_access_list_id overwrite bug
Syzkaller reported the following WARN_ON:
WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360
Call Trace:
iommufd_access_change_ioas+0x2fe/0x4e0
iommufd_access_destroy_object+0x50/0xb0
iommufd_object_remove+0x2a3/0x490
iommufd_object_destroy_user
iommufd_access_destroy+0x71/0xb0
iommufd_test_staccess_release+0x89/0xd0
__fput+0x272/0xb50
__fput_sync+0x4b/0x60
__do_sys_close
__se_sys_close
__x64_sys_close+0x8b/0x110
do_syscall_x64
The mismatch between the access pointer in the list and the passed-in
pointer is resulting from an overwrite of access->iopt_access_list_id, in
iopt_add_access(). Called from iommufd_access_change_ioas() when
xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.
Add a new_id in iopt_add_access() and only update iopt_access_list_id when
returning successfully.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26786", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-15T16:04:45.617050Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T16:19:48.130Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.526Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iommu/iommufd/io_pagetable.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9", "status": "affected", "version": "9227da7816dd1a42e20d41e2244cb63c205477ca", "versionType": "git" }, { "lessThan": "9526a46cc0c378d381560279bea9aa34c84298a0", "status": "affected", "version": "9227da7816dd1a42e20d41e2244cb63c205477ca", "versionType": "git" }, { "lessThan": "aeb004c0cd6958e910123a1607634401009c9539", "status": "affected", "version": "9227da7816dd1a42e20d41e2244cb63c205477ca", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iommu/iommufd/io_pagetable.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix iopt_access_list_id overwrite bug\n\nSyzkaller reported the following WARN_ON:\n WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360\n\n Call Trace:\n iommufd_access_change_ioas+0x2fe/0x4e0\n iommufd_access_destroy_object+0x50/0xb0\n iommufd_object_remove+0x2a3/0x490\n iommufd_object_destroy_user\n iommufd_access_destroy+0x71/0xb0\n iommufd_test_staccess_release+0x89/0xd0\n __fput+0x272/0xb50\n __fput_sync+0x4b/0x60\n __do_sys_close\n __se_sys_close\n __x64_sys_close+0x8b/0x110\n do_syscall_x64\n\nThe mismatch between the access pointer in the list and the passed-in\npointer is resulting from an overwrite of access-\u003eiopt_access_list_id, in\niopt_add_access(). Called from iommufd_access_change_ioas() when\nxa_alloc() succeeds but iopt_calculate_iova_alignment() fails.\n\nAdd a new_id in iopt_add_access() and only update iopt_access_list_id when\nreturning successfully." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:25.307Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9" }, { "url": "https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0" }, { "url": "https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539" } ], "title": "iommufd: Fix iopt_access_list_id overwrite bug", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26786", "datePublished": "2024-04-04T08:20:19.109Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:25.307Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26748
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: fix memory double free when handle zero packet
829 if (request->complete) {
830 spin_unlock(&priv_dev->lock);
831 usb_gadget_giveback_request(&priv_ep->endpoint,
832 request);
833 spin_lock(&priv_dev->lock);
834 }
835
836 if (request->buf == priv_dev->zlp_buf)
837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);
Driver append an additional zero packet request when queue a packet, which
length mod max packet size is 0. When transfer complete, run to line 831,
usb_gadget_giveback_request() will free this requestion. 836 condition is
true, so cdns3_gadget_ep_free_request() free this request again.
Log:
[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.140696][ T150]
[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):
[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]
Add check at line 829, skip call usb_gadget_giveback_request() if it is
additional zero length packet request. Needn't call
usb_gadget_giveback_request() because it is allocated in this driver.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26748", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T17:31:00.230088Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:02.965Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.207Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a661a260b3" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/cdns3/cdns3-gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "aad6132ae6e4809e375431f8defd1521985e44e7", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "1e204a8e9eb514e22a6567fb340ebb47df3f3a48", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "3a2a909942b5335b7ea66366d84261b3ed5f89c8", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "9a52b694b066f299d8b9800854a8503457a8b64c", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "70e8038813f9d3e72df966748ebbc40efe466019", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "92d20406a3d4ff3e8be667c79209dc9ed31df5b3", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "5fd9e45f1ebcd57181358af28506e8a661a260b3", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/cdns3/cdns3-gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix memory double free when handle zero packet\n\n829 if (request-\u003ecomplete) {\n830 spin_unlock(\u0026priv_dev-\u003elock);\n831 usb_gadget_giveback_request(\u0026priv_ep-\u003eendpoint,\n832 request);\n833 spin_lock(\u0026priv_dev-\u003elock);\n834 }\n835\n836 if (request-\u003ebuf == priv_dev-\u003ezlp_buf)\n837 cdns3_gadget_ep_free_request(\u0026priv_ep-\u003eendpoint, request);\n\nDriver append an additional zero packet request when queue a packet, which\nlength mod max packet size is 0. When transfer complete, run to line 831,\nusb_gadget_giveback_request() will free this requestion. 836 condition is\ntrue, so cdns3_gadget_ep_free_request() free this request again.\n\nLog:\n\n[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.140696][ T150]\n[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):\n[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]\n\nAdd check at line 829, skip call usb_gadget_giveback_request() if it is\nadditional zero length packet request. Needn\u0027t call\nusb_gadget_giveback_request() because it is allocated in this driver." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:24.222Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7" }, { "url": "https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48" }, { "url": "https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8" }, { "url": "https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c" }, { "url": "https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019" }, { "url": "https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3" }, { "url": "https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a661a260b3" } ], "title": "usb: cdns3: fix memory double free when handle zero packet", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26748", "datePublished": "2024-04-03T17:00:35.087Z", "dateReserved": "2024-02-19T14:20:24.168Z", "dateUpdated": "2024-12-19T08:46:24.222Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26704
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double-free of blocks due to wrong extents moved_len
In ext4_move_extents(), moved_len is only updated when all moves are
successfully executed, and only discards orig_inode and donor_inode
preallocations when moved_len is not zero. When the loop fails to exit
after successfully moving some extents, moved_len is not updated and
remains at 0, so it does not discard the preallocations.
If the moved extents overlap with the preallocated extents, the
overlapped extents are freed twice in ext4_mb_release_inode_pa() and
ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4:
Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is
incremented twice. Hence when trim is executed, a zero-division bug is
triggered in mb_update_avg_fragment_size() because bb_free is not zero
and bb_fragments is zero.
Therefore, update move_len after each extent move to avoid the issue.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.613Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b4fbb89d722cbb16beaaea234b7230faaaf68c71" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/afbcad9ae7d6d11608399188f03a837451b6b3a1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d033a555d9a1cf53dbf3301af7199cc4a4c8f537" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/afba9d11320dad5ce222ac8964caf64b7b4bedb1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2883940b19c38d5884c8626483811acf4d7e148f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/559ddacb90da1d8786dd8ec4fd76bbfa404eaef6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/55583e899a5357308274601364741a83e78d6ac4" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26704", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:39.832740Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:27.505Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/move_extent.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b4fbb89d722cbb16beaaea234b7230faaaf68c71", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" }, { "lessThan": "afbcad9ae7d6d11608399188f03a837451b6b3a1", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" }, { "lessThan": "d033a555d9a1cf53dbf3301af7199cc4a4c8f537", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" }, { "lessThan": "afba9d11320dad5ce222ac8964caf64b7b4bedb1", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" }, { "lessThan": "185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" }, { "lessThan": "2883940b19c38d5884c8626483811acf4d7e148f", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" }, { "lessThan": "559ddacb90da1d8786dd8ec4fd76bbfa404eaef6", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" }, { "lessThan": "55583e899a5357308274601364741a83e78d6ac4", "status": "affected", "version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/move_extent.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.18" }, { "lessThan": "3.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.307", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.269", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double-free of blocks due to wrong extents moved_len\n\nIn ext4_move_extents(), moved_len is only updated when all moves are\nsuccessfully executed, and only discards orig_inode and donor_inode\npreallocations when moved_len is not zero. When the loop fails to exit\nafter successfully moving some extents, moved_len is not updated and\nremains at 0, so it does not discard the preallocations.\n\nIf the moved extents overlap with the preallocated extents, the\noverlapped extents are freed twice in ext4_mb_release_inode_pa() and\next4_process_freed_data() (as described in commit 94d7c16cbbbd (\"ext4:\nFix double-free of blocks with EXT4_IOC_MOVE_EXT\")), and bb_free is\nincremented twice. Hence when trim is executed, a zero-division bug is\ntriggered in mb_update_avg_fragment_size() because bb_free is not zero\nand bb_fragments is zero.\n\nTherefore, update move_len after each extent move to avoid the issue." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:30.807Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b4fbb89d722cbb16beaaea234b7230faaaf68c71" }, { "url": "https://git.kernel.org/stable/c/afbcad9ae7d6d11608399188f03a837451b6b3a1" }, { "url": "https://git.kernel.org/stable/c/d033a555d9a1cf53dbf3301af7199cc4a4c8f537" }, { "url": "https://git.kernel.org/stable/c/afba9d11320dad5ce222ac8964caf64b7b4bedb1" }, { "url": "https://git.kernel.org/stable/c/185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1" }, { "url": "https://git.kernel.org/stable/c/2883940b19c38d5884c8626483811acf4d7e148f" }, { "url": "https://git.kernel.org/stable/c/559ddacb90da1d8786dd8ec4fd76bbfa404eaef6" }, { "url": "https://git.kernel.org/stable/c/55583e899a5357308274601364741a83e78d6ac4" } ], "title": "ext4: fix double-free of blocks due to wrong extents moved_len", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26704", "datePublished": "2024-04-03T14:55:02.672Z", "dateReserved": "2024-02-19T14:20:24.158Z", "dateUpdated": "2024-12-19T08:45:30.807Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26728
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix null-pointer dereference on edid reading
Use i2c adapter when there isn't aux_mode in dc_link to fix a
null-pointer derefence that happens when running
igt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector
detected as below:
[ +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0
[ +0.000010] #PF: supervisor read access in kernel mode
[ +0.000005] #PF: error_code(0x0000) - not-present page
[ +0.000004] PGD 0 P4D 0
[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152
[ +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021
[ +0.000004] RIP: 0010:i2c_transfer+0xd/0x100
[ +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16
[ +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246
[ +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080
[ +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0
[ +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980
[ +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080
[ +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f
[ +0.000004] FS: 00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000
[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0
[ +0.000003] PKRU: 55555554
[ +0.000003] Call Trace:
[ +0.000006] <TASK>
[ +0.000006] ? __die+0x23/0x70
[ +0.000011] ? page_fault_oops+0x17d/0x4c0
[ +0.000008] ? preempt_count_add+0x6e/0xa0
[ +0.000008] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000011] ? exc_page_fault+0x7f/0x180
[ +0.000009] ? asm_exc_page_fault+0x26/0x30
[ +0.000013] ? i2c_transfer+0xd/0x100
[ +0.000010] drm_do_probe_ddc_edid+0xc2/0x140 [drm]
[ +0.000067] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000006] ? _drm_do_get_edid+0x97/0x3c0 [drm]
[ +0.000043] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]
[ +0.000042] edid_block_read+0x3b/0xd0 [drm]
[ +0.000043] _drm_do_get_edid+0xb6/0x3c0 [drm]
[ +0.000041] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]
[ +0.000043] drm_edid_read_custom+0x37/0xd0 [drm]
[ +0.000044] amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu]
[ +0.000153] drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper]
[ +0.000000] __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper]
[ +0.000000] ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu]
[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000000] drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper]
[ +0.000000] status_store+0xb2/0x1f0 [drm]
[ +0.000000] kernfs_fop_write_iter+0x136/0x1d0
[ +0.000000] vfs_write+0x24d/0x440
[ +0.000000] ksys_write+0x6f/0xf0
[ +0.000000] do_syscall_64+0x60/0xc0
[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000000] ? syscall_exit_to_user_mode+0x2b/0x40
[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000000] ? do_syscall_64+0x6c/0xc0
[ +0.000000] ? do_syscall_64+0x6c/0xc0
[ +0.000000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ +0.000000] RIP: 0033:0x7f9ad46b4b00
[ +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
[ +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[ +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00
[ +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009
[ +0.000000] RBP: 0000000000000002 R08
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.935Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2d392f7268a1a9bfbd98c831f0f4c964e59aa145" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9671761792156f2339627918bafcd713a8a6f777" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26728", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:07.138513Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:21.807Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2d392f7268a1a9bfbd98c831f0f4c964e59aa145", "status": "affected", "version": "0e859faf8670a78ce206977dcf1a31a0231e9ca5", "versionType": "git" }, { "lessThan": "9671761792156f2339627918bafcd713a8a6f777", "status": "affected", "version": "0e859faf8670a78ce206977dcf1a31a0231e9ca5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix null-pointer dereference on edid reading\n\nUse i2c adapter when there isn\u0027t aux_mode in dc_link to fix a\nnull-pointer derefence that happens when running\nigt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector\ndetected as below:\n\n[ +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0\n[ +0.000010] #PF: supervisor read access in kernel mode\n[ +0.000005] #PF: error_code(0x0000) - not-present page\n[ +0.000004] PGD 0 P4D 0\n[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152\n[ +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021\n[ +0.000004] RIP: 0010:i2c_transfer+0xd/0x100\n[ +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 \u003c48\u003e 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16\n[ +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246\n[ +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080\n[ +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0\n[ +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980\n[ +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080\n[ +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f\n[ +0.000004] FS: 00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0\n[ +0.000003] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000006] \u003cTASK\u003e\n[ +0.000006] ? __die+0x23/0x70\n[ +0.000011] ? page_fault_oops+0x17d/0x4c0\n[ +0.000008] ? preempt_count_add+0x6e/0xa0\n[ +0.000008] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000011] ? exc_page_fault+0x7f/0x180\n[ +0.000009] ? asm_exc_page_fault+0x26/0x30\n[ +0.000013] ? i2c_transfer+0xd/0x100\n[ +0.000010] drm_do_probe_ddc_edid+0xc2/0x140 [drm]\n[ +0.000067] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000006] ? _drm_do_get_edid+0x97/0x3c0 [drm]\n[ +0.000043] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[ +0.000042] edid_block_read+0x3b/0xd0 [drm]\n[ +0.000043] _drm_do_get_edid+0xb6/0x3c0 [drm]\n[ +0.000041] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[ +0.000043] drm_edid_read_custom+0x37/0xd0 [drm]\n[ +0.000044] amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu]\n[ +0.000153] drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper]\n[ +0.000000] __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper]\n[ +0.000000] ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu]\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper]\n[ +0.000000] status_store+0xb2/0x1f0 [drm]\n[ +0.000000] kernfs_fop_write_iter+0x136/0x1d0\n[ +0.000000] vfs_write+0x24d/0x440\n[ +0.000000] ksys_write+0x6f/0xf0\n[ +0.000000] do_syscall_64+0x60/0xc0\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] ? syscall_exit_to_user_mode+0x2b/0x40\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] ? do_syscall_64+0x6c/0xc0\n[ +0.000000] ? do_syscall_64+0x6c/0xc0\n[ +0.000000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ +0.000000] RIP: 0033:0x7f9ad46b4b00\n[ +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\n[ +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n[ +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00\n[ +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009\n[ +0.000000] RBP: 0000000000000002 R08\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:59.543Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2d392f7268a1a9bfbd98c831f0f4c964e59aa145" }, { "url": "https://git.kernel.org/stable/c/9671761792156f2339627918bafcd713a8a6f777" } ], "title": "drm/amd/display: fix null-pointer dereference on edid reading", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26728", "datePublished": "2024-04-03T17:00:16.776Z", "dateReserved": "2024-02-19T14:20:24.164Z", "dateUpdated": "2024-12-19T08:45:59.543Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26734
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
devlink: fix possible use-after-free and memory leaks in devlink_init()
The pernet operations structure for the subsystem must be registered
before registering the generic netlink family.
Make an unregister in case of unsuccessful registration.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.249Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/919092bd5482b7070ae66d1daef73b600738f3a2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e91d3561e28d7665f4f837880501dc8755f635a9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/def689fc26b9a9622d2e2cb0c4933dd3b1c8071c" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26734", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:57.238703Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:19.585Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/devlink/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "919092bd5482b7070ae66d1daef73b600738f3a2", "status": "affected", "version": "687125b5799cd5120437fa455cfccbe8537916ff", "versionType": "git" }, { "lessThan": "e91d3561e28d7665f4f837880501dc8755f635a9", "status": "affected", "version": "687125b5799cd5120437fa455cfccbe8537916ff", "versionType": "git" }, { "lessThan": "def689fc26b9a9622d2e2cb0c4933dd3b1c8071c", "status": "affected", "version": "687125b5799cd5120437fa455cfccbe8537916ff", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/devlink/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\n\nMake an unregister in case of unsuccessful registration." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:06.906Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/919092bd5482b7070ae66d1daef73b600738f3a2" }, { "url": "https://git.kernel.org/stable/c/e91d3561e28d7665f4f837880501dc8755f635a9" }, { "url": "https://git.kernel.org/stable/c/def689fc26b9a9622d2e2cb0c4933dd3b1c8071c" } ], "title": "devlink: fix possible use-after-free and memory leaks in devlink_init()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26734", "datePublished": "2024-04-03T17:00:21.162Z", "dateReserved": "2024-02-19T14:20:24.165Z", "dateUpdated": "2024-12-19T08:46:06.906Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26738
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller
When a PCI device is dynamically added, the kernel oopses with a NULL
pointer dereference:
BUG: Kernel NULL pointer dereference on read at 0x00000030
Faulting instruction address: 0xc0000000006bbe5c
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse
CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66
Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8
REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)
MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002220 XER: 20040006
CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0
...
NIP sysfs_add_link_to_group+0x34/0x94
LR iommu_device_link+0x5c/0x118
Call Trace:
iommu_init_device+0x26c/0x318 (unreliable)
iommu_device_link+0x5c/0x118
iommu_init_device+0xa8/0x318
iommu_probe_device+0xc0/0x134
iommu_bus_notifier+0x44/0x104
notifier_call_chain+0xb8/0x19c
blocking_notifier_call_chain+0x64/0x98
bus_notify+0x50/0x7c
device_add+0x640/0x918
pci_device_add+0x23c/0x298
of_create_pci_dev+0x400/0x884
of_scan_pci_dev+0x124/0x1b0
__of_scan_bus+0x78/0x18c
pcibios_scan_phb+0x2a4/0x3b0
init_phb_dynamic+0xb8/0x110
dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]
kobj_attr_store+0x2c/0x48
sysfs_kf_write+0x64/0x78
kernfs_fop_write_iter+0x1b0/0x290
vfs_write+0x350/0x4a0
ksys_write+0x84/0x140
system_call_exception+0x124/0x330
system_call_vectored_common+0x15c/0x2ec
Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities
and allow blocking domains") broke DLPAR add of PCI devices.
The above added iommu_device structure to pci_controller. During
system boot, PCI devices are discovered and this newly added iommu_device
structure is initialized by a call to iommu_device_register().
During DLPAR add of a PCI device, a new pci_controller structure is
allocated but there are no calls made to iommu_device_register()
interface.
Fix is to register the iommu device during DLPAR add as well.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26738", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:32:38.410311Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:33.182Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.091Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b8315b2e25b4e68e42fcb74630f824b9a5067765" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/46e36ebd5e00a148b67ed77c1d31675996f77c25" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/include/asm/ppc-pci.h", "arch/powerpc/kernel/iommu.c", "arch/powerpc/platforms/pseries/pci_dlpar.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b8315b2e25b4e68e42fcb74630f824b9a5067765", "status": "affected", "version": "a940904443e432623579245babe63e2486ff327b", "versionType": "git" }, { "lessThan": "46e36ebd5e00a148b67ed77c1d31675996f77c25", "status": "affected", "version": "a940904443e432623579245babe63e2486ff327b", "versionType": "git" }, { "lessThan": "a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321", "status": "affected", "version": "a940904443e432623579245babe63e2486ff327b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/include/asm/ppc-pci.h", "arch/powerpc/kernel/iommu.c", "arch/powerpc/platforms/pseries/pci_dlpar.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: DLPAR add doesn\u0027t completely initialize pci_controller\n\nWhen a PCI device is dynamically added, the kernel oopses with a NULL\npointer dereference:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000030\n Faulting instruction address: 0xc0000000006bbe5c\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8\n REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)\n MSR: 8000000000009033 \u003cSF,EE,ME,IR,DR,RI,LE\u003e CR: 24002220 XER: 20040006\n CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0\n ...\n NIP sysfs_add_link_to_group+0x34/0x94\n LR iommu_device_link+0x5c/0x118\n Call Trace:\n iommu_init_device+0x26c/0x318 (unreliable)\n iommu_device_link+0x5c/0x118\n iommu_init_device+0xa8/0x318\n iommu_probe_device+0xc0/0x134\n iommu_bus_notifier+0x44/0x104\n notifier_call_chain+0xb8/0x19c\n blocking_notifier_call_chain+0x64/0x98\n bus_notify+0x50/0x7c\n device_add+0x640/0x918\n pci_device_add+0x23c/0x298\n of_create_pci_dev+0x400/0x884\n of_scan_pci_dev+0x124/0x1b0\n __of_scan_bus+0x78/0x18c\n pcibios_scan_phb+0x2a4/0x3b0\n init_phb_dynamic+0xb8/0x110\n dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]\n add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]\n kobj_attr_store+0x2c/0x48\n sysfs_kf_write+0x64/0x78\n kernfs_fop_write_iter+0x1b0/0x290\n vfs_write+0x350/0x4a0\n ksys_write+0x84/0x140\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n\nCommit a940904443e4 (\"powerpc/iommu: Add iommu_ops to report capabilities\nand allow blocking domains\") broke DLPAR add of PCI devices.\n\nThe above added iommu_device structure to pci_controller. During\nsystem boot, PCI devices are discovered and this newly added iommu_device\nstructure is initialized by a call to iommu_device_register().\n\nDuring DLPAR add of a PCI device, a new pci_controller structure is\nallocated but there are no calls made to iommu_device_register()\ninterface.\n\nFix is to register the iommu device during DLPAR add as well." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:12.110Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b8315b2e25b4e68e42fcb74630f824b9a5067765" }, { "url": "https://git.kernel.org/stable/c/46e36ebd5e00a148b67ed77c1d31675996f77c25" }, { "url": "https://git.kernel.org/stable/c/a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321" } ], "title": "powerpc/pseries/iommu: DLPAR add doesn\u0027t completely initialize pci_controller", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26738", "datePublished": "2024-04-03T17:00:24.126Z", "dateReserved": "2024-02-19T14:20:24.166Z", "dateUpdated": "2024-12-19T08:46:12.110Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26794
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race between ordered extent completion and fiemap
For fiemap we recently stopped locking the target extent range for the
whole duration of the fiemap call, in order to avoid a deadlock in a
scenario where the fiemap buffer happens to be a memory mapped range of
the same file. This use case is very unlikely to be useful in practice but
it may be triggered by fuzz testing (syzbot, etc).
However by not locking the target extent range for the whole duration of
the fiemap call we can race with an ordered extent. This happens like
this:
1) The fiemap task finishes processing a file extent item that covers
the file range [512K, 1M[, and that file extent item is the last item
in the leaf currently being processed;
2) And ordered extent for the file range [768K, 2M[, in COW mode,
completes (btrfs_finish_one_ordered()) and the file extent item
covering the range [512K, 1M[ is trimmed to cover the range
[512K, 768K[ and then a new file extent item for the range [768K, 2M[
is inserted in the inode's subvolume tree;
3) The fiemap task calls fiemap_next_leaf_item(), which then calls
btrfs_next_leaf() to find the next leaf / item. This finds that the
the next key following the one we previously processed (its type is
BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding
to the new file extent item inserted by the ordered extent, which has
a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;
4) Later the fiemap code ends up at emit_fiemap_extent() and triggers
the warning:
if (cache->offset + cache->len > offset) {
WARN_ON(1);
return -EINVAL;
}
Since we get 1M > 768K, because the previously emitted entry for the
old extent covering the file range [512K, 1M[ ends at an offset that
is greater than the new extent's start offset (768K). This makes fiemap
fail with -EINVAL besides triggering the warning that produces a stack
trace like the following:
[1621.677651] ------------[ cut here ]------------
[1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.677899] Modules linked in: btrfs blake2b_generic (...)
[1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1
[1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.678033] Code: 2b 4c 89 63 (...)
[1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206
[1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000
[1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90
[1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000
[1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000
[1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850
[1621.678044] FS: 00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000
[1621.678046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0
[1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1621.678056] Call Trace:
[1621.678074] <TASK>
[1621.678076] ? __warn+0x80/0x130
[1621.678082] ? emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.678159] ? report_bug+0x1f4/0x200
[1621.678164] ? handle_bug+0x42/0x70
[1621.678167] ? exc_invalid_op+0x14/0x70
[1621.678170] ? asm_exc_invalid_op+0x16/0x20
[1621.678178] ? emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.678253] extent_fiemap+0x766
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26794", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T16:20:51.967231Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T19:30:31.848Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.497Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d43f8e58f10a44df8c08e7f7076f3288352cd168" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/31d07a757c6d3430e03cc22799921569999b9a12" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a1a4a9ca77f143c00fce69c1239887ff8b813bec" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/extent_io.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d43f8e58f10a44df8c08e7f7076f3288352cd168", "status": "affected", "version": "ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf", "versionType": "git" }, { "lessThan": "31d07a757c6d3430e03cc22799921569999b9a12", "status": "affected", "version": "89bca7fe6382d61e88c67a0b0e7bce315986fb8b", "versionType": "git" }, { "lessThan": "a1a4a9ca77f143c00fce69c1239887ff8b813bec", "status": "affected", "version": "b0ad381fa7690244802aed119b478b4bdafc31dd", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/extent_io.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6.6.21", "status": "affected", "version": "6.6.24", "versionType": "semver" }, { "lessThan": "6.7.9", "status": "affected", "version": "6.7.12", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between ordered extent completion and fiemap\n\nFor fiemap we recently stopped locking the target extent range for the\nwhole duration of the fiemap call, in order to avoid a deadlock in a\nscenario where the fiemap buffer happens to be a memory mapped range of\nthe same file. This use case is very unlikely to be useful in practice but\nit may be triggered by fuzz testing (syzbot, etc).\n\nHowever by not locking the target extent range for the whole duration of\nthe fiemap call we can race with an ordered extent. This happens like\nthis:\n\n1) The fiemap task finishes processing a file extent item that covers\n the file range [512K, 1M[, and that file extent item is the last item\n in the leaf currently being processed;\n\n2) And ordered extent for the file range [768K, 2M[, in COW mode,\n completes (btrfs_finish_one_ordered()) and the file extent item\n covering the range [512K, 1M[ is trimmed to cover the range\n [512K, 768K[ and then a new file extent item for the range [768K, 2M[\n is inserted in the inode\u0027s subvolume tree;\n\n3) The fiemap task calls fiemap_next_leaf_item(), which then calls\n btrfs_next_leaf() to find the next leaf / item. This finds that the\n the next key following the one we previously processed (its type is\n BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding\n to the new file extent item inserted by the ordered extent, which has\n a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;\n\n4) Later the fiemap code ends up at emit_fiemap_extent() and triggers\n the warning:\n\n if (cache-\u003eoffset + cache-\u003elen \u003e offset) {\n WARN_ON(1);\n return -EINVAL;\n }\n\n Since we get 1M \u003e 768K, because the previously emitted entry for the\n old extent covering the file range [512K, 1M[ ends at an offset that\n is greater than the new extent\u0027s start offset (768K). This makes fiemap\n fail with -EINVAL besides triggering the warning that produces a stack\n trace like the following:\n\n [1621.677651] ------------[ cut here ]------------\n [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.677899] Modules linked in: btrfs blake2b_generic (...)\n [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1\n [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678033] Code: 2b 4c 89 63 (...)\n [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206\n [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000\n [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90\n [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000\n [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000\n [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850\n [1621.678044] FS: 00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000\n [1621.678046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0\n [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [1621.678056] Call Trace:\n [1621.678074] \u003cTASK\u003e\n [1621.678076] ? __warn+0x80/0x130\n [1621.678082] ? emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678159] ? report_bug+0x1f4/0x200\n [1621.678164] ? handle_bug+0x42/0x70\n [1621.678167] ? exc_invalid_op+0x14/0x70\n [1621.678170] ? asm_exc_invalid_op+0x16/0x20\n [1621.678178] ? emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678253] extent_fiemap+0x766\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:35.187Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d43f8e58f10a44df8c08e7f7076f3288352cd168" }, { "url": "https://git.kernel.org/stable/c/31d07a757c6d3430e03cc22799921569999b9a12" }, { "url": "https://git.kernel.org/stable/c/a1a4a9ca77f143c00fce69c1239887ff8b813bec" } ], "title": "btrfs: fix race between ordered extent completion and fiemap", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26794", "datePublished": "2024-04-04T08:20:24.410Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:35.187Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26723
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
lan966x: Fix crash when adding interface under a lag
There is a crash when adding one of the lan966x interfaces under a lag
interface. The issue can be reproduced like this:
ip link add name bond0 type bond miimon 100 mode balance-xor
ip link set dev eth0 master bond0
The reason is because when adding a interface under the lag it would go
through all the ports and try to figure out which other ports are under
that lag interface. And the issue is that lan966x can have ports that are
NULL pointer as they are not probed. So then iterating over these ports
it would just crash as they are NULL pointers.
The fix consists in actually checking for NULL pointers before accessing
something from the ports. Like we do in other places.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "linux_kernel", "vendor": "linux", "versions": [ { "lessThan": "b9357489c46c", "status": "affected", "version": "cabc9d49333d", "versionType": "custom" }, { "lessThan": "48fae67d8374", "status": "affected", "version": "cabc9d49333d", "versionType": "custom" }, { "lessThan": "2a492f01228b", "status": "affected", "version": "cabc9d49333d", "versionType": "custom" }, { "lessThan": "15faa1f67ab4", "status": "affected", "version": "cabc9d49333d", "versionType": "custom" }, { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "custom" }, { "lessThanOrEqual": "6.2", "status": "unaffected", "version": "6.1.79", "versionType": "custom" }, { "lessThanOrEqual": "6.7", "status": "unaffected", "version": "6.6.18", "versionType": "custom" }, { "lessThanOrEqual": "6.8", "status": "unaffected", "version": "6.76", "versionType": "custom" }, { "lessThanOrEqual": "6.8", "status": "unaffected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26723", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-16T14:40:24.360692Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-16T14:53:54.712Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.203Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b9357489c46c7a43999964628db8b47d3a1f8672" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/48fae67d837488c87379f0c9f27df7391718477c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2a492f01228b7d091dfe38974ef40dccf8f9f2f1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/15faa1f67ab405d47789d4702f587ec7df7ef03e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/microchip/lan966x/lan966x_lag.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b9357489c46c7a43999964628db8b47d3a1f8672", "status": "affected", "version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701", "versionType": "git" }, { "lessThan": "48fae67d837488c87379f0c9f27df7391718477c", "status": "affected", "version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701", "versionType": "git" }, { "lessThan": "2a492f01228b7d091dfe38974ef40dccf8f9f2f1", "status": "affected", "version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701", "versionType": "git" }, { "lessThan": "15faa1f67ab405d47789d4702f587ec7df7ef03e", "status": "affected", "version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/microchip/lan966x/lan966x_lag.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix crash when adding interface under a lag\n\nThere is a crash when adding one of the lan966x interfaces under a lag\ninterface. The issue can be reproduced like this:\nip link add name bond0 type bond miimon 100 mode balance-xor\nip link set dev eth0 master bond0\n\nThe reason is because when adding a interface under the lag it would go\nthrough all the ports and try to figure out which other ports are under\nthat lag interface. And the issue is that lan966x can have ports that are\nNULL pointer as they are not probed. So then iterating over these ports\nit would just crash as they are NULL pointers.\nThe fix consists in actually checking for NULL pointers before accessing\nsomething from the ports. Like we do in other places." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:53.100Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b9357489c46c7a43999964628db8b47d3a1f8672" }, { "url": "https://git.kernel.org/stable/c/48fae67d837488c87379f0c9f27df7391718477c" }, { "url": "https://git.kernel.org/stable/c/2a492f01228b7d091dfe38974ef40dccf8f9f2f1" }, { "url": "https://git.kernel.org/stable/c/15faa1f67ab405d47789d4702f587ec7df7ef03e" } ], "title": "lan966x: Fix crash when adding interface under a lag", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26723", "datePublished": "2024-04-03T14:55:22.529Z", "dateReserved": "2024-02-19T14:20:24.163Z", "dateUpdated": "2024-12-19T08:45:53.100Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-3061
Vulnerability from cvelistv5
Published
2022-09-01 00:00
Modified
2024-08-03 01:00
Severity ?
EPSS score ?
Summary
Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:00:10.183Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev.git/commit/?id=15cf0b82271b1823fb02ab8c377badba614d95d5" }, { "name": "DSA-5257", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5257" }, { "name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Kernel", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Linux kernel 5.18-rc5" } ] } ], "descriptions": [ { "lang": "en", "value": "Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn\u0027t check the value of \u0027pixclock\u0027, so it may cause a divide by zero error." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-369", "description": "CWE-369", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-01T00:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "url": "https://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev.git/commit/?id=15cf0b82271b1823fb02ab8c377badba614d95d5" }, { "name": "DSA-5257", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5257" }, { "name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-3061", "datePublished": "2022-09-01T00:00:00", "dateReserved": "2022-08-30T00:00:00", "dateUpdated": "2024-08-03T01:00:10.183Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26717
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: i2c-hid-of: fix NULL-deref on failed power up
A while back the I2C HID implementation was split in an ACPI and OF
part, but the new OF driver never initialises the client pointer which
is dereferenced on power-up failures.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b33752c300232d7f95dd9a4353947d0c9e6a0e52 Version: b33752c300232d7f95dd9a4353947d0c9e6a0e52 Version: b33752c300232d7f95dd9a4353947d0c9e6a0e52 Version: b33752c300232d7f95dd9a4353947d0c9e6a0e52 Version: b33752c300232d7f95dd9a4353947d0c9e6a0e52 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.683Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/62f5d219edbd174829aa18d4b3d97cd5fefbb783" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4cad91344a62536a2949873bad6365fbb6232776" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e28d6b63aeecbda450935fb58db0e682ea8212d3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/00aab7dcb2267f2aef59447602f34501efe1a07f" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26717", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:26.621999Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:24.749Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/i2c-hid/i2c-hid-of.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "62f5d219edbd174829aa18d4b3d97cd5fefbb783", "status": "affected", "version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52", "versionType": "git" }, { "lessThan": "d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c", "status": "affected", "version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52", "versionType": "git" }, { "lessThan": "4cad91344a62536a2949873bad6365fbb6232776", "status": "affected", "version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52", "versionType": "git" }, { "lessThan": "e28d6b63aeecbda450935fb58db0e682ea8212d3", "status": "affected", "version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52", "versionType": "git" }, { "lessThan": "00aab7dcb2267f2aef59447602f34501efe1a07f", "status": "affected", "version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/i2c-hid/i2c-hid-of.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid-of: fix NULL-deref on failed power up\n\nA while back the I2C HID implementation was split in an ACPI and OF\npart, but the new OF driver never initialises the client pointer which\nis dereferenced on power-up failures." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:46.179Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/62f5d219edbd174829aa18d4b3d97cd5fefbb783" }, { "url": "https://git.kernel.org/stable/c/d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c" }, { "url": "https://git.kernel.org/stable/c/4cad91344a62536a2949873bad6365fbb6232776" }, { "url": "https://git.kernel.org/stable/c/e28d6b63aeecbda450935fb58db0e682ea8212d3" }, { "url": "https://git.kernel.org/stable/c/00aab7dcb2267f2aef59447602f34501efe1a07f" } ], "title": "HID: i2c-hid-of: fix NULL-deref on failed power up", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26717", "datePublished": "2024-04-03T14:55:18.063Z", "dateReserved": "2024-02-19T14:20:24.161Z", "dateUpdated": "2024-12-19T08:45:46.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26800
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: fix use-after-free on failed backlog decryption
When the decrypt request goes to the backlog and crypto_aead_decrypt
returns -EBUSY, tls_do_decryption will wait until all async
decryptions have completed. If one of them fails, tls_do_decryption
will return -EBADMSG and tls_decrypt_sg jumps to the error path,
releasing all the pages. But the pages have been passed to the async
callback, and have already been released by tls_decrypt_done.
The only true async case is when crypto_aead_decrypt returns
-EINPROGRESS. With -EBUSY, we already waited so we can tell
tls_sw_recvmsg that the data is available for immediate copy, but we
need to notify tls_decrypt_sg (via the new ->async_done flag) that the
memory has already been released.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26800", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-31T20:01:08.576744Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-31T20:01:16.218Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.534Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/tls/tls_sw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f2b85a4cc763841843de693bbd7308fe9a2c4c89", "status": "affected", "version": "cd1bbca03f3c1d845ce274c0d0a66de8e5929f72", "versionType": "git" }, { "lessThan": "81be85353b0f5a7b660635634b655329b429eefe", "status": "affected", "version": "13eca403876bbea3716e82cdfe6f1e6febb38754", "versionType": "git" }, { "lessThan": "1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1", "status": "affected", "version": "ab6397f072e5097f267abf5cb08a8004e6b17694", "versionType": "git" }, { "lessThan": "13114dc5543069f7b97991e3b79937b6da05f5b0", "status": "affected", "version": "8590541473188741055d27b955db0777569438e3", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/tls/tls_sw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6.6.21", "status": "affected", "version": "6.6.18", "versionType": "semver" }, { "lessThan": "6.7.9", "status": "affected", "version": "6.7.6", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new -\u003easync_done flag) that the\nmemory has already been released." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:42.325Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" }, { "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe" }, { "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1" }, { "url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0" } ], "title": "tls: fix use-after-free on failed backlog decryption", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26800", "datePublished": "2024-04-04T08:20:28.554Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:42.325Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26757
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: Don't ignore read-only array in md_check_recovery()
Usually if the array is not read-write, md_check_recovery() won't
register new sync_thread in the first place. And if the array is
read-write and sync_thread is registered, md_set_readonly() will
unregister sync_thread before setting the array read-only. md/raid
follow this behavior hence there is no problem.
After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following
hang can be triggered by test shell/integrity-caching.sh:
1) array is read-only. dm-raid update super block:
rs_update_sbs
ro = mddev->ro
mddev->ro = 0
-> set array read-write
md_update_sb
2) register new sync thread concurrently.
3) dm-raid set array back to read-only:
rs_update_sbs
mddev->ro = ro
4) stop the array:
raid_dtr
md_stop
stop_sync_thread
set_bit(MD_RECOVERY_INTR, &mddev->recovery);
md_wakeup_thread_directly(mddev->sync_thread);
wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
5) sync thread done:
md_do_sync
set_bit(MD_RECOVERY_DONE, &mddev->recovery);
md_wakeup_thread(mddev->thread);
6) daemon thread can't unregister sync thread:
md_check_recovery
if (!md_is_rdwr(mddev) &&
!test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))
return;
-> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;
The root cause is that dm-raid manipulate 'mddev->ro' by itself,
however, dm-raid really should stop sync thread before setting the
array read-only. Unfortunately, I need to read more code before I
can refacter the handler of 'mddev->ro' in dm-raid, hence let's fix
the problem the easy way for now to prevent dm-raid regression.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26757", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T19:35:42.965370Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T20:23:13.287Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.354Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/md.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2ea169c5a0b1134d573d07fc27a16f327ad0e7d3", "status": "affected", "version": "ecbfb9f118bce49f571675929160e4ecef91cc8a", "versionType": "git" }, { "lessThan": "55a48ad2db64737f7ffc0407634218cc6e4c513b", "status": "affected", "version": "ecbfb9f118bce49f571675929160e4ecef91cc8a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/md.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don\u0027t ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won\u0027t\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev-\u003ero\n mddev-\u003ero = 0\n -\u003e set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev-\u003ero = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, \u0026mddev-\u003erecovery);\n md_wakeup_thread_directly(mddev-\u003esync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, \u0026mddev-\u003erecovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, \u0026mddev-\u003erecovery);\n md_wakeup_thread(mddev-\u003ethread);\n\n6) daemon thread can\u0027t unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) \u0026\u0026\n !test_bit(MD_RECOVERY_NEEDED, \u0026mddev-\u003erecovery))\n return;\n -\u003e -\u003e MD_RECOVERY_RUNNING can\u0027t be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate \u0027mddev-\u003ero\u0027 by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of \u0027mddev-\u003ero\u0027 in dm-raid, hence let\u0027s fix\nthe problem the easy way for now to prevent dm-raid regression." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:35.223Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3" }, { "url": "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" } ], "title": "md: Don\u0027t ignore read-only array in md_check_recovery()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26757", "datePublished": "2024-04-03T17:00:41.633Z", "dateReserved": "2024-02-19T14:20:24.170Z", "dateUpdated": "2024-12-19T08:46:35.223Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26789
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: arm64/neonbs - fix out-of-bounds access on short input
The bit-sliced implementation of AES-CTR operates on blocks of 128
bytes, and will fall back to the plain NEON version for tail blocks or
inputs that are shorter than 128 bytes to begin with.
It will call straight into the plain NEON asm helper, which performs all
memory accesses in granules of 16 bytes (the size of a NEON register).
For this reason, the associated plain NEON glue code will copy inputs
shorter than 16 bytes into a temporary buffer, given that this is a rare
occurrence and it is not worth the effort to work around this in the asm
code.
The fallback from the bit-sliced NEON version fails to take this into
account, potentially resulting in out-of-bounds accesses. So clone the
same workaround, and use a temp buffer for short in/outputs.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26789", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:13:15.619626Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T14:46:58.156Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.508Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/crypto/aes-neonbs-glue.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "034e2d70b5c7f578200ad09955aeb2aa65d1164a", "status": "affected", "version": "fc074e130051015e39245a4241956ff122e2f465", "versionType": "git" }, { "lessThan": "1291d278b5574819a7266568ce4c28bce9438705", "status": "affected", "version": "fc074e130051015e39245a4241956ff122e2f465", "versionType": "git" }, { "lessThan": "9e8ecd4908b53941ab6f0f51584ab80c6c6606c4", "status": "affected", "version": "fc074e130051015e39245a4241956ff122e2f465", "versionType": "git" }, { "lessThan": "1c0cf6d19690141002889d72622b90fc01562ce4", "status": "affected", "version": "fc074e130051015e39245a4241956ff122e2f465", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/crypto/aes-neonbs-glue.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: arm64/neonbs - fix out-of-bounds access on short input\n\nThe bit-sliced implementation of AES-CTR operates on blocks of 128\nbytes, and will fall back to the plain NEON version for tail blocks or\ninputs that are shorter than 128 bytes to begin with.\n\nIt will call straight into the plain NEON asm helper, which performs all\nmemory accesses in granules of 16 bytes (the size of a NEON register).\nFor this reason, the associated plain NEON glue code will copy inputs\nshorter than 16 bytes into a temporary buffer, given that this is a rare\noccurrence and it is not worth the effort to work around this in the asm\ncode.\n\nThe fallback from the bit-sliced NEON version fails to take this into\naccount, potentially resulting in out-of-bounds accesses. So clone the\nsame workaround, and use a temp buffer for short in/outputs." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:28.923Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a" }, { "url": "https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705" }, { "url": "https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4" }, { "url": "https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4" } ], "title": "crypto: arm64/neonbs - fix out-of-bounds access on short input", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26789", "datePublished": "2024-04-04T08:20:21.077Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:28.923Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26688
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
When configuring a hugetlb filesystem via the fsconfig() syscall, there is
a possible NULL dereference in hugetlbfs_fill_super() caused by assigning
NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize
is non valid.
E.g: Taking the following steps:
fd = fsopen("hugetlbfs", FSOPEN_CLOEXEC);
fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0);
fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
Given that the requested "pagesize" is invalid, ctxt->hstate will be replaced
with NULL, losing its previous value, and we will print an error:
...
...
case Opt_pagesize:
ps = memparse(param->string, &rest);
ctx->hstate = h;
if (!ctx->hstate) {
pr_err("Unsupported page size %lu MB\n", ps / SZ_1M);
return -EINVAL;
}
return 0;
...
...
This is a problem because later on, we will dereference ctxt->hstate in
hugetlbfs_fill_super()
...
...
sb->s_blocksize = huge_page_size(ctx->hstate);
...
...
Causing below Oops.
Fix this by replacing cxt->hstate value only when then pagesize is known
to be valid.
kernel: hugetlbfs: Unsupported page size 0 MB
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0
kernel: Oops: 0000 [#1] PREEMPT SMP PTI
kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f
kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017
kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0
kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28
kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246
kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004
kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000
kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004
kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000
kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400
kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0
kernel: Call Trace:
kernel: <TASK>
kernel: ? __die_body+0x1a/0x60
kernel: ? page_fault_oops+0x16f/0x4a0
kernel: ? search_bpf_extables+0x65/0x70
kernel: ? fixup_exception+0x22/0x310
kernel: ? exc_page_fault+0x69/0x150
kernel: ? asm_exc_page_fault+0x22/0x30
kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10
kernel: ? hugetlbfs_fill_super+0xb4/0x1a0
kernel: ? hugetlbfs_fill_super+0x28/0x1a0
kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10
kernel: vfs_get_super+0x40/0xa0
kernel: ? __pfx_bpf_lsm_capable+0x10/0x10
kernel: vfs_get_tree+0x25/0xd0
kernel: vfs_cmd_create+0x64/0xe0
kernel: __x64_sys_fsconfig+0x395/0x410
kernel: do_syscall_64+0x80/0x160
kernel: ? syscall_exit_to_user_mode+0x82/0x240
kernel: ? do_syscall_64+0x8d/0x160
kernel: ? syscall_exit_to_user_mode+0x82/0x240
kernel: ? do_syscall_64+0x8d/0x160
kernel: ? exc_page_fault+0x69/0x150
kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76
kernel: RIP: 0033:0x7ffbc0cb87c9
kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48
kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af
kernel: RAX: fffffffffff
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 32021982a324dce93b4ae00c06213bf45fb319c8 Version: 32021982a324dce93b4ae00c06213bf45fb319c8 Version: 32021982a324dce93b4ae00c06213bf45fb319c8 Version: 32021982a324dce93b4ae00c06213bf45fb319c8 Version: 32021982a324dce93b4ae00c06213bf45fb319c8 Version: 32021982a324dce93b4ae00c06213bf45fb319c8 Version: 32021982a324dce93b4ae00c06213bf45fb319c8 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.699Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1dde8ef4b7a749ae1bc73617c91775631d167557" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/80d852299987a8037be145a94f41874228f1a773" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/22850c9950a4e43a67299755d11498f3292d02ff" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2e2c07104b4904aed1389a59b25799b95a85b5b9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/13c5a9fb07105557a1fa9efdb4f23d7ef30b7274" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ec78418801ef7b0c22cd6a30145ec480dd48db39" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/79d72c68c58784a3e1cd2378669d51bfd0cb7498" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26688", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:53:03.970404Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:32.587Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/hugetlbfs/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1dde8ef4b7a749ae1bc73617c91775631d167557", "status": "affected", "version": "32021982a324dce93b4ae00c06213bf45fb319c8", "versionType": "git" }, { "lessThan": "80d852299987a8037be145a94f41874228f1a773", "status": "affected", "version": "32021982a324dce93b4ae00c06213bf45fb319c8", "versionType": "git" }, { "lessThan": "22850c9950a4e43a67299755d11498f3292d02ff", "status": "affected", "version": "32021982a324dce93b4ae00c06213bf45fb319c8", "versionType": "git" }, { "lessThan": "2e2c07104b4904aed1389a59b25799b95a85b5b9", "status": "affected", "version": "32021982a324dce93b4ae00c06213bf45fb319c8", "versionType": "git" }, { "lessThan": "13c5a9fb07105557a1fa9efdb4f23d7ef30b7274", "status": "affected", "version": "32021982a324dce93b4ae00c06213bf45fb319c8", "versionType": "git" }, { "lessThan": "ec78418801ef7b0c22cd6a30145ec480dd48db39", "status": "affected", "version": "32021982a324dce93b4ae00c06213bf45fb319c8", "versionType": "git" }, { "lessThan": "79d72c68c58784a3e1cd2378669d51bfd0cb7498", "status": "affected", "version": "32021982a324dce93b4ae00c06213bf45fb319c8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/hugetlbfs/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.1" }, { "lessThan": "5.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\n\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx-\u003ehstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\n\nE.g: Taking the following steps:\n\n fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\n\nGiven that the requested \"pagesize\" is invalid, ctxt-\u003ehstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\n\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param-\u003estring, \u0026rest);\n ctx-\u003ehstate = h;\n if (!ctx-\u003ehstate) {\n pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n return -EINVAL;\n }\n return 0;\n ...\n ...\n\nThis is a problem because later on, we will dereference ctxt-\u003ehstate in\nhugetlbfs_fill_super()\n\n ...\n ...\n sb-\u003es_blocksize = huge_page_size(ctx-\u003ehstate);\n ...\n ...\n\nCausing below Oops.\n\nFix this by replacing cxt-\u003ehstate value only when then pagesize is known\nto be valid.\n\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 \u003c8b\u003e 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel: \u003cTASK\u003e\n kernel: ? __die_body+0x1a/0x60\n kernel: ? page_fault_oops+0x16f/0x4a0\n kernel: ? search_bpf_extables+0x65/0x70\n kernel: ? fixup_exception+0x22/0x310\n kernel: ? exc_page_fault+0x69/0x150\n kernel: ? asm_exc_page_fault+0x22/0x30\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel: ? hugetlbfs_fill_super+0x28/0x1a0\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: vfs_get_super+0x40/0xa0\n kernel: ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel: vfs_get_tree+0x25/0xd0\n kernel: vfs_cmd_create+0x64/0xe0\n kernel: __x64_sys_fsconfig+0x395/0x410\n kernel: do_syscall_64+0x80/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? exc_page_fault+0x69/0x150\n kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:07.332Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1dde8ef4b7a749ae1bc73617c91775631d167557" }, { "url": "https://git.kernel.org/stable/c/80d852299987a8037be145a94f41874228f1a773" }, { "url": "https://git.kernel.org/stable/c/22850c9950a4e43a67299755d11498f3292d02ff" }, { "url": "https://git.kernel.org/stable/c/2e2c07104b4904aed1389a59b25799b95a85b5b9" }, { "url": "https://git.kernel.org/stable/c/13c5a9fb07105557a1fa9efdb4f23d7ef30b7274" }, { "url": "https://git.kernel.org/stable/c/ec78418801ef7b0c22cd6a30145ec480dd48db39" }, { "url": "https://git.kernel.org/stable/c/79d72c68c58784a3e1cd2378669d51bfd0cb7498" } ], "title": "fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26688", "datePublished": "2024-04-03T14:54:49.964Z", "dateReserved": "2024-02-19T14:20:24.154Z", "dateUpdated": "2024-12-19T08:45:07.332Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26733
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arp: Prevent overflow in arp_req_get().
syzkaller reported an overflown write in arp_req_get(). [0]
When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour
entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.
The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
the sa_data buffer is just 14 bytes.
In the splat below, 2 bytes are overflown to the next int field,
arp_flags. We initialise the field just after the memcpy(), so it's
not a problem.
However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
in arp_ioctl() before calling arp_req_get().
To avoid the overflow, let's limit the max length of memcpy().
Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
array in struct sockaddr") just silenced syzkaller.
[0]:
memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Modules linked in:
CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
sock_do_ioctl+0xdf/0x260 net/socket.c:1204
sock_ioctl+0x3ef/0x650 net/socket.c:1321
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7f172b262b8d
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
</TASK>
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-11-01T17:03:11.240Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "url": "https://security.netapp.com/advisory/ntap-20241101-0013/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26733", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:00.464269Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:20.304Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv4/arp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "97eaa2955db4120ce6ec2ef123e860bc32232c50", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f119f2325ba70cbfdec701000dcad4d88805d5b0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a3f2c083cb575d80a7627baf3339e78fedccbb91", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a7d6027790acea24446ddd6632d394096c0f4667", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv4/arp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller reported an overflown write in arp_req_get(). [0]\n\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh-\u003eha to struct arpreq.arp_ha.sa_data.\n\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\n\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags. We initialise the field just after the memcpy(), so it\u0027s\nnot a problem.\n\nHowever, when dev-\u003eaddr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\n\nTo avoid the overflow, let\u0027s limit the max length of memcpy().\n\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\n\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r-\u003earp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb \u003c0f\u003e 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:05.705Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587" }, { "url": "https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50" }, { "url": "https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0" }, { "url": "https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91" }, { "url": "https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a" }, { "url": "https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667" } ], "title": "arp: Prevent overflow in arp_req_get().", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26733", "datePublished": "2024-04-03T17:00:20.437Z", "dateReserved": "2024-02-19T14:20:24.165Z", "dateUpdated": "2024-12-19T08:46:05.705Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26740
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_mirred: use the backlog for mirred ingress
The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog
for nested calls to mirred ingress") hangs our testing VMs every 10 or so
runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by
lockdep.
The problem as previously described by Davide (see Link) is that
if we reverse flow of traffic with the redirect (egress -> ingress)
we may reach the same socket which generated the packet. And we may
still be holding its socket lock. The common solution to such deadlocks
is to put the packet in the Rx backlog, rather than run the Rx path
inline. Do that for all egress -> ingress reversals, not just once
we started to nest mirred calls.
In the past there was a concern that the backlog indirection will
lead to loss of error reporting / less accurate stats. But the current
workaround does not seem to address the issue.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.957Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26740", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:50.686758Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:17.875Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/act_mirred.c", "tools/testing/selftests/net/forwarding/tc_actions.sh" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7c787888d164689da8b1b115f3ef562c1e843af4", "status": "affected", "version": "53592b3640019f2834701093e38272fdfd367ad8", "versionType": "git" }, { "lessThan": "60ddea1600bc476e0f5e02bce0e29a460ccbf0be", "status": "affected", "version": "53592b3640019f2834701093e38272fdfd367ad8", "versionType": "git" }, { "lessThan": "52f671db18823089a02f07efc04efdb2272ddc17", "status": "affected", "version": "53592b3640019f2834701093e38272fdfd367ad8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/act_mirred.c", "tools/testing/selftests/net/forwarding/tc_actions.sh" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.10" }, { "lessThan": "4.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -\u003e tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -\u003e ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -\u003e ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:14.492Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" }, { "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be" }, { "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17" } ], "title": "net/sched: act_mirred: use the backlog for mirred ingress", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26740", "datePublished": "2024-04-03T17:00:25.534Z", "dateReserved": "2024-02-19T14:20:24.166Z", "dateUpdated": "2024-12-19T08:46:14.492Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26691
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix circular locking dependency
The rule inside kvm enforces that the vcpu->mutex is taken *inside*
kvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires
the kvm->lock while already holding the vcpu->mutex lock from
kvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by
protecting the hyp vm handle with the config_lock, much like we already
do for other forms of VM-scoped data.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26691", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T18:06:14.355944Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:19.459Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.502Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/kvm/pkvm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3d16cebf01127f459dcfeb79ed77bd68b124c228", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3ab1c40a1e915e350d9181a4603af393141970cc", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "10c02aad111df02088d1a81792a709f6a7eca6cc", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/kvm/pkvm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu-\u003emutex is taken *inside*\nkvm-\u003elock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm-\u003elock while already holding the vcpu-\u003emutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:10.959Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" }, { "url": "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc" }, { "url": "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc" } ], "title": "KVM: arm64: Fix circular locking dependency", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26691", "datePublished": "2024-04-03T14:54:52.518Z", "dateReserved": "2024-02-19T14:20:24.155Z", "dateUpdated": "2024-12-19T08:45:10.959Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26698
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
In commit ac5047671758 ("hv_netvsc: Disable NAPI before closing the
VMBus channel"), napi_disable was getting called for all channels,
including all subchannels without confirming if they are enabled or not.
This caused hv_netvsc getting hung at napi_disable, when netvsc_probe()
has finished running but nvdev->subchan_work has not started yet.
netvsc_subchan_work() -> rndis_set_subchannel() has not created the
sub-channels and because of that netvsc_sc_open() is not running.
netvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which
netvsc_subchan_work did not run.
netif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI
cannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the
NAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the
opposite.
Now during netvsc_device_remove(), when napi_disable is called for those
subchannels, napi_disable gets stuck on infinite msleep.
This fix addresses this problem by ensuring that napi_disable() is not
getting called for non-enabled NAPI struct.
But netif_napi_del() is still necessary for these non-enabled NAPI struct
for cleanup purpose.
Call trace:
[ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002
[ 654.568030] Call Trace:
[ 654.571221] <TASK>
[ 654.573790] __schedule+0x2d6/0x960
[ 654.577733] schedule+0x69/0xf0
[ 654.581214] schedule_timeout+0x87/0x140
[ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20
[ 654.590291] msleep+0x2d/0x40
[ 654.593625] napi_disable+0x2b/0x80
[ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]
[ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]
[ 654.611101] ? do_wait_intr+0xb0/0xb0
[ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc]
[ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ac5047671758ad4be9f93898247b3a8b6dfde4c7 Version: ac5047671758ad4be9f93898247b3a8b6dfde4c7 Version: ac5047671758ad4be9f93898247b3a8b6dfde4c7 Version: ac5047671758ad4be9f93898247b3a8b6dfde4c7 Version: ac5047671758ad4be9f93898247b3a8b6dfde4c7 Version: ac5047671758ad4be9f93898247b3a8b6dfde4c7 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26698", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:03:45.740958Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:08.824Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.951Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/hyperv/netvsc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9ec807e7b6f5fcf9499f3baa69f254bb239a847f", "status": "affected", "version": "ac5047671758ad4be9f93898247b3a8b6dfde4c7", "versionType": "git" }, { "lessThan": "7656372ae190e54e8c8cf1039725a5ea59fdf84a", "status": "affected", "version": "ac5047671758ad4be9f93898247b3a8b6dfde4c7", "versionType": "git" }, { "lessThan": "48a8ccccffbae10c91d31fc872db5c31aba07518", "status": "affected", "version": "ac5047671758ad4be9f93898247b3a8b6dfde4c7", "versionType": "git" }, { "lessThan": "22a77c0f5b8233237731df3288d067af51a2fd7b", "status": "affected", "version": "ac5047671758ad4be9f93898247b3a8b6dfde4c7", "versionType": "git" }, { "lessThan": "0e8875de9dad12805ff66e92cd5edea6a421f1cd", "status": "affected", "version": "ac5047671758ad4be9f93898247b3a8b6dfde4c7", "versionType": "git" }, { "lessThan": "e0526ec5360a48ad3ab2e26e802b0532302a7e11", "status": "affected", "version": "ac5047671758ad4be9f93898247b3a8b6dfde4c7", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/hyperv/netvsc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.8" }, { "lessThan": "5.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\n\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\n\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev-\u003esubchan_work has not started yet.\nnetvsc_subchan_work() -\u003e rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(\u0026nvdev-\u003esubchan_work), for which\nnetvsc_subchan_work did not run.\n\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -\u003e napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\n\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\n\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\n\nCall trace:\n[ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002\n[ 654.568030] Call Trace:\n[ 654.571221] \u003cTASK\u003e\n[ 654.573790] __schedule+0x2d6/0x960\n[ 654.577733] schedule+0x69/0xf0\n[ 654.581214] schedule_timeout+0x87/0x140\n[ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20\n[ 654.590291] msleep+0x2d/0x40\n[ 654.593625] napi_disable+0x2b/0x80\n[ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[ 654.611101] ? do_wait_intr+0xb0/0xb0\n[ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc]\n[ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:24.650Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f" }, { "url": "https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a" }, { "url": "https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518" }, { "url": "https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b" }, { "url": "https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd" }, { "url": "https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11" } ], "title": "hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26698", "datePublished": "2024-04-03T14:54:58.577Z", "dateReserved": "2024-02-19T14:20:24.157Z", "dateUpdated": "2024-12-19T08:45:24.650Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26763
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-crypt: don't modify the data when using authenticated encryption
It was said that authenticated encryption could produce invalid tag when
the data that is being encrypted is modified [1]. So, fix this problem by
copying the data into the clone bio first and then encrypt them inside the
clone bio.
This may reduce performance, but it is needed to prevent the user from
corrupting the device by writing data with O_DIRECT and modifying them at
the same time.
[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.305Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b80478281e4d0f7" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26763", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:31.262032Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:13.692Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-crypt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "43a202bd552976497474ae144942e32cc5f34d7e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0dccbb93538fe89a86c6de31d4b1c8c560848eaa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1a4371db68a31076afbe56ecce34fbbe6c80c529", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e08c2a8d27e989f0f5b0888792643027d7e691e6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "64ba01a365980755732972523600a961c4266b75", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d9e3763a505e50ba3bd22846f2a8db99429fb857", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "50c70240097ce41fe6bce6478b80478281e4d0f7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-crypt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt: don\u0027t modify the data when using authenticated encryption\n\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\n\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\n\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:42.722Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e" }, { "url": "https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa" }, { "url": "https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90" }, { "url": "https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529" }, { "url": "https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6" }, { "url": "https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75" }, { "url": "https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857" }, { "url": "https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b80478281e4d0f7" } ], "title": "dm-crypt: don\u0027t modify the data when using authenticated encryption", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26763", "datePublished": "2024-04-03T17:00:46.308Z", "dateReserved": "2024-02-19T14:20:24.172Z", "dateUpdated": "2024-12-19T08:46:42.722Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26721
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address
Commit bd077259d0a9 ("drm/i915/vdsc: Add function to read any PPS
register") defines a new macro to calculate the DSC PPS register
addresses with PPS number as an input. This macro correctly calculates
the addresses till PPS 11 since the addresses increment by 4. So in that
case the following macro works correctly to give correct register
address:
_MMIO(_DSCA_PPS_0 + (pps) * 4)
However after PPS 11, the register address for PPS 12 increments by 12
because of RC Buffer memory allocation in between. Because of this
discontinuity in the address space, the macro calculates wrong addresses
for PPS 12 - 16 resulting into incorrect DSC PPS parameter value
read/writes causing DSC corruption.
This fixes it by correcting this macro to add the offset of 12 for PPS
>=12.
v3: Add correct paranthesis for pps argument (Jani Nikula)
(cherry picked from commit 6074be620c31dc2ae11af96a1a5ea95580976fb5)
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.016Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ff5999fb03f467e1e7159f0ddb199c787f7512b9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/962ac2dce56bb3aad1f82a4bbe3ada57a020287c" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26721", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:16.898186Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:32:52.594Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/i915/display/intel_vdsc_regs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ff5999fb03f467e1e7159f0ddb199c787f7512b9", "status": "affected", "version": "bd077259d0a9c9bf453e7e9751bf41f1996e6585", "versionType": "git" }, { "lessThan": "962ac2dce56bb3aad1f82a4bbe3ada57a020287c", "status": "affected", "version": "bd077259d0a9c9bf453e7e9751bf41f1996e6585", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/i915/display/intel_vdsc_regs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address\n\nCommit bd077259d0a9 (\"drm/i915/vdsc: Add function to read any PPS\nregister\") defines a new macro to calculate the DSC PPS register\naddresses with PPS number as an input. This macro correctly calculates\nthe addresses till PPS 11 since the addresses increment by 4. So in that\ncase the following macro works correctly to give correct register\naddress:\n\n_MMIO(_DSCA_PPS_0 + (pps) * 4)\n\nHowever after PPS 11, the register address for PPS 12 increments by 12\nbecause of RC Buffer memory allocation in between. Because of this\ndiscontinuity in the address space, the macro calculates wrong addresses\nfor PPS 12 - 16 resulting into incorrect DSC PPS parameter value\nread/writes causing DSC corruption.\n\nThis fixes it by correcting this macro to add the offset of 12 for PPS\n\u003e=12.\n\nv3: Add correct paranthesis for pps argument (Jani Nikula)\n\n(cherry picked from commit 6074be620c31dc2ae11af96a1a5ea95580976fb5)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:50.831Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ff5999fb03f467e1e7159f0ddb199c787f7512b9" }, { "url": "https://git.kernel.org/stable/c/962ac2dce56bb3aad1f82a4bbe3ada57a020287c" } ], "title": "drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26721", "datePublished": "2024-04-03T14:55:20.995Z", "dateReserved": "2024-02-19T14:20:24.162Z", "dateUpdated": "2024-12-19T08:45:50.831Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26742
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Fix disable_managed_interrupts
Correct blk-mq registration issue with module parameter
disable_managed_interrupts enabled.
When we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to
register with blk-mq using blk_mq_map_queues(). The driver is currently
calling blk_mq_pci_map_queues() which results in a stack trace and possibly
undefined behavior.
Stack Trace:
[ 7.860089] scsi host2: smartpqi
[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0
[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse
[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1
[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022
[ 7.963026] Workqueue: events work_for_cpu_fn
[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0
[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54
[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216
[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010
[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310
[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00
[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000
[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8
[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000
[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0
[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 8.172818] PKRU: 55555554
[ 8.172819] Call Trace:
[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310
[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245
[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]
[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]
[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]
[ 8.323286] local_pci_probe+0x42/0x80
[ 8.337855] work_for_cpu_fn+0x16/0x20
[ 8.351193] process_one_work+0x1a7/0x360
[ 8.364462] ? create_worker+0x1a0/0x1a0
[ 8.379252] worker_thread+0x1ce/0x390
[ 8.392623] ? create_worker+0x1a0/0x1a0
[ 8.406295] kthread+0x10a/0x120
[ 8.418428] ? set_kthread_struct+0x50/0x50
[ 8.431532] ret_from_fork+0x1f/0x40
[ 8.444137] ---[ end trace 1bf0173d39354506 ]---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26742", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:11:28.621284Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:24.448Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.975Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/smartpqi/smartpqi_init.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3c31b18a8dd8b7bf36af1cd723d455853b8f94fe", "status": "affected", "version": "cf15c3e734e8d25de7b4d9170f5a69ace633a583", "versionType": "git" }, { "lessThan": "4f5b15c15e6016efb3e14582d02cc4ddf57227df", "status": "affected", "version": "cf15c3e734e8d25de7b4d9170f5a69ace633a583", "versionType": "git" }, { "lessThan": "b9433b25cb06c415c9cb24782599649a406c8d6d", "status": "affected", "version": "cf15c3e734e8d25de7b4d9170f5a69ace633a583", "versionType": "git" }, { "lessThan": "5761eb9761d2d5fe8248a9b719efc4d8baf1f24a", "status": "affected", "version": "cf15c3e734e8d25de7b4d9170f5a69ace633a583", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/smartpqi/smartpqi_init.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 \u003c0f\u003e 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:16.964Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe" }, { "url": "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df" }, { "url": "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" }, { "url": "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a" } ], "title": "scsi: smartpqi: Fix disable_managed_interrupts", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26742", "datePublished": "2024-04-03T17:00:31.982Z", "dateReserved": "2024-02-19T14:20:24.167Z", "dateUpdated": "2024-12-19T08:46:16.964Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26787
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: mmci: stm32: fix DMA API overlapping mappings warning
Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning:
DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,
overlapping mappings aren't supported
WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568
add_dma_entry+0x234/0x2f4
Modules linked in:
CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1
Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)
Workqueue: events_freezable mmc_rescan
Call trace:
add_dma_entry+0x234/0x2f4
debug_dma_map_sg+0x198/0x350
__dma_map_sg_attrs+0xa0/0x110
dma_map_sg_attrs+0x10/0x2c
sdmmc_idma_prep_data+0x80/0xc0
mmci_prep_data+0x38/0x84
mmci_start_data+0x108/0x2dc
mmci_request+0xe4/0x190
__mmc_start_request+0x68/0x140
mmc_start_request+0x94/0xc0
mmc_wait_for_req+0x70/0x100
mmc_send_tuning+0x108/0x1ac
sdmmc_execute_tuning+0x14c/0x210
mmc_execute_tuning+0x48/0xec
mmc_sd_init_uhs_card.part.0+0x208/0x464
mmc_sd_init_card+0x318/0x89c
mmc_attach_sd+0xe4/0x180
mmc_rescan+0x244/0x320
DMA API debug brings to light leaking dma-mappings as dma_map_sg and
dma_unmap_sg are not correctly balanced.
If an error occurs in mmci_cmd_irq function, only mmci_dma_error
function is called and as this API is not managed on stm32 variant,
dma_unmap_sg is never called in this error path.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 46b723dd867d599420fb640c0eaf2a866ef721d4 Version: 46b723dd867d599420fb640c0eaf2a866ef721d4 Version: 46b723dd867d599420fb640c0eaf2a866ef721d4 Version: 46b723dd867d599420fb640c0eaf2a866ef721d4 Version: 46b723dd867d599420fb640c0eaf2a866ef721d4 Version: 46b723dd867d599420fb640c0eaf2a866ef721d4 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.461Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26787", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:02.092511Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:51.566Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/mmc/host/mmci_stm32_sdmmc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0224cbc53ba82b84affa7619b6d1b1a254bc2c53", "status": "affected", "version": "46b723dd867d599420fb640c0eaf2a866ef721d4", "versionType": "git" }, { "lessThan": "5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c", "status": "affected", "version": "46b723dd867d599420fb640c0eaf2a866ef721d4", "versionType": "git" }, { "lessThan": "70af82bb9c897faa25a44e4181f36c60312b71ef", "status": "affected", "version": "46b723dd867d599420fb640c0eaf2a866ef721d4", "versionType": "git" }, { "lessThan": "176e66269f0de327375fc0ea51c12c2f5a97e4c4", "status": "affected", "version": "46b723dd867d599420fb640c0eaf2a866ef721d4", "versionType": "git" }, { "lessThan": "d610a307225951929b9dff807788439454476f85", "status": "affected", "version": "46b723dd867d599420fb640c0eaf2a866ef721d4", "versionType": "git" }, { "lessThan": "6b1ba3f9040be5efc4396d86c9752cdc564730be", "status": "affected", "version": "46b723dd867d599420fb640c0eaf2a866ef721d4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/mmc/host/mmci_stm32_sdmmc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.20" }, { "lessThan": "4.20", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.213", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.152", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\n\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\n\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren\u0027t supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\n\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\n\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:26.483Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53" }, { "url": "https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c" }, { "url": "https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef" }, { "url": "https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4" }, { "url": "https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85" }, { "url": "https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be" } ], "title": "mmc: mmci: stm32: fix DMA API overlapping mappings warning", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26787", "datePublished": "2024-04-04T08:20:19.751Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:26.483Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26764
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
If kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the
following kernel warning appears:
WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8
Call trace:
kiocb_set_cancel_fn+0x9c/0xa8
ffs_epfile_read_iter+0x144/0x1d0
io_read+0x19c/0x498
io_issue_sqe+0x118/0x27c
io_submit_sqes+0x25c/0x5fc
__arm64_sys_io_uring_enter+0x104/0xab0
invoke_syscall+0x58/0x11c
el0_svc_common+0xb4/0xf4
do_el0_svc+0x2c/0xb0
el0_svc+0x2c/0xa4
el0t_64_sync_handler+0x68/0xb4
el0t_64_sync+0x1a4/0x1a8
Fix this by setting the IOCB_AIO_RW flag for read and write I/O that is
submitted by libaio.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26764", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:05:37.687851Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:01.111Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.386Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b820de741ae48ccf50dd95e297889c286ff4f760" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/aio.c", "include/linux/fs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "337b543e274fe7a8f47df3c8293cc6686ffa620f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ea1cd64d59f22d6d13f367d62ec6e27b9344695f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d7b6fa97ec894edd02f64b83e5e72e1aa352f353", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "18f614369def2a11a52f569fe0f910b199d13487", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e7e23fc5d5fe422827c9a43ecb579448f73876c7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1dc7d74fe456944a9b1c57bd776280249f441ac6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b820de741ae48ccf50dd95e297889c286ff4f760", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/aio.c", "include/linux/fs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\n\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\n\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\n\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:55.805Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f" }, { "url": "https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942" }, { "url": "https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f" }, { "url": "https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353" }, { "url": "https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487" }, { "url": "https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7" }, { "url": "https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6" }, { "url": "https://git.kernel.org/stable/c/b820de741ae48ccf50dd95e297889c286ff4f760" } ], "title": "fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26764", "datePublished": "2024-04-03T17:00:46.962Z", "dateReserved": "2024-02-19T14:20:24.172Z", "dateUpdated": "2024-12-19T08:46:55.805Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26770
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: nvidia-shield: Add missing null pointer checks to LED initialization
devm_kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.
[jkosina@suse.com: tweak changelog a bit]
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.354Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26770", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:24.782459Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:11.391Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-nvidia-shield.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "83527a13740f57b45f162e3af4c7db4b88521100", "status": "affected", "version": "09308562d4afb1abc66366608fa1cb9de783272f", "versionType": "git" }, { "lessThan": "e71cc4a1e584293deafff1a7dea614b0210d0443", "status": "affected", "version": "09308562d4afb1abc66366608fa1cb9de783272f", "versionType": "git" }, { "lessThan": "b6eda11c44dc89a681e1c105f0f4660e69b1e183", "status": "affected", "version": "09308562d4afb1abc66366608fa1cb9de783272f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-nvidia-shield.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:06.270Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100" }, { "url": "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" }, { "url": "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183" } ], "title": "HID: nvidia-shield: Add missing null pointer checks to LED initialization", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26770", "datePublished": "2024-04-03T17:00:56.894Z", "dateReserved": "2024-02-19T14:20:24.175Z", "dateUpdated": "2024-12-19T08:47:06.270Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26745
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV
When kdump kernel tries to copy dump data over SR-IOV, LPAR panics due
to NULL pointer exception:
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc000000020847ad4
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop
CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12
Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c
REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)
MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 48288244 XER: 00000008
CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1
...
NIP _find_next_zero_bit+0x24/0x110
LR bitmap_find_next_zero_area_off+0x5c/0xe0
Call Trace:
dev_printk_emit+0x38/0x48 (unreliable)
iommu_area_alloc+0xc4/0x180
iommu_range_alloc+0x1e8/0x580
iommu_alloc+0x60/0x130
iommu_alloc_coherent+0x158/0x2b0
dma_iommu_alloc_coherent+0x3c/0x50
dma_alloc_attrs+0x170/0x1f0
mlx5_cmd_init+0xc0/0x760 [mlx5_core]
mlx5_function_setup+0xf0/0x510 [mlx5_core]
mlx5_init_one+0x84/0x210 [mlx5_core]
probe_one+0x118/0x2c0 [mlx5_core]
local_pci_probe+0x68/0x110
pci_call_probe+0x68/0x200
pci_device_probe+0xbc/0x1a0
really_probe+0x104/0x540
__driver_probe_device+0xb4/0x230
driver_probe_device+0x54/0x130
__driver_attach+0x158/0x2b0
bus_for_each_dev+0xa8/0x130
driver_attach+0x34/0x50
bus_add_driver+0x16c/0x300
driver_register+0xa4/0x1b0
__pci_register_driver+0x68/0x80
mlx5_init+0xb8/0x100 [mlx5_core]
do_one_initcall+0x60/0x300
do_init_module+0x7c/0x2b0
At the time of LPAR dump, before kexec hands over control to kdump
kernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.
For the SR-IOV case, default DMA window "ibm,dma-window" is removed from
the FDT and DDW added, for the device.
Now, kexec hands over control to the kdump kernel.
When the kdump kernel initializes, PCI busses are scanned and IOMMU
group/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV
case, there is no "ibm,dma-window". The original commit: b1fc44eaa9ba,
fixes the path where memory is pre-mapped (direct mapped) to the DDW.
When TCEs are direct mapped, there is no need to initialize IOMMU
tables.
iommu_table_setparms_lpar() only considers "ibm,dma-window" property
when initiallizing IOMMU table. In the scenario where TCEs are
dynamically allocated for SR-IOV, newly created IOMMU table is not
initialized. Later, when the device driver tries to enter TCEs for the
SR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().
The fix is to initialize the IOMMU table with DDW property stored in the
FDT. There are 2 points to remember:
1. For the dedicated adapter, kdump kernel would encounter both
default and DDW in FDT. In this case, DDW property is used to
initialize the IOMMU table.
2. A DDW could be direct or dynamic mapped. kdump kernel would
initialize IOMMU table and mark the existing DDW as
"dynamic". This works fine since, at the time of table
initialization, iommu_table_clear() makes some space in the
DDW, for some predefined number of TCEs which are needed for
kdump to succeed.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26745", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:11:41.135555Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-31T18:11:38.179Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.198Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7eb95e0af5c9c2e6fad50356eaf32d216d0e7bc3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d4d1e4b1513d975961de7bb4f75e450a92d65ebf" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5da6d306f315344af1ca2eff4bd9b10b130f0c28" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/09a3c1e46142199adcee372a420b024b4fc61051" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/platforms/pseries/iommu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7eb95e0af5c9c2e6fad50356eaf32d216d0e7bc3", "status": "affected", "version": "b1fc44eaa9ba31e28c4125d6b9205a3582b47b5d", "versionType": "git" }, { "lessThan": "d4d1e4b1513d975961de7bb4f75e450a92d65ebf", "status": "affected", "version": "b1fc44eaa9ba31e28c4125d6b9205a3582b47b5d", "versionType": "git" }, { "lessThan": "5da6d306f315344af1ca2eff4bd9b10b130f0c28", "status": "affected", "version": "b1fc44eaa9ba31e28c4125d6b9205a3582b47b5d", "versionType": "git" }, { "lessThan": "09a3c1e46142199adcee372a420b024b4fc61051", "status": "affected", "version": "b1fc44eaa9ba31e28c4125d6b9205a3582b47b5d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/platforms/pseries/iommu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV\n\nWhen kdump kernel tries to copy dump data over SR-IOV, LPAR panics due\nto NULL pointer exception:\n\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000020847ad4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop\n CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c\n REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)\n MSR: 800000000280b033 \u003cSF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e CR: 48288244 XER: 00000008\n CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1\n ...\n NIP _find_next_zero_bit+0x24/0x110\n LR bitmap_find_next_zero_area_off+0x5c/0xe0\n Call Trace:\n dev_printk_emit+0x38/0x48 (unreliable)\n iommu_area_alloc+0xc4/0x180\n iommu_range_alloc+0x1e8/0x580\n iommu_alloc+0x60/0x130\n iommu_alloc_coherent+0x158/0x2b0\n dma_iommu_alloc_coherent+0x3c/0x50\n dma_alloc_attrs+0x170/0x1f0\n mlx5_cmd_init+0xc0/0x760 [mlx5_core]\n mlx5_function_setup+0xf0/0x510 [mlx5_core]\n mlx5_init_one+0x84/0x210 [mlx5_core]\n probe_one+0x118/0x2c0 [mlx5_core]\n local_pci_probe+0x68/0x110\n pci_call_probe+0x68/0x200\n pci_device_probe+0xbc/0x1a0\n really_probe+0x104/0x540\n __driver_probe_device+0xb4/0x230\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x130\n driver_attach+0x34/0x50\n bus_add_driver+0x16c/0x300\n driver_register+0xa4/0x1b0\n __pci_register_driver+0x68/0x80\n mlx5_init+0xb8/0x100 [mlx5_core]\n do_one_initcall+0x60/0x300\n do_init_module+0x7c/0x2b0\n\nAt the time of LPAR dump, before kexec hands over control to kdump\nkernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.\nFor the SR-IOV case, default DMA window \"ibm,dma-window\" is removed from\nthe FDT and DDW added, for the device.\n\nNow, kexec hands over control to the kdump kernel.\n\nWhen the kdump kernel initializes, PCI busses are scanned and IOMMU\ngroup/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV\ncase, there is no \"ibm,dma-window\". The original commit: b1fc44eaa9ba,\nfixes the path where memory is pre-mapped (direct mapped) to the DDW.\nWhen TCEs are direct mapped, there is no need to initialize IOMMU\ntables.\n\niommu_table_setparms_lpar() only considers \"ibm,dma-window\" property\nwhen initiallizing IOMMU table. In the scenario where TCEs are\ndynamically allocated for SR-IOV, newly created IOMMU table is not\ninitialized. Later, when the device driver tries to enter TCEs for the\nSR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().\n\nThe fix is to initialize the IOMMU table with DDW property stored in the\nFDT. There are 2 points to remember:\n\n\t1. For the dedicated adapter, kdump kernel would encounter both\n\t default and DDW in FDT. In this case, DDW property is used to\n\t initialize the IOMMU table.\n\n\t2. A DDW could be direct or dynamic mapped. kdump kernel would\n\t initialize IOMMU table and mark the existing DDW as\n\t \"dynamic\". This works fine since, at the time of table\n\t initialization, iommu_table_clear() makes some space in the\n\t DDW, for some predefined number of TCEs which are needed for\n\t kdump to succeed." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:20.553Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7eb95e0af5c9c2e6fad50356eaf32d216d0e7bc3" }, { "url": "https://git.kernel.org/stable/c/d4d1e4b1513d975961de7bb4f75e450a92d65ebf" }, { "url": "https://git.kernel.org/stable/c/5da6d306f315344af1ca2eff4bd9b10b130f0c28" }, { "url": "https://git.kernel.org/stable/c/09a3c1e46142199adcee372a420b024b4fc61051" } ], "title": "powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26745", "datePublished": "2024-04-04T08:20:13.182Z", "dateReserved": "2024-02-19T14:20:24.168Z", "dateUpdated": "2024-12-19T08:46:20.553Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26699
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr
[Why]
There is a potential memory access violation while
iterating through array of dcn35 clks.
[How]
Limit iteration per array size.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.940Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26699", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:47.122143Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:29.383Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb", "status": "affected", "version": "8774029f76b9806f2f3586bb0502408076767fd5", "versionType": "git" }, { "lessThan": "46806e59a87790760870d216f54951a5b4d545bc", "status": "affected", "version": "8774029f76b9806f2f3586bb0502408076767fd5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:26.023Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" }, { "url": "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc" } ], "title": "drm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26699", "datePublished": "2024-04-03T14:54:59.268Z", "dateReserved": "2024-02-19T14:20:24.157Z", "dateUpdated": "2024-12-19T08:45:26.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26718
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-crypt, dm-verity: disable tasklets
Tasklets have an inherent problem with memory corruption. The function
tasklet_action_common calls tasklet_trylock, then it calls the tasklet
callback and then it calls tasklet_unlock. If the tasklet callback frees
the structure that contains the tasklet or if it calls some code that may
free it, tasklet_unlock will write into free memory.
The commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but
it is not a sufficient fix and the data corruption can still happen [1].
There is no fix for dm-verity and dm-verity will write into free memory
with every tasklet-processed bio.
There will be atomic workqueues implemented in the kernel 6.9 [2]. They
will have better interface and they will not suffer from the memory
corruption problem.
But we need something that stops the memory corruption now and that can be
backported to the stable kernels. So, I'm proposing this commit that
disables tasklets in both dm-crypt and dm-verity. This commit doesn't
remove the tasklet support, because the tasklet code will be reused when
atomic workqueues will be implemented.
[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/
[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 Version: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 Version: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 Version: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 Version: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.969Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26718", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:23.335095Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:24.008Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-crypt.c", "drivers/md/dm-verity-target.c", "drivers/md/dm-verity.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b825e0f9d68c178072bffd32dd34c39e3d2d597a", "status": "affected", "version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877", "versionType": "git" }, { "lessThan": "30884a44e0cedc3dfda8c22432f3ba4078ec2d94", "status": "affected", "version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877", "versionType": "git" }, { "lessThan": "5735a2671ffb70ea29ca83969fe01316ee2ed6fc", "status": "affected", "version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877", "versionType": "git" }, { "lessThan": "0c45a20cbe68bc4d681734f5c03891124a274257", "status": "affected", "version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877", "versionType": "git" }, { "lessThan": "0a9bab391e336489169b95cb0d4553d921302189", "status": "affected", "version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-crypt.c", "drivers/md/dm-verity-target.c", "drivers/md/dm-verity.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.169", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I\u0027m proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn\u0027t\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:47.317Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b825e0f9d68c178072bffd32dd34c39e3d2d597a" }, { "url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94" }, { "url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" }, { "url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257" }, { "url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189" } ], "title": "dm-crypt, dm-verity: disable tasklets", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26718", "datePublished": "2024-04-03T14:55:18.756Z", "dateReserved": "2024-02-19T14:20:24.161Z", "dateUpdated": "2024-12-19T08:45:47.317Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26692
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: Fix regression in writes when non-standard maximum write size negotiated
The conversion to netfs in the 6.3 kernel caused a regression when
maximum write size is set by the server to an unexpected value which is
not a multiple of 4096 (similarly if the user overrides the maximum
write size by setting mount parm "wsize", but sets it to a value that
is not a multiple of 4096). When negotiated write size is not a
multiple of 4096 the netfs code can skip the end of the final
page when doing large sequential writes, causing data corruption.
This section of code is being rewritten/removed due to a large
netfs change, but until that point (ie for the 6.3 kernel until now)
we can not support non-standard maximum write sizes.
Add a warning if a user specifies a wsize on mount that is not
a multiple of 4096 (and round down), also add a change where we
round down the maximum write size if the server negotiates a value
that is not a multiple of 4096 (we also have to check to make sure that
we do not round it down to zero).
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.775Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26692", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:53:00.719188Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:31.032Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/connect.c", "fs/smb/client/fs_context.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4145ccff546ea868428b3e0fe6818c6261b574a9", "status": "affected", "version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "versionType": "git" }, { "lessThan": "63c35afd50e28b49c5b75542045a8c42b696dab9", "status": "affected", "version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "versionType": "git" }, { "lessThan": "4860abb91f3d7fbaf8147d54782149bb1fc45892", "status": "affected", "version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/connect.c", "fs/smb/client/fs_context.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Fix regression in writes when non-standard maximum write size negotiated\n\nThe conversion to netfs in the 6.3 kernel caused a regression when\nmaximum write size is set by the server to an unexpected value which is\nnot a multiple of 4096 (similarly if the user overrides the maximum\nwrite size by setting mount parm \"wsize\", but sets it to a value that\nis not a multiple of 4096). When negotiated write size is not a\nmultiple of 4096 the netfs code can skip the end of the final\npage when doing large sequential writes, causing data corruption.\n\nThis section of code is being rewritten/removed due to a large\nnetfs change, but until that point (ie for the 6.3 kernel until now)\nwe can not support non-standard maximum write sizes.\n\nAdd a warning if a user specifies a wsize on mount that is not\na multiple of 4096 (and round down), also add a change where we\nround down the maximum write size if the server negotiates a value\nthat is not a multiple of 4096 (we also have to check to make sure that\nwe do not round it down to zero)." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:12.182Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9" }, { "url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9" }, { "url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892" } ], "title": "smb: Fix regression in writes when non-standard maximum write size negotiated", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26692", "datePublished": "2024-04-03T14:54:53.343Z", "dateReserved": "2024-02-19T14:20:24.155Z", "dateUpdated": "2024-12-19T08:45:12.182Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26801
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Avoid potential use-after-free in hci_error_reset
While handling the HCI_EV_HARDWARE_ERROR event, if the underlying
BT controller is not responding, the GPIO reset mechanism would
free the hci_dev and lead to a use-after-free in hci_error_reset.
Here's the call trace observed on a ChromeOS device with Intel AX201:
queue_work_on+0x3e/0x6c
__hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]
? init_wait_entry+0x31/0x31
__hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]
hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]
process_one_work+0x1d8/0x33f
worker_thread+0x21b/0x373
kthread+0x13a/0x152
? pr_cont_work+0x54/0x54
? kthread_blkcg+0x31/0x31
ret_from_fork+0x1f/0x30
This patch holds the reference count on the hci_dev while processing
a HCI_EV_HARDWARE_ERROR event to avoid potential crash.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c Version: c7741d16a57cbf97eebe53f27e8216b1ff20e20c |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.522Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26801", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-15T19:27:12.303916Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-15T19:27:19.532Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e0b278650f07acf2e0932149183458468a731c03", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" }, { "lessThan": "98fb98fd37e42fd4ce13ff657ea64503e24b6090", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" }, { "lessThan": "6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" }, { "lessThan": "da4569d450b193e39e87119fd316c0291b585d14", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" }, { "lessThan": "45085686b9559bfbe3a4f41d3d695a520668f5e1", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" }, { "lessThan": "2ab9a19d896f5a0dd386e1f001c5309bc35f433b", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" }, { "lessThan": "dd594cdc24f2e48dab441732e6dfcafd6b0711d1", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" }, { "lessThan": "2449007d3f73b2842c9734f45f0aadb522daf592", "status": "affected", "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.0" }, { "lessThan": "4.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.309", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere\u0027s the call trace observed on a ChromeOS device with Intel AX201:\n queue_work_on+0x3e/0x6c\n __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth \u003cHASH:3b4a6\u003e]\n ? init_wait_entry+0x31/0x31\n __hci_cmd_sync+0x16/0x20 [bluetooth \u003cHASH:3b4a 6\u003e]\n hci_error_reset+0x4f/0xa4 [bluetooth \u003cHASH:3b4a 6\u003e]\n process_one_work+0x1d8/0x33f\n worker_thread+0x21b/0x373\n kthread+0x13a/0x152\n ? pr_cont_work+0x54/0x54\n ? kthread_blkcg+0x31/0x31\n ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:43.548Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03" }, { "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090" }, { "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2" }, { "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14" }, { "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1" }, { "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b" }, { "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1" }, { "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592" } ], "title": "Bluetooth: Avoid potential use-after-free in hci_error_reset", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26801", "datePublished": "2024-04-04T08:20:29.211Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:43.548Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26709
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/iommu: Fix the missing iommu_group_put() during platform domain attach
The function spapr_tce_platform_iommu_attach_dev() is missing to call
iommu_group_put() when the domain is already set. This refcount leak
shows up with BUG_ON() during DLPAR remove operation as:
KernelBug: Kernel bug in state 'None': kernel BUG at arch/powerpc/platforms/pseries/iommu.c:100!
Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries
<snip>
Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_016) hv:phyp pSeries
NIP: c0000000000ff4d4 LR: c0000000000ff4cc CTR: 0000000000000000
REGS: c0000013aed5f840 TRAP: 0700 Tainted: G I (6.8.0-rc3-autotest-g99bd3cb0d12e)
MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 44002402 XER: 20040000
CFAR: c000000000a0d170 IRQMASK: 0
...
NIP iommu_reconfig_notifier+0x94/0x200
LR iommu_reconfig_notifier+0x8c/0x200
Call Trace:
iommu_reconfig_notifier+0x8c/0x200 (unreliable)
notifier_call_chain+0xb8/0x19c
blocking_notifier_call_chain+0x64/0x98
of_reconfig_notify+0x44/0xdc
of_detach_node+0x78/0xb0
ofdt_write.part.0+0x86c/0xbb8
proc_reg_write+0xf4/0x150
vfs_write+0xf8/0x488
ksys_write+0x84/0x140
system_call_exception+0x138/0x330
system_call_vectored_common+0x15c/0x2ec
The patch adds the missing iommu_group_put() call.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26709", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:05:58.062446Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:05.160Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.569Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c90fdea9cac9eb419fc266e75d625cb60c8f7f6c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0846dd77c8349ec92ca0079c9c71d130f34cb192" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/iommu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c90fdea9cac9eb419fc266e75d625cb60c8f7f6c", "status": "affected", "version": "a8ca9fc9134c1a43e6d4db7ff59496bbd7075def", "versionType": "git" }, { "lessThan": "0846dd77c8349ec92ca0079c9c71d130f34cb192", "status": "affected", "version": "a8ca9fc9134c1a43e6d4db7ff59496bbd7075def", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/iommu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: Fix the missing iommu_group_put() during platform domain attach\n\nThe function spapr_tce_platform_iommu_attach_dev() is missing to call\niommu_group_put() when the domain is already set. This refcount leak\nshows up with BUG_ON() during DLPAR remove operation as:\n\n KernelBug: Kernel bug in state \u0027None\u0027: kernel BUG at arch/powerpc/platforms/pseries/iommu.c:100!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries\n \u003csnip\u003e\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_016) hv:phyp pSeries\n NIP: c0000000000ff4d4 LR: c0000000000ff4cc CTR: 0000000000000000\n REGS: c0000013aed5f840 TRAP: 0700 Tainted: G I (6.8.0-rc3-autotest-g99bd3cb0d12e)\n MSR: 8000000000029033 \u003cSF,EE,ME,IR,DR,RI,LE\u003e CR: 44002402 XER: 20040000\n CFAR: c000000000a0d170 IRQMASK: 0\n ...\n NIP iommu_reconfig_notifier+0x94/0x200\n LR iommu_reconfig_notifier+0x8c/0x200\n Call Trace:\n iommu_reconfig_notifier+0x8c/0x200 (unreliable)\n notifier_call_chain+0xb8/0x19c\n blocking_notifier_call_chain+0x64/0x98\n of_reconfig_notify+0x44/0xdc\n of_detach_node+0x78/0xb0\n ofdt_write.part.0+0x86c/0xbb8\n proc_reg_write+0xf4/0x150\n vfs_write+0xf8/0x488\n ksys_write+0x84/0x140\n system_call_exception+0x138/0x330\n system_call_vectored_common+0x15c/0x2ec\n\nThe patch adds the missing iommu_group_put() call." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:36.752Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c90fdea9cac9eb419fc266e75d625cb60c8f7f6c" }, { "url": "https://git.kernel.org/stable/c/0846dd77c8349ec92ca0079c9c71d130f34cb192" } ], "title": "powerpc/iommu: Fix the missing iommu_group_put() during platform domain attach", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26709", "datePublished": "2024-04-03T14:55:11.868Z", "dateReserved": "2024-02-19T14:20:24.159Z", "dateUpdated": "2024-12-19T08:45:36.752Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26703
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Move hrtimer_init to timerlat_fd open()
Currently, the timerlat's hrtimer is initialized at the first read of
timerlat_fd, and destroyed at close(). It works, but it causes an error
if the user program open() and close() the file without reading.
Here's an example:
# echo NO_OSNOISE_WORKLOAD > /sys/kernel/debug/tracing/osnoise/options
# echo timerlat > /sys/kernel/debug/tracing/current_tracer
# cat <<EOF > ./timerlat_load.py
# !/usr/bin/env python3
timerlat_fd = open("/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd", 'r')
timerlat_fd.close();
EOF
# ./taskset -c 0 ./timerlat_load.py
<BOOM>
BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014
RIP: 0010:hrtimer_active+0xd/0x50
Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 <8b> 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d
RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286
RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08
RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70
R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08
R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000
FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? srso_alias_return_thunk+0x5/0x7f
? avc_has_extended_perms+0x237/0x520
? exc_page_fault+0x7f/0x180
? asm_exc_page_fault+0x26/0x30
? hrtimer_active+0xd/0x50
hrtimer_cancel+0x15/0x40
timerlat_fd_release+0x48/0xe0
__fput+0xf5/0x290
__x64_sys_close+0x3d/0x80
do_syscall_64+0x60/0x90
? srso_alias_return_thunk+0x5/0x7f
? __x64_sys_ioctl+0x72/0xd0
? srso_alias_return_thunk+0x5/0x7f
? syscall_exit_to_user_mode+0x2b/0x40
? srso_alias_return_thunk+0x5/0x7f
? do_syscall_64+0x6c/0x90
? srso_alias_return_thunk+0x5/0x7f
? exit_to_user_mode_prepare+0x142/0x1f0
? srso_alias_return_thunk+0x5/0x7f
? syscall_exit_to_user_mode+0x2b/0x40
? srso_alias_return_thunk+0x5/0x7f
? do_syscall_64+0x6c/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7f2ffb321594
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d
RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000
R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003
R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668
</TASK>
CR2: 0000000000000010
---[ end trace 0000000000000000 ]---
Move hrtimer_init to timerlat_fd open() to avoid this problem.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26703", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T18:03:40.350570Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:26.798Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.874Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5f703935fdb559642d85b2088442ee55a557ae6d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2354d29986ebd138f89c2b73fecf8237e0a4ad6b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1389358bb008e7625942846e9f03554319b7fecc" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/trace/trace_osnoise.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5f703935fdb559642d85b2088442ee55a557ae6d", "status": "affected", "version": "e88ed227f639ebcb31ed4e5b88756b47d904584b", "versionType": "git" }, { "lessThan": "2354d29986ebd138f89c2b73fecf8237e0a4ad6b", "status": "affected", "version": "e88ed227f639ebcb31ed4e5b88756b47d904584b", "versionType": "git" }, { "lessThan": "1389358bb008e7625942846e9f03554319b7fecc", "status": "affected", "version": "e88ed227f639ebcb31ed4e5b88756b47d904584b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/trace/trace_osnoise.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Move hrtimer_init to timerlat_fd open()\n\nCurrently, the timerlat\u0027s hrtimer is initialized at the first read of\ntimerlat_fd, and destroyed at close(). It works, but it causes an error\nif the user program open() and close() the file without reading.\n\nHere\u0027s an example:\n\n # echo NO_OSNOISE_WORKLOAD \u003e /sys/kernel/debug/tracing/osnoise/options\n # echo timerlat \u003e /sys/kernel/debug/tracing/current_tracer\n\n # cat \u003c\u003cEOF \u003e ./timerlat_load.py\n # !/usr/bin/env python3\n\n timerlat_fd = open(\"/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd\", \u0027r\u0027)\n timerlat_fd.close();\n EOF\n\n # ./taskset -c 0 ./timerlat_load.py\n\u003cBOOM\u003e\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014\n RIP: 0010:hrtimer_active+0xd/0x50\n Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 \u003c8b\u003e 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d\n RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286\n RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08\n RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08\n R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000\n FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? srso_alias_return_thunk+0x5/0x7f\n ? avc_has_extended_perms+0x237/0x520\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? hrtimer_active+0xd/0x50\n hrtimer_cancel+0x15/0x40\n timerlat_fd_release+0x48/0xe0\n __fput+0xf5/0x290\n __x64_sys_close+0x3d/0x80\n do_syscall_64+0x60/0x90\n ? srso_alias_return_thunk+0x5/0x7f\n ? __x64_sys_ioctl+0x72/0xd0\n ? srso_alias_return_thunk+0x5/0x7f\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_syscall_64+0x6c/0x90\n ? srso_alias_return_thunk+0x5/0x7f\n ? exit_to_user_mode_prepare+0x142/0x1f0\n ? srso_alias_return_thunk+0x5/0x7f\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f2ffb321594\n Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d\n RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000\n R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003\n R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668\n \u003c/TASK\u003e\n CR2: 0000000000000010\n ---[ end trace 0000000000000000 ]---\n\nMove hrtimer_init to timerlat_fd open() to avoid this problem." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:29.579Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5f703935fdb559642d85b2088442ee55a557ae6d" }, { "url": "https://git.kernel.org/stable/c/2354d29986ebd138f89c2b73fecf8237e0a4ad6b" }, { "url": "https://git.kernel.org/stable/c/1389358bb008e7625942846e9f03554319b7fecc" } ], "title": "tracing/timerlat: Move hrtimer_init to timerlat_fd open()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26703", "datePublished": "2024-04-03T14:55:01.838Z", "dateReserved": "2024-02-19T14:20:24.158Z", "dateUpdated": "2024-12-19T08:45:29.579Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26727
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not ASSERT() if the newly created subvolume already got read
[BUG]
There is a syzbot crash, triggered by the ASSERT() during subvolume
creation:
assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319
------------[ cut here ]------------
kernel BUG at fs/btrfs/disk-io.c:1319!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60
<TASK>
btrfs_get_new_fs_root+0xd3/0xf0
create_subvol+0xd02/0x1650
btrfs_mksubvol+0xe95/0x12b0
__btrfs_ioctl_snap_create+0x2f9/0x4f0
btrfs_ioctl_snap_create+0x16b/0x200
btrfs_ioctl+0x35f0/0x5cf0
__x64_sys_ioctl+0x19d/0x210
do_syscall_64+0x3f/0xe0
entry_SYSCALL_64_after_hwframe+0x63/0x6b
---[ end trace 0000000000000000 ]---
[CAUSE]
During create_subvol(), after inserting root item for the newly created
subvolume, we would trigger btrfs_get_new_fs_root() to get the
btrfs_root of that subvolume.
The idea here is, we have preallocated an anonymous device number for
the subvolume, thus we can assign it to the new subvolume.
But there is really nothing preventing things like backref walk to read
the new subvolume.
If that happens before we call btrfs_get_new_fs_root(), the subvolume
would be read out, with a new anonymous device number assigned already.
In that case, we would trigger ASSERT(), as we really expect no one to
read out that subvolume (which is not yet accessible from the fs).
But things like backref walk is still possible to trigger the read on
the subvolume.
Thus our assumption on the ASSERT() is not correct in the first place.
[FIX]
Fix it by removing the ASSERT(), and just free the @anon_dev, reset it
to 0, and continue.
If the subvolume tree is read out by something else, it should have
already get a new anon_dev assigned thus we only need to free the
preallocated one.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 Version: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 Version: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 Version: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 Version: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 Version: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26727", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:28:59.725318Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:29:08.159Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.984Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/disk-io.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3f5d47eb163bceb1b9e613c9003bae5fefc0046f", "status": "affected", "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "versionType": "git" }, { "lessThan": "e31546b0f34af21738c4ceac47d662c00ee6382f", "status": "affected", "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "versionType": "git" }, { "lessThan": "66b317a2fc45b2ef66527ee3f8fa08fb5beab88d", "status": "affected", "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "versionType": "git" }, { "lessThan": "833775656d447c545133a744a0ed1e189ce61430", "status": "affected", "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "versionType": "git" }, { "lessThan": "5a172344bfdabb46458e03708735d7b1a918c468", "status": "affected", "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "versionType": "git" }, { "lessThan": "e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb", "status": "affected", "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/disk-io.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \u003cTASK\u003e\n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:58.338Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f" }, { "url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f" }, { "url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d" }, { "url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430" }, { "url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468" }, { "url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb" } ], "title": "btrfs: do not ASSERT() if the newly created subvolume already got read", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26727", "datePublished": "2024-04-03T14:55:25.805Z", "dateReserved": "2024-02-19T14:20:24.164Z", "dateUpdated": "2024-12-19T08:45:58.338Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26790
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
There is chip (ls1028a) errata:
The SoC may hang on 16 byte unaligned read transactions by QDMA.
Unaligned read transactions initiated by QDMA may stall in the NOC
(Network On-Chip), causing a deadlock condition. Stalled transactions will
trigger completion timeouts in PCIe controller.
Workaround:
Enable prefetch by setting the source descriptor prefetchable bit
( SD[PF] = 1 ).
Implement this workaround.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 Version: b092529e0aa09829a6404424ce167bf3ce3235e2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26790", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T16:24:55.798835Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:16.312Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.493Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/dma/fsl-qdma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "518d78b4fac68cac29a263554d7f3b19da99d0da", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "bb3a06e9b9a30e33d96aadc0e077be095a4f8580", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "106c1ac953a66556ec77456c46e818208d3a9bce", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "5b696e9c388251f1c7373be92293769a489fd367", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "ad2f8920c314e0a2d9e984fc94b729eca3cda471", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" }, { "lessThan": "9d739bccf261dd93ec1babf82f5c5d71dd4caa3e", "status": "affected", "version": "b092529e0aa09829a6404424ce167bf3ce3235e2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/dma/fsl-qdma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.1" }, { "lessThan": "5.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read\n\nThere is chip (ls1028a) errata:\n\nThe SoC may hang on 16 byte unaligned read transactions by QDMA.\n\nUnaligned read transactions initiated by QDMA may stall in the NOC\n(Network On-Chip), causing a deadlock condition. Stalled transactions will\ntrigger completion timeouts in PCIe controller.\n\nWorkaround:\nEnable prefetch by setting the source descriptor prefetchable bit\n( SD[PF] = 1 ).\n\nImplement this workaround." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:30.187Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da" }, { "url": "https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580" }, { "url": "https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce" }, { "url": "https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa" }, { "url": "https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367" }, { "url": "https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471" }, { "url": "https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e" } ], "title": "dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26790", "datePublished": "2024-04-04T08:20:21.742Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:30.187Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26756
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: Don't register sync_thread for reshape directly
Currently, if reshape is interrupted, then reassemble the array will
register sync_thread directly from pers->run(), in this case
'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee
that md_do_sync() will be executed, hence stop_sync_thread() will hang
because 'MD_RECOVERY_RUNNING' can't be cleared.
Last patch make sure that md_do_sync() will set MD_RECOVERY_DONE,
however, following hang can still be triggered by dm-raid test
shell/lvconvert-raid-reshape.sh occasionally:
[root@fedora ~]# cat /proc/1982/stack
[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]
[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]
[<0>] raid_presuspend+0x1e/0x70 [dm_raid]
[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]
[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]
[<0>] dm_destroy+0x16/0x30 [dm_mod]
[<0>] dev_remove+0x165/0x290 [dm_mod]
[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]
[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]
[<0>] vfs_ioctl+0x21/0x60
[<0>] __x64_sys_ioctl+0xb9/0xe0
[<0>] do_syscall_64+0xc6/0x230
[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74
Meanwhile mddev->recovery is:
MD_RECOVERY_RUNNING |
MD_RECOVERY_INTR |
MD_RECOVERY_RESHAPE |
MD_RECOVERY_FROZEN
Fix this problem by remove the code to register sync_thread directly
from raid10 and raid5. And let md_check_recovery() to register
sync_thread.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26756", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:28:01.094375Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:28:07.779Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.242Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/md.c", "drivers/md/raid10.c", "drivers/md/raid5.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "13b520fb62b772e408f9b79c5fe18ad414e90417", "status": "affected", "version": "f67055780caac6a99f43834795c43acf99eba6a6", "versionType": "git" }, { "lessThan": "ad39c08186f8a0f221337985036ba86731d6aafe", "status": "affected", "version": "f67055780caac6a99f43834795c43acf99eba6a6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/md.c", "drivers/md/raid10.c", "drivers/md/raid5.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.17" }, { "lessThan": "2.6.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don\u0027t register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers-\u003erun(), in this case\n\u0027MD_RECOVERY_RUNNING\u0027 is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause \u0027MD_RECOVERY_RUNNING\u0027 can\u0027t be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[\u003c0\u003e] stop_sync_thread+0x1ab/0x270 [md_mod]\n[\u003c0\u003e] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[\u003c0\u003e] raid_presuspend+0x1e/0x70 [dm_raid]\n[\u003c0\u003e] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[\u003c0\u003e] __dm_destroy+0x2a5/0x310 [dm_mod]\n[\u003c0\u003e] dm_destroy+0x16/0x30 [dm_mod]\n[\u003c0\u003e] dev_remove+0x165/0x290 [dm_mod]\n[\u003c0\u003e] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[\u003c0\u003e] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[\u003c0\u003e] vfs_ioctl+0x21/0x60\n[\u003c0\u003e] __x64_sys_ioctl+0xb9/0xe0\n[\u003c0\u003e] do_syscall_64+0xc6/0x230\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev-\u003erecovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:34.016Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417" }, { "url": "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" } ], "title": "md: Don\u0027t register sync_thread for reshape directly", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26756", "datePublished": "2024-04-03T17:00:40.814Z", "dateReserved": "2024-02-19T14:20:24.170Z", "dateUpdated": "2024-12-19T08:46:34.016Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26803
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: veth: clear GRO when clearing XDP even when down
veth sets NETIF_F_GRO automatically when XDP is enabled,
because both features use the same NAPI machinery.
The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which
is called both on ndo_stop and when XDP is turned off.
To avoid the flag from being cleared when the device is brought
down, the clearing is skipped when IFF_UP is not set.
Bringing the device down should indeed not modify its features.
Unfortunately, this means that clearing is also skipped when
XDP is disabled _while_ the device is down. And there's nothing
on the open path to bring the device features back into sync.
IOW if user enables XDP, disables it and then brings the device
up we'll end up with a stray GRO flag set but no NAPI instances.
We don't depend on the GRO flag on the datapath, so the datapath
won't crash. We will crash (or hang), however, next time features
are sync'ed (either by user via ethtool or peer changing its config).
The GRO flag will go away, and veth will try to disable the NAPIs.
But the open path never created them since XDP was off, the GRO flag
was a stray. If NAPI was initialized before we'll hang in napi_disable().
If it never was we'll crash trying to stop uninitialized hrtimer.
Move the GRO flag updates to the XDP enable / disable paths,
instead of mixing them with the ndo_open / ndo_close paths.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c Version: d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c Version: d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c Version: d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c Version: d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.524Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26803", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:50:46.385244Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:47.163Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/veth.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f011c103e654d83dc85f057a7d1bd0960d02831c", "status": "affected", "version": "d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c", "versionType": "git" }, { "lessThan": "7985d73961bbb4e726c1be7b9cd26becc7be8325", "status": "affected", "version": "d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c", "versionType": "git" }, { "lessThan": "16edf51f33f52dff70ed455bc40a6cc443c04664", "status": "affected", "version": "d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c", "versionType": "git" }, { "lessThan": "8f7a3894e58e6f5d5815533cfde60e3838947941", "status": "affected", "version": "d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c", "versionType": "git" }, { "lessThan": "fe9f801355f0b47668419f30f1fac1cf4539e736", "status": "affected", "version": "d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/veth.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: veth: clear GRO when clearing XDP even when down\n\nveth sets NETIF_F_GRO automatically when XDP is enabled,\nbecause both features use the same NAPI machinery.\n\nThe logic to clear NETIF_F_GRO sits in veth_disable_xdp() which\nis called both on ndo_stop and when XDP is turned off.\nTo avoid the flag from being cleared when the device is brought\ndown, the clearing is skipped when IFF_UP is not set.\nBringing the device down should indeed not modify its features.\n\nUnfortunately, this means that clearing is also skipped when\nXDP is disabled _while_ the device is down. And there\u0027s nothing\non the open path to bring the device features back into sync.\nIOW if user enables XDP, disables it and then brings the device\nup we\u0027ll end up with a stray GRO flag set but no NAPI instances.\n\nWe don\u0027t depend on the GRO flag on the datapath, so the datapath\nwon\u0027t crash. We will crash (or hang), however, next time features\nare sync\u0027ed (either by user via ethtool or peer changing its config).\nThe GRO flag will go away, and veth will try to disable the NAPIs.\nBut the open path never created them since XDP was off, the GRO flag\nwas a stray. If NAPI was initialized before we\u0027ll hang in napi_disable().\nIf it never was we\u0027ll crash trying to stop uninitialized hrtimer.\n\nMove the GRO flag updates to the XDP enable / disable paths,\ninstead of mixing them with the ndo_open / ndo_close paths." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:46.069Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c" }, { "url": "https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325" }, { "url": "https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664" }, { "url": "https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941" }, { "url": "https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736" } ], "title": "net: veth: clear GRO when clearing XDP even when down", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26803", "datePublished": "2024-04-04T08:20:30.656Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:46.069Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26767
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fixed integer types and null check locations
[why]:
issues fixed:
- comparison with wider integer type in loop condition which can cause
infinite loops
- pointer dereference before null check
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26767", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:27:45.666742Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:27:54.746Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.326Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c", "drivers/gpu/drm/amd/display/dc/link/link_validation.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "71783d1ff65204d69207fd156d4b2eb1d3882375", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "beea9ab9080cd2ef46296070bb327af066ee09d7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0484e05d048b66d01d1f3c1d2306010bb57d8738", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c", "drivers/gpu/drm/amd/display/dc/link/link_validation.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:02.173Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375" }, { "url": "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" }, { "url": "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738" } ], "title": "drm/amd/display: fixed integer types and null check locations", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26767", "datePublished": "2024-04-03T17:00:49.315Z", "dateReserved": "2024-02-19T14:20:24.173Z", "dateUpdated": "2024-12-19T08:47:02.173Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26765
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: Disable IRQ before init_fn() for nonboot CPUs
Disable IRQ before init_fn() for nonboot CPUs when hotplug, in order to
silence such warnings (and also avoid potential errors due to unexpected
interrupts):
WARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198
pc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0
a0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000
a4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c
t0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e
t4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000
t8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001
s1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001
s5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8
ra: 90000000047bd56c tlb_init+0x24c/0x528
ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280
CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
PRMD: 00000000 (PPLV0 -PIE -PWE)
EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
ECFG: 00071000 (LIE=12 VS=7)
ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)
PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198
Stack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000
900000010039fa30 0000000000000000 900000010039fa38 900000000619a140
9000000006456888 9000000006456880 900000010039f950 0000000000000001
0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700
0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003
0000000000040000 9000000007930370 0000000002b90000 0000000000000004
9000000006366000 900000000619a140 0000000000000000 0000000000000004
0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940
9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8
00000000000000b0 0000000000000000 0000000000000000 0000000000071000
...
Call Trace:
[<90000000047a4828>] show_stack+0x48/0x1a0
[<9000000005b61874>] dump_stack_lvl+0x84/0xcc
[<90000000047f60ac>] __warn+0x8c/0x1e0
[<9000000005b0ab34>] report_bug+0x1b4/0x280
[<9000000005b63110>] do_bp+0x2d0/0x480
[<90000000047a2e20>] handle_bp+0x120/0x1c0
[<90000000048e3334>] rcu_cpu_starting+0x214/0x280
[<90000000047bd568>] tlb_init+0x248/0x528
[<90000000047a4c44>] per_cpu_trap_init+0x124/0x160
[<90000000047a19f4>] cpu_probe+0x494/0xa00
[<90000000047b551c>] start_secondary+0x3c/0xc0
[<9000000005b66134>] smpboot_entry+0x50/0x58
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.363Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a262b78dd085dbe9b3c75dc1d9c4cd102b110b53" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dffdf7c783ef291eef38a5a0037584fd1a7fa464" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8bf2ca8c60712af288b88ba80f8e4df4573d923f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1001db6c42e4012b55e5ee19405490f23e033b5a" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26765", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:28.140835Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:11.854Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/loongarch/kernel/smp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a262b78dd085dbe9b3c75dc1d9c4cd102b110b53", "status": "affected", "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4", "versionType": "git" }, { "lessThan": "dffdf7c783ef291eef38a5a0037584fd1a7fa464", "status": "affected", "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4", "versionType": "git" }, { "lessThan": "8bf2ca8c60712af288b88ba80f8e4df4573d923f", "status": "affected", "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4", "versionType": "git" }, { "lessThan": "1001db6c42e4012b55e5ee19405490f23e033b5a", "status": "affected", "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/loongarch/kernel/smp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Disable IRQ before init_fn() for nonboot CPUs\n\nDisable IRQ before init_fn() for nonboot CPUs when hotplug, in order to\nsilence such warnings (and also avoid potential errors due to unexpected\ninterrupts):\n\nWARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\npc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0\na0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000\na4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c\nt0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e\nt4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000\nt8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001\ns1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001\ns5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8\n ra: 90000000047bd56c tlb_init+0x24c/0x528\n ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000000 (PPLV0 -PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071000 (LIE=12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\nStack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000\n 900000010039fa30 0000000000000000 900000010039fa38 900000000619a140\n 9000000006456888 9000000006456880 900000010039f950 0000000000000001\n 0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700\n 0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003\n 0000000000040000 9000000007930370 0000000002b90000 0000000000000004\n 9000000006366000 900000000619a140 0000000000000000 0000000000000004\n 0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940\n 9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8\n 00000000000000b0 0000000000000000 0000000000000000 0000000000071000\n ...\nCall Trace:\n[\u003c90000000047a4828\u003e] show_stack+0x48/0x1a0\n[\u003c9000000005b61874\u003e] dump_stack_lvl+0x84/0xcc\n[\u003c90000000047f60ac\u003e] __warn+0x8c/0x1e0\n[\u003c9000000005b0ab34\u003e] report_bug+0x1b4/0x280\n[\u003c9000000005b63110\u003e] do_bp+0x2d0/0x480\n[\u003c90000000047a2e20\u003e] handle_bp+0x120/0x1c0\n[\u003c90000000048e3334\u003e] rcu_cpu_starting+0x214/0x280\n[\u003c90000000047bd568\u003e] tlb_init+0x248/0x528\n[\u003c90000000047a4c44\u003e] per_cpu_trap_init+0x124/0x160\n[\u003c90000000047a19f4\u003e] cpu_probe+0x494/0xa00\n[\u003c90000000047b551c\u003e] start_secondary+0x3c/0xc0\n[\u003c9000000005b66134\u003e] smpboot_entry+0x50/0x58" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:59.745Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a262b78dd085dbe9b3c75dc1d9c4cd102b110b53" }, { "url": "https://git.kernel.org/stable/c/dffdf7c783ef291eef38a5a0037584fd1a7fa464" }, { "url": "https://git.kernel.org/stable/c/8bf2ca8c60712af288b88ba80f8e4df4573d923f" }, { "url": "https://git.kernel.org/stable/c/1001db6c42e4012b55e5ee19405490f23e033b5a" } ], "title": "LoongArch: Disable IRQ before init_fn() for nonboot CPUs", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26765", "datePublished": "2024-04-03T17:00:47.888Z", "dateReserved": "2024-02-19T14:20:24.172Z", "dateUpdated": "2024-12-19T08:46:59.745Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26722
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
There is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex
is left locked forever. That may lead to deadlock
when rt5645_jack_detect_work() is called for the second time.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 48ce529c83522944f116f03884819051f44f0fb6 Version: b67005b284ddaf62043468d1ce5905c17d85b0e6 Version: ffe13302b8fd486f80c98019bdcb7f3e512d0eda Version: 7a3ff8a2bb2620ba6a806f0967c38be1a8d306d9 Version: 1613195bf31e68b192bc731bea71726773e3482f Version: 8f82f2e4d9c4966282e494ae67b0bc05a6c2b904 Version: cdba4301adda7c60a2064bf808e48fccd352aaa9 Version: cdba4301adda7c60a2064bf808e48fccd352aaa9 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26722", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:40:07.128865Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:40.322Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.917Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3dd2d99e2352903d0e0b8769e6c9b8293c7454b2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/422d5243b9f780abd3d39da2b746e3915677b07d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4a98bc739d0753a5810ce5630943cd7614c7717e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d14b8e2005f36319df9412d42037416d64827f6b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1f0d7792e9023e8658e901b7b76a555f6aa052ec" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/050ad2ca0ac169dd9e552075d2c6af1bbb46534c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ed5b8b735369b40d6c1f8ef3e62d369f74b4c491" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6ef5d5b92f7117b324efaac72b3db27ae8bb3082" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/soc/codecs/rt5645.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3dd2d99e2352903d0e0b8769e6c9b8293c7454b2", "status": "affected", "version": "48ce529c83522944f116f03884819051f44f0fb6", "versionType": "git" }, { "lessThan": "422d5243b9f780abd3d39da2b746e3915677b07d", "status": "affected", "version": "b67005b284ddaf62043468d1ce5905c17d85b0e6", "versionType": "git" }, { "lessThan": "4a98bc739d0753a5810ce5630943cd7614c7717e", "status": "affected", "version": "ffe13302b8fd486f80c98019bdcb7f3e512d0eda", "versionType": "git" }, { "lessThan": "d14b8e2005f36319df9412d42037416d64827f6b", "status": "affected", "version": "7a3ff8a2bb2620ba6a806f0967c38be1a8d306d9", "versionType": "git" }, { "lessThan": "1f0d7792e9023e8658e901b7b76a555f6aa052ec", "status": "affected", "version": "1613195bf31e68b192bc731bea71726773e3482f", "versionType": "git" }, { "lessThan": "050ad2ca0ac169dd9e552075d2c6af1bbb46534c", "status": "affected", "version": "8f82f2e4d9c4966282e494ae67b0bc05a6c2b904", "versionType": "git" }, { "lessThan": "ed5b8b735369b40d6c1f8ef3e62d369f74b4c491", "status": "affected", "version": "cdba4301adda7c60a2064bf808e48fccd352aaa9", "versionType": "git" }, { "lessThan": "6ef5d5b92f7117b324efaac72b3db27ae8bb3082", "status": "affected", "version": "cdba4301adda7c60a2064bf808e48fccd352aaa9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/soc/codecs/rt5645.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.307", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.269", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()\n\nThere is a path in rt5645_jack_detect_work(), where rt5645-\u003ejd_mutex\nis left locked forever. That may lead to deadlock\nwhen rt5645_jack_detect_work() is called for the second time.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:51.979Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3dd2d99e2352903d0e0b8769e6c9b8293c7454b2" }, { "url": "https://git.kernel.org/stable/c/422d5243b9f780abd3d39da2b746e3915677b07d" }, { "url": "https://git.kernel.org/stable/c/4a98bc739d0753a5810ce5630943cd7614c7717e" }, { "url": "https://git.kernel.org/stable/c/d14b8e2005f36319df9412d42037416d64827f6b" }, { "url": "https://git.kernel.org/stable/c/1f0d7792e9023e8658e901b7b76a555f6aa052ec" }, { "url": "https://git.kernel.org/stable/c/050ad2ca0ac169dd9e552075d2c6af1bbb46534c" }, { "url": "https://git.kernel.org/stable/c/ed5b8b735369b40d6c1f8ef3e62d369f74b4c491" }, { "url": "https://git.kernel.org/stable/c/6ef5d5b92f7117b324efaac72b3db27ae8bb3082" } ], "title": "ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26722", "datePublished": "2024-04-03T14:55:21.709Z", "dateReserved": "2024-02-19T14:20:24.163Z", "dateUpdated": "2024-12-19T08:45:51.979Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26711
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: ad4130: zero-initialize clock init data
The clk_init_data struct does not have all its members
initialized, causing issues when trying to expose the internal
clock on the CLK pin.
Fix this by zero-initializing the clk_init_data struct.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0e0dab37750926d4fb0144edb1c1ea0612fea273" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/02876e2df02f8b17a593d77a0a7879a8109b27e1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a22b0a2be69a36511cb5b37d948b651ddf7debf3" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26711", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:32.878316Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:25.830Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iio/adc/ad4130.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0e0dab37750926d4fb0144edb1c1ea0612fea273", "status": "affected", "version": "62094060cf3acaf52e277457d807ea753269b89e", "versionType": "git" }, { "lessThan": "02876e2df02f8b17a593d77a0a7879a8109b27e1", "status": "affected", "version": "62094060cf3acaf52e277457d807ea753269b89e", "versionType": "git" }, { "lessThan": "a22b0a2be69a36511cb5b37d948b651ddf7debf3", "status": "affected", "version": "62094060cf3acaf52e277457d807ea753269b89e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iio/adc/ad4130.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad4130: zero-initialize clock init data\n\nThe clk_init_data struct does not have all its members\ninitialized, causing issues when trying to expose the internal\nclock on the CLK pin.\n\nFix this by zero-initializing the clk_init_data struct." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:39.159Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0e0dab37750926d4fb0144edb1c1ea0612fea273" }, { "url": "https://git.kernel.org/stable/c/02876e2df02f8b17a593d77a0a7879a8109b27e1" }, { "url": "https://git.kernel.org/stable/c/a22b0a2be69a36511cb5b37d948b651ddf7debf3" } ], "title": "iio: adc: ad4130: zero-initialize clock init data", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26711", "datePublished": "2024-04-03T14:55:13.488Z", "dateReserved": "2024-02-19T14:20:24.159Z", "dateUpdated": "2024-12-19T08:45:39.159Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26716
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: core: Prevent null pointer dereference in update_port_device_state
Currently, the function update_port_device_state gets the usb_hub from
udev->parent by calling usb_hub_to_struct_hub.
However, in case the actconfig or the maxchild is 0, the usb_hub would
be NULL and upon further accessing to get port_dev would result in null
pointer dereference.
Fix this by introducing an if check after the usb_hub is populated.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26716", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:29:15.448916Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:29:25.918Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.989Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ed85777c640cf9e6920bb1b60ed8cd48e1f4d873" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/465b545d1d7ef282192ddd4439b08279bdb13f6f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/12783c0b9e2c7915a50d5ec829630ff2da50472c" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/core/hub.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ed85777c640cf9e6920bb1b60ed8cd48e1f4d873", "status": "affected", "version": "83cb2604f641cecadc275ca18adbba4bf262320f", "versionType": "git" }, { "lessThan": "465b545d1d7ef282192ddd4439b08279bdb13f6f", "status": "affected", "version": "83cb2604f641cecadc275ca18adbba4bf262320f", "versionType": "git" }, { "lessThan": "12783c0b9e2c7915a50d5ec829630ff2da50472c", "status": "affected", "version": "83cb2604f641cecadc275ca18adbba4bf262320f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/core/hub.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: core: Prevent null pointer dereference in update_port_device_state\n\nCurrently, the function update_port_device_state gets the usb_hub from\nudev-\u003eparent by calling usb_hub_to_struct_hub.\nHowever, in case the actconfig or the maxchild is 0, the usb_hub would\nbe NULL and upon further accessing to get port_dev would result in null\npointer dereference.\n\nFix this by introducing an if check after the usb_hub is populated." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:44.966Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ed85777c640cf9e6920bb1b60ed8cd48e1f4d873" }, { "url": "https://git.kernel.org/stable/c/465b545d1d7ef282192ddd4439b08279bdb13f6f" }, { "url": "https://git.kernel.org/stable/c/12783c0b9e2c7915a50d5ec829630ff2da50472c" } ], "title": "usb: core: Prevent null pointer dereference in update_port_device_state", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26716", "datePublished": "2024-04-03T14:55:17.305Z", "dateReserved": "2024-02-19T14:20:24.160Z", "dateUpdated": "2024-12-19T08:45:44.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26797
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Prevent potential buffer overflow in map_hw_resources
Adds a check in the map_hw_resources function to prevent a potential
buffer overflow. The function was accessing arrays using an index that
could potentially be greater than the size of the arrays, leading to a
buffer overflow.
Adds a check to ensure that the index is within the bounds of the
arrays. If the index is out of bounds, an error message is printed and
break it will continue execution with just ignoring extra data early to
prevent the buffer overflow.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7
drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "linux_kernel", "vendor": "linux", "versions": [ { "lessThan": "50a6302cf881", "status": "affected", "version": "7966f319c66d", "versionType": "custom" }, { "lessThan": "0f8ca019544a", "status": "affected", "version": "7966f319c66d", "versionType": "custom" }, { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "custom" }, { "lessThanOrEqual": "6.8", "status": "unaffected", "version": "6.79", "versionType": "custom" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26797", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T16:00:44.653604Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-16T14:02:40.989Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.520Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/50a6302cf881f67f1410461a68fe9eabd00ff31d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0f8ca019544a252d1afb468ce840c6dcbac73af4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "50a6302cf881f67f1410461a68fe9eabd00ff31d", "status": "affected", "version": "7966f319c66d9468623c6a6a017ecbc0dd79be75", "versionType": "git" }, { "lessThan": "0f8ca019544a252d1afb468ce840c6dcbac73af4", "status": "affected", "version": "7966f319c66d9468623c6a6a017ecbc0dd79be75", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent potential buffer overflow in map_hw_resources\n\nAdds a check in the map_hw_resources function to prevent a potential\nbuffer overflow. The function was accessing arrays using an index that\ncould potentially be greater than the size of the arrays, leading to a\nbuffer overflow.\n\nAdds a check to ensure that the index is within the bounds of the\narrays. If the index is out of bounds, an error message is printed and\nbreak it will continue execution with just ignoring extra data early to\nprevent the buffer overflow.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow \u0027dml2-\u003ev20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id\u0027 6 \u003c= 7\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow \u0027dml2-\u003ev20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id\u0027 6 \u003c= 7" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:38.757Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/50a6302cf881f67f1410461a68fe9eabd00ff31d" }, { "url": "https://git.kernel.org/stable/c/0f8ca019544a252d1afb468ce840c6dcbac73af4" } ], "title": "drm/amd/display: Prevent potential buffer overflow in map_hw_resources", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26797", "datePublished": "2024-04-04T08:20:26.558Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:38.757Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26737
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel
The following race is possible between bpf_timer_cancel_and_free
and bpf_timer_cancel. It will lead a UAF on the timer->timer.
bpf_timer_cancel();
spin_lock();
t = timer->time;
spin_unlock();
bpf_timer_cancel_and_free();
spin_lock();
t = timer->timer;
timer->timer = NULL;
spin_unlock();
hrtimer_cancel(&t->timer);
kfree(t);
/* UAF on t */
hrtimer_cancel(&t->timer);
In bpf_timer_cancel_and_free, this patch frees the timer->timer
after a rcu grace period. This requires a rcu_head addition
to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init,
this does not need a kfree_rcu because it is still under the
spin_lock and timer->timer has not been visible by others yet.
In bpf_timer_cancel, rcu_read_lock() is added because this helper
can be used in a non rcu critical section context (e.g. from
a sleepable bpf prog). Other timer->timer usages in helpers.c
have been audited, bpf_timer_cancel() is the only place where
timer->timer is used outside of the spin_lock.
Another solution considered is to mark a t->flag in bpf_timer_cancel
and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,
it busy waits for the flag to be cleared before kfree(t). This patch
goes with a straight forward solution and frees timer->timer after
a rcu grace period.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b00628b1c7d595ae5b544e059c27b1f5828314b4 Version: b00628b1c7d595ae5b544e059c27b1f5828314b4 Version: b00628b1c7d595ae5b544e059c27b1f5828314b4 Version: b00628b1c7d595ae5b544e059c27b1f5828314b4 Version: b00628b1c7d595ae5b544e059c27b1f5828314b4 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26737", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T19:13:11.173900Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T18:51:47.375Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.230Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/bpf/helpers.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5268bb02107b9eedfdcd51db75b407d10043368c", "status": "affected", "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4", "versionType": "git" }, { "lessThan": "addf5e297e6cbf5341f9c07720693ca9ba0057b5", "status": "affected", "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4", "versionType": "git" }, { "lessThan": "8327ed12e8ebc5436bfaa1786c49988894f9c8a6", "status": "affected", "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4", "versionType": "git" }, { "lessThan": "7d80a9e745fa5b47da3bca001f186c02485c7c33", "status": "affected", "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4", "versionType": "git" }, { "lessThan": "0281b919e175bb9c3128bd3872ac2903e9436e3f", "status": "affected", "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/bpf/helpers.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead a UAF on the timer-\u003etimer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer-\u003etime;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer-\u003etimer;\n\t\t\t\t\t\ttimer-\u003etimer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(\u0026t-\u003etimer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(\u0026t-\u003etimer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer-\u003etimer\nafter a rcu grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer-\u003etimer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer-\u003etimer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer-\u003etimer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t-\u003eflag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straight forward solution and frees timer-\u003etimer after\na rcu grace period." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:10.867Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c" }, { "url": "https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5" }, { "url": "https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6" }, { "url": "https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33" }, { "url": "https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f" } ], "title": "bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26737", "datePublished": "2024-04-03T17:00:23.414Z", "dateReserved": "2024-02-19T14:20:24.166Z", "dateUpdated": "2024-12-19T08:46:10.867Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26746
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Ensure safe user copy of completion record
If CONFIG_HARDENED_USERCOPY is enabled, copying completion record from
event log cache to user triggers a kernel bug.
[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!
[ 1987.170845] ------------[ cut here ]------------
[ 1987.176086] kernel BUG at mm/usercopy.c:102!
[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5
[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023
[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]
[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90
[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f
[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246
[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000
[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff
[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff
[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a
[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899
[ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000
[ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0
[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 1987.324527] PKRU: 55555554
[ 1987.327622] Call Trace:
[ 1987.330424] <TASK>
[ 1987.332826] ? show_regs+0x6e/0x80
[ 1987.336703] ? die+0x3c/0xa0
[ 1987.339988] ? do_trap+0xd4/0xf0
[ 1987.343662] ? do_error_trap+0x75/0xa0
[ 1987.347922] ? usercopy_abort+0x72/0x90
[ 1987.352277] ? exc_invalid_op+0x57/0x80
[ 1987.356634] ? usercopy_abort+0x72/0x90
[ 1987.360988] ? asm_exc_invalid_op+0x1f/0x30
[ 1987.365734] ? usercopy_abort+0x72/0x90
[ 1987.370088] __check_heap_object+0xb7/0xd0
[ 1987.374739] __check_object_size+0x175/0x2d0
[ 1987.379588] idxd_copy_cr+0xa9/0x130 [idxd]
[ 1987.384341] idxd_evl_fault_work+0x127/0x390 [idxd]
[ 1987.389878] process_one_work+0x13e/0x300
[ 1987.394435] ? __pfx_worker_thread+0x10/0x10
[ 1987.399284] worker_thread+0x2f7/0x420
[ 1987.403544] ? _raw_spin_unlock_irqrestore+0x2b/0x50
[ 1987.409171] ? __pfx_worker_thread+0x10/0x10
[ 1987.414019] kthread+0x107/0x140
[ 1987.417693] ? __pfx_kthread+0x10/0x10
[ 1987.421954] ret_from_fork+0x3d/0x60
[ 1987.426019] ? __pfx_kthread+0x10/0x10
[ 1987.430281] ret_from_fork_asm+0x1b/0x30
[ 1987.434744] </TASK>
The issue arises because event log cache is created using
kmem_cache_create() which is not suitable for user copy.
Fix the issue by creating event log cache with
kmem_cache_create_usercopy(), ensuring safe user copy.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26746", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T16:00:23.530084Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:37.499Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.241Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5e3022ea42e490a36ec6f2cfa6fc603deb0bace4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bb71e040323175e18c233a9afef32ba14fa64eb7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d3ea125df37dc37972d581b74a5d3785c3f283ab" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/dma/idxd/init.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5e3022ea42e490a36ec6f2cfa6fc603deb0bace4", "status": "affected", "version": "c2f156bf168fb42cd6ecd0a8e2204dbe542b8516", "versionType": "git" }, { "lessThan": "bb71e040323175e18c233a9afef32ba14fa64eb7", "status": "affected", "version": "c2f156bf168fb42cd6ecd0a8e2204dbe542b8516", "versionType": "git" }, { "lessThan": "d3ea125df37dc37972d581b74a5d3785c3f283ab", "status": "affected", "version": "c2f156bf168fb42cd6ecd0a8e2204dbe542b8516", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/dma/idxd/init.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Ensure safe user copy of completion record\n\nIf CONFIG_HARDENED_USERCOPY is enabled, copying completion record from\nevent log cache to user triggers a kernel bug.\n\n[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object \u0027dsa0\u0027 (offset 74, size 31)!\n[ 1987.170845] ------------[ cut here ]------------\n[ 1987.176086] kernel BUG at mm/usercopy.c:102!\n[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5\n[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]\n[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90\n[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff \u003c0f\u003e 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f\n[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246\n[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000\n[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff\n[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff\n[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a\n[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899\n[ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000\n[ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0\n[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1987.324527] PKRU: 55555554\n[ 1987.327622] Call Trace:\n[ 1987.330424] \u003cTASK\u003e\n[ 1987.332826] ? show_regs+0x6e/0x80\n[ 1987.336703] ? die+0x3c/0xa0\n[ 1987.339988] ? do_trap+0xd4/0xf0\n[ 1987.343662] ? do_error_trap+0x75/0xa0\n[ 1987.347922] ? usercopy_abort+0x72/0x90\n[ 1987.352277] ? exc_invalid_op+0x57/0x80\n[ 1987.356634] ? usercopy_abort+0x72/0x90\n[ 1987.360988] ? asm_exc_invalid_op+0x1f/0x30\n[ 1987.365734] ? usercopy_abort+0x72/0x90\n[ 1987.370088] __check_heap_object+0xb7/0xd0\n[ 1987.374739] __check_object_size+0x175/0x2d0\n[ 1987.379588] idxd_copy_cr+0xa9/0x130 [idxd]\n[ 1987.384341] idxd_evl_fault_work+0x127/0x390 [idxd]\n[ 1987.389878] process_one_work+0x13e/0x300\n[ 1987.394435] ? __pfx_worker_thread+0x10/0x10\n[ 1987.399284] worker_thread+0x2f7/0x420\n[ 1987.403544] ? _raw_spin_unlock_irqrestore+0x2b/0x50\n[ 1987.409171] ? __pfx_worker_thread+0x10/0x10\n[ 1987.414019] kthread+0x107/0x140\n[ 1987.417693] ? __pfx_kthread+0x10/0x10\n[ 1987.421954] ret_from_fork+0x3d/0x60\n[ 1987.426019] ? __pfx_kthread+0x10/0x10\n[ 1987.430281] ret_from_fork_asm+0x1b/0x30\n[ 1987.434744] \u003c/TASK\u003e\n\nThe issue arises because event log cache is created using\nkmem_cache_create() which is not suitable for user copy.\n\nFix the issue by creating event log cache with\nkmem_cache_create_usercopy(), ensuring safe user copy." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:21.834Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5e3022ea42e490a36ec6f2cfa6fc603deb0bace4" }, { "url": "https://git.kernel.org/stable/c/bb71e040323175e18c233a9afef32ba14fa64eb7" }, { "url": "https://git.kernel.org/stable/c/d3ea125df37dc37972d581b74a5d3785c3f283ab" } ], "title": "dmaengine: idxd: Ensure safe user copy of completion record", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26746", "datePublished": "2024-04-04T08:20:13.846Z", "dateReserved": "2024-02-19T14:20:24.168Z", "dateUpdated": "2024-12-19T08:46:21.834Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26741
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().
syzkaller reported a warning [0] in inet_csk_destroy_sock() with no
repro.
WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);
However, the syzkaller's log hinted that connect() failed just before
the warning due to FAULT_INJECTION. [1]
When connect() is called for an unbound socket, we search for an
available ephemeral port. If a bhash bucket exists for the port, we
call __inet_check_established() or __inet6_check_established() to check
if the bucket is reusable.
If reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.
Later, we look up the corresponding bhash2 bucket and try to allocate
it if it does not exist.
Although it rarely occurs in real use, if the allocation fails, we must
revert the changes by check_established(). Otherwise, an unconnected
socket could illegally occupy an ehash entry.
Note that we do not put tw back into ehash because sk might have
already responded to a packet for tw and it would be better to free
tw earlier under such memory presure.
[0]:
WARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
Modules linked in:
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
Code: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05
RSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40
RDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8
RBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0
R13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000
FS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<TASK>
? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
dccp_close (net/dccp/proto.c:1078)
inet_release (net/ipv4/af_inet.c:434)
__sock_release (net/socket.c:660)
sock_close (net/socket.c:1423)
__fput (fs/file_table.c:377)
__fput_sync (fs/file_table.c:462)
__x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
RIP: 0033:0x7f03e53852bb
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44
RSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb
RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c
R10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000
R13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170
</TASK>
[1]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
should_failslab (mm/slub.c:3748)
kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)
inet_bind2_bucket_create
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.211Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/729bc77af438a6e67914c97f6f3d3af8f72c0131" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/334a8348b2df26526f3298848ad6864285592caf" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f8c4a6b850882bc47aaa864b720c7a2ee3102f39" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26741", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:47.535514Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:17.118Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv4/inet_hashtables.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "729bc77af438a6e67914c97f6f3d3af8f72c0131", "status": "affected", "version": "28044fc1d4953b07acec0da4d2fc4784c57ea6fb", "versionType": "git" }, { "lessThan": "334a8348b2df26526f3298848ad6864285592caf", "status": "affected", "version": "28044fc1d4953b07acec0da4d2fc4784c57ea6fb", "versionType": "git" }, { "lessThan": "f8c4a6b850882bc47aaa864b720c7a2ee3102f39", "status": "affected", "version": "28044fc1d4953b07acec0da4d2fc4784c57ea6fb", "versionType": "git" }, { "lessThan": "66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f", "status": "affected", "version": "28044fc1d4953b07acec0da4d2fc4784c57ea6fb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv4/inet_hashtables.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().\n\nsyzkaller reported a warning [0] in inet_csk_destroy_sock() with no\nrepro.\n\n WARN_ON(inet_sk(sk)-\u003einet_num \u0026\u0026 !inet_csk(sk)-\u003eicsk_bind_hash);\n\nHowever, the syzkaller\u0027s log hinted that connect() failed just before\nthe warning due to FAULT_INJECTION. [1]\n\nWhen connect() is called for an unbound socket, we search for an\navailable ephemeral port. If a bhash bucket exists for the port, we\ncall __inet_check_established() or __inet6_check_established() to check\nif the bucket is reusable.\n\nIf reusable, we add the socket into ehash and set inet_sk(sk)-\u003einet_num.\n\nLater, we look up the corresponding bhash2 bucket and try to allocate\nit if it does not exist.\n\nAlthough it rarely occurs in real use, if the allocation fails, we must\nrevert the changes by check_established(). Otherwise, an unconnected\nsocket could illegally occupy an ehash entry.\n\nNote that we do not put tw back into ehash because sk might have\nalready responded to a packet for tw and it would be better to free\ntw earlier under such memory presure.\n\n[0]:\nWARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nModules linked in:\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nCode: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd \u003c0f\u003e 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05\nRSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40\nRDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8\nRBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000\nR10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0\nR13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000\nFS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\n dccp_close (net/dccp/proto.c:1078)\n inet_release (net/ipv4/af_inet.c:434)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:377)\n __fput_sync (fs/file_table.c:462)\n __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\nRIP: 0033:0x7f03e53852bb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44\nRSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb\nRDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c\nR10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000\nR13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170\n \u003c/TASK\u003e\n\n[1]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3748)\n kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)\n inet_bind2_bucket_create \n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:15.761Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/729bc77af438a6e67914c97f6f3d3af8f72c0131" }, { "url": "https://git.kernel.org/stable/c/334a8348b2df26526f3298848ad6864285592caf" }, { "url": "https://git.kernel.org/stable/c/f8c4a6b850882bc47aaa864b720c7a2ee3102f39" }, { "url": "https://git.kernel.org/stable/c/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f" } ], "title": "dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26741", "datePublished": "2024-04-03T17:00:26.276Z", "dateReserved": "2024-02-19T14:20:24.167Z", "dateUpdated": "2024-12-19T08:46:15.761Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26792
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free of anonymous device after snapshot creation failure
When creating a snapshot we may do a double free of an anonymous device
in case there's an error committing the transaction. The second free may
result in freeing an anonymous device number that was allocated by some
other subsystem in the kernel or another btrfs filesystem.
The steps that lead to this:
1) At ioctl.c:create_snapshot() we allocate an anonymous device number
and assign it to pending_snapshot->anon_dev;
2) Then we call btrfs_commit_transaction() and end up at
transaction.c:create_pending_snapshot();
3) There we call btrfs_get_new_fs_root() and pass it the anonymous device
number stored in pending_snapshot->anon_dev;
4) btrfs_get_new_fs_root() frees that anonymous device number because
btrfs_lookup_fs_root() returned a root - someone else did a lookup
of the new root already, which could some task doing backref walking;
5) After that some error happens in the transaction commit path, and at
ioctl.c:create_snapshot() we jump to the 'fail' label, and after
that we free again the same anonymous device number, which in the
meanwhile may have been reallocated somewhere else, because
pending_snapshot->anon_dev still has the same value as in step 1.
Recently syzbot ran into this and reported the following trace:
------------[ cut here ]------------
ida_free called for id=51 which is not allocated.
WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
Modules linked in:
CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
Code: 10 42 80 3c 28 (...)
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246
RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000
RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4
R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246
R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246
FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0
Call Trace:
<TASK>
btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346
create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837
create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931
btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404
create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848
btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998
btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044
__btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306
btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393
btrfs_ioctl+0xa74/0xd40
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fca3e67dda9
Code: 28 00 00 00 (...)
RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9
RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003
RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658
</TASK>
Where we get an explicit message where we attempt to free an anonymous
device number that is not currently allocated. It happens in a different
code path from the example below, at btrfs_get_root_ref(), so this change
may not fix the case triggered by sy
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 66b317a2fc45b2ef66527ee3f8fa08fb5beab88d Version: 833775656d447c545133a744a0ed1e189ce61430 Version: 5a172344bfdabb46458e03708735d7b1a918c468 Version: e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.341Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c34adc20b91a8e55e048b18d63f4f4ae003ecf8f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eb3441093aad251418921246fc3b224fd1575701" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c8ab7521665bd0f8bc4a900244d1d5a7095cc3b9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e2b54eaf28df0c978626c9736b94f003b523b451" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26792", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:50:55.740284Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:49.282Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/disk-io.c", "fs/btrfs/disk-io.h", "fs/btrfs/ioctl.c", "fs/btrfs/transaction.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c34adc20b91a8e55e048b18d63f4f4ae003ecf8f", "status": "affected", "version": "66b317a2fc45b2ef66527ee3f8fa08fb5beab88d", "versionType": "git" }, { "lessThan": "eb3441093aad251418921246fc3b224fd1575701", "status": "affected", "version": "833775656d447c545133a744a0ed1e189ce61430", "versionType": "git" }, { "lessThan": "c8ab7521665bd0f8bc4a900244d1d5a7095cc3b9", "status": "affected", "version": "5a172344bfdabb46458e03708735d7b1a918c468", "versionType": "git" }, { "lessThan": "e2b54eaf28df0c978626c9736b94f003b523b451", "status": "affected", "version": "e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/disk-io.c", "fs/btrfs/disk-io.h", "fs/btrfs/ioctl.c", "fs/btrfs/transaction.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6.1.81", "status": "affected", "version": "6.1.79", "versionType": "semver" }, { "lessThan": "6.6.21", "status": "affected", "version": "6.6.18", "versionType": "semver" }, { "lessThan": "6.7.9", "status": "affected", "version": "6.7.6", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of anonymous device after snapshot creation failure\n\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there\u0027s an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\n\nThe steps that lead to this:\n\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n and assign it to pending_snapshot-\u003eanon_dev;\n\n2) Then we call btrfs_commit_transaction() and end up at\n transaction.c:create_pending_snapshot();\n\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n number stored in pending_snapshot-\u003eanon_dev;\n\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n btrfs_lookup_fs_root() returned a root - someone else did a lookup\n of the new root already, which could some task doing backref walking;\n\n5) After that some error happens in the transaction commit path, and at\n ioctl.c:create_snapshot() we jump to the \u0027fail\u0027 label, and after\n that we free again the same anonymous device number, which in the\n meanwhile may have been reallocated somewhere else, because\n pending_snapshot-\u003eanon_dev still has the same value as in step 1.\n\nRecently syzbot ran into this and reported the following trace:\n\n ------------[ cut here ]------------\n ida_free called for id=51 which is not allocated.\n WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n Modules linked in:\n CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n Code: 10 42 80 3c 28 (...)\n RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n btrfs_ioctl+0xa74/0xd40\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:871 [inline]\n __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7fca3e67dda9\n Code: 28 00 00 00 (...)\n RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n \u003c/TASK\u003e\n\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:32.555Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c34adc20b91a8e55e048b18d63f4f4ae003ecf8f" }, { "url": "https://git.kernel.org/stable/c/eb3441093aad251418921246fc3b224fd1575701" }, { "url": "https://git.kernel.org/stable/c/c8ab7521665bd0f8bc4a900244d1d5a7095cc3b9" }, { "url": "https://git.kernel.org/stable/c/e2b54eaf28df0c978626c9736b94f003b523b451" } ], "title": "btrfs: fix double free of anonymous device after snapshot creation failure", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26792", "datePublished": "2024-04-04T08:20:23.075Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:32.555Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26690
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: protect updates of 64-bit statistics counters
As explained by a comment in <linux/u64_stats_sync.h>, write side of struct
u64_stats_sync must ensure mutual exclusion, or one seqcount update could
be lost on 32-bit platforms, thus blocking readers forever. Such lockups
have been observed in real world after stmmac_xmit() on one CPU raced with
stmmac_napi_poll_tx() on another CPU.
To fix the issue without introducing a new lock, split the statics into
three parts:
1. fields updated only under the tx queue lock,
2. fields updated only during NAPI poll,
3. fields updated only from interrupt context,
Updates to fields in the first two groups are already serialized through
other locks. It is sufficient to split the existing struct u64_stats_sync
so that each group has its own.
Note that tx_set_ic_bit is updated from both contexts. Split this counter
so that each context gets its own, and calculate their sum to get the total
value in stmmac_get_ethtool_stats().
For the third group, multiple interrupts may be processed by different CPUs
at the same time, but interrupts on the same CPU will not nest. Move fields
from this group to a newly created per-cpu struct stmmac_pcpu_stats.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26690", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:17:50.464139Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T15:20:28.318Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.694Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9680b2ab54ba8d72581100e8c45471306101836e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e6af0f082a4b87b99ad033003be2a904a1791b3f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/38cc3c6dcc09dc3a1800b5ec22aef643ca11eab8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/common.h", "drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c", "drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c", "drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c", "drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c", "drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c", "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9680b2ab54ba8d72581100e8c45471306101836e", "status": "affected", "version": "133466c3bbe171f826294161db203f7670bb30c8", "versionType": "git" }, { "lessThan": "e6af0f082a4b87b99ad033003be2a904a1791b3f", "status": "affected", "version": "133466c3bbe171f826294161db203f7670bb30c8", "versionType": "git" }, { "lessThan": "38cc3c6dcc09dc3a1800b5ec22aef643ca11eab8", "status": "affected", "version": "133466c3bbe171f826294161db203f7670bb30c8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/common.h", "drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c", "drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c", "drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c", "drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c", "drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c", "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: protect updates of 64-bit statistics counters\n\nAs explained by a comment in \u003clinux/u64_stats_sync.h\u003e, write side of struct\nu64_stats_sync must ensure mutual exclusion, or one seqcount update could\nbe lost on 32-bit platforms, thus blocking readers forever. Such lockups\nhave been observed in real world after stmmac_xmit() on one CPU raced with\nstmmac_napi_poll_tx() on another CPU.\n\nTo fix the issue without introducing a new lock, split the statics into\nthree parts:\n\n1. fields updated only under the tx queue lock,\n2. fields updated only during NAPI poll,\n3. fields updated only from interrupt context,\n\nUpdates to fields in the first two groups are already serialized through\nother locks. It is sufficient to split the existing struct u64_stats_sync\nso that each group has its own.\n\nNote that tx_set_ic_bit is updated from both contexts. Split this counter\nso that each context gets its own, and calculate their sum to get the total\nvalue in stmmac_get_ethtool_stats().\n\nFor the third group, multiple interrupts may be processed by different CPUs\nat the same time, but interrupts on the same CPU will not nest. Move fields\nfrom this group to a newly created per-cpu struct stmmac_pcpu_stats." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:09.774Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9680b2ab54ba8d72581100e8c45471306101836e" }, { "url": "https://git.kernel.org/stable/c/e6af0f082a4b87b99ad033003be2a904a1791b3f" }, { "url": "https://git.kernel.org/stable/c/38cc3c6dcc09dc3a1800b5ec22aef643ca11eab8" } ], "title": "net: stmmac: protect updates of 64-bit statistics counters", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26690", "datePublished": "2024-04-03T14:54:51.709Z", "dateReserved": "2024-02-19T14:20:24.154Z", "dateUpdated": "2024-12-19T08:45:09.774Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26793
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
The gtp_link_ops operations structure for the subsystem must be
registered after registering the gtp_net_ops pernet operations structure.
Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
[ 1010.702740] gtp: GTP module unloaded
[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1
[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]
[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00
[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203
[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000
[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282
[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000
[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80
[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400
[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000
[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0
[ 1010.715968] PKRU: 55555554
[ 1010.715972] Call Trace:
[ 1010.715985] ? __die_body.cold+0x1a/0x1f
[ 1010.715995] ? die_addr+0x43/0x70
[ 1010.716002] ? exc_general_protection+0x199/0x2f0
[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30
[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]
[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]
[ 1010.716042] __rtnl_newlink+0x1063/0x1700
[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0
[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0
[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0
[ 1010.716076] ? __kernel_text_address+0x56/0xa0
[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0
[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30
[ 1010.716098] ? arch_stack_walk+0x9e/0xf0
[ 1010.716106] ? stack_trace_save+0x91/0xd0
[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170
[ 1010.716121] ? __lock_acquire+0x15c5/0x5380
[ 1010.716139] ? mark_held_locks+0x9e/0xe0
[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0
[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700
[ 1010.716160] rtnl_newlink+0x69/0xa0
[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50
[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0
[ 1010.716179] ? lock_acquire+0x1fe/0x560
[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50
[ 1010.716196] netlink_rcv_skb+0x14d/0x440
[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0
[ 1010.716208] ? netlink_ack+0xab0/0xab0
[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50
[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50
[ 1010.716226] ? __virt_addr_valid+0x30b/0x590
[ 1010.716233] netlink_unicast+0x54b/0x800
[ 1010.716240] ? netlink_attachskb+0x870/0x870
[ 1010.716248] ? __check_object_size+0x2de/0x3b0
[ 1010.716254] netlink_sendmsg+0x938/0xe40
[ 1010.716261] ? netlink_unicast+0x800/0x800
[ 1010.716269] ? __import_iovec+0x292/0x510
[ 1010.716276] ? netlink_unicast+0x800/0x800
[ 1010.716284] __sock_sendmsg+0x159/0x190
[ 1010.716290] ____sys_sendmsg+0x712/0x880
[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0
[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270
[ 1010.716309] ? lock_acquire+0x1fe/0x560
[ 1010.716315] ? drain_array_locked+0x90/0x90
[ 1010.716324] ___sys_sendmsg+0xf8/0x170
[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170
[ 1010.716337] ? lockdep_init_map
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 Version: 459aa660eb1d8ce67080da1983bb81d716aa5a69 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.475Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26793", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:50:52.672497Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:48.724Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/gtp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "01129059d5141d62fae692f7a336ae3bc712d3eb", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "e668b92a3a01429923fd5ca13e99642aab47de69", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "9376d059a705c5dfaac566c2d09891242013ae16", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "abd32d7f5c0294c1b2454c5a3b13b18446bac627", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "93dd420bc41531c9a31498b9538ca83ba6ec191e", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" }, { "lessThan": "616d82c3cfa2a2146dd7e3ae47bda7e877ee549e", "status": "affected", "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/gtp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.7" }, { "lessThan": "4.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.309", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\n\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\n\nSyzkaller hit \u0027general protection fault in gtp_genl_dump_pdp\u0027 bug:\n\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985] ? __die_body.cold+0x1a/0x1f\n[ 1010.715995] ? die_addr+0x43/0x70\n[ 1010.716002] ? exc_general_protection+0x199/0x2f0\n[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30\n[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042] __rtnl_newlink+0x1063/0x1700\n[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076] ? __kernel_text_address+0x56/0xa0\n[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098] ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106] ? stack_trace_save+0x91/0xd0\n[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121] ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139] ? mark_held_locks+0x9e/0xe0\n[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160] rtnl_newlink+0x69/0xa0\n[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179] ? lock_acquire+0x1fe/0x560\n[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196] netlink_rcv_skb+0x14d/0x440\n[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208] ? netlink_ack+0xab0/0xab0\n[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226] ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233] netlink_unicast+0x54b/0x800\n[ 1010.716240] ? netlink_attachskb+0x870/0x870\n[ 1010.716248] ? __check_object_size+0x2de/0x3b0\n[ 1010.716254] netlink_sendmsg+0x938/0xe40\n[ 1010.716261] ? netlink_unicast+0x800/0x800\n[ 1010.716269] ? __import_iovec+0x292/0x510\n[ 1010.716276] ? netlink_unicast+0x800/0x800\n[ 1010.716284] __sock_sendmsg+0x159/0x190\n[ 1010.716290] ____sys_sendmsg+0x712/0x880\n[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309] ? lock_acquire+0x1fe/0x560\n[ 1010.716315] ? drain_array_locked+0x90/0x90\n[ 1010.716324] ___sys_sendmsg+0xf8/0x170\n[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337] ? lockdep_init_map\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:33.931Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb" }, { "url": "https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6" }, { "url": "https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69" }, { "url": "https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16" }, { "url": "https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627" }, { "url": "https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e" }, { "url": "https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8" }, { "url": "https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e" } ], "title": "gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26793", "datePublished": "2024-04-04T08:20:23.771Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:33.931Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26804
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ip_tunnel: prevent perpetual headroom growth
syzkaller triggered following kasan splat:
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191
[..]
kasan_report+0xda/0x110 mm/kasan/report.c:588
__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]
___skb_get_hash net/core/flow_dissector.c:1791 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
skb_get_hash include/linux/skbuff.h:1556 [inline]
ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748
ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
__dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592
...
ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235
ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
..
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831
ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
...
The splat occurs because skb->data points past skb->head allocated area.
This is because neigh layer does:
__skb_pull(skb, skb_network_offset(skb));
... but skb_network_offset() returns a negative offset and __skb_pull()
arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value.
The negative value is returned because skb->head and skb->data distance is
more than 64k and skb->network_header (u16) has wrapped around.
The bug is in the ip_tunnel infrastructure, which can cause
dev->needed_headroom to increment ad infinitum.
The syzkaller reproducer consists of packets getting routed via a gre
tunnel, and route of gre encapsulated packets pointing at another (ipip)
tunnel. The ipip encapsulation finds gre0 as next output device.
This results in the following pattern:
1). First packet is to be sent out via gre0.
Route lookup found an output device, ipip0.
2).
ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future
output device, rt.dev->needed_headroom (ipip0).
3).
ip output / start_xmit moves skb on to ipip0. which runs the same
code path again (xmit recursion).
4).
Routing step for the post-gre0-encap packet finds gre0 as output device
to use for ipip0 encapsulated packet.
tunl0->needed_headroom is then incremented based on the (already bumped)
gre0 device headroom.
This repeats for every future packet:
gre0->needed_headroom gets inflated because previous packets' ipip0 step
incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0
needed_headroom was increased.
For each subsequent packet, gre/ipip0->needed_headroom grows until
post-expand-head reallocations result in a skb->head/data distance of
more than 64k.
Once that happens, skb->network_header (u16) wraps around when
pskb_expand_head tries to make sure that skb_network_offset() is unchanged
after the headroom expansion/reallocation.
After this skb_network_offset(skb) returns a different (and negative)
result post headroom expansion.
The next trip to neigh layer (or anything else that would __skb_pull the
network header) makes skb->data point to a memory location outside
skb->head area.
v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to
prevent perpetual increase instead of dropping the headroom increment
completely.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 243aad830e8a4cdda261626fbaeddde16b08d04a Version: 243aad830e8a4cdda261626fbaeddde16b08d04a Version: 243aad830e8a4cdda261626fbaeddde16b08d04a Version: 243aad830e8a4cdda261626fbaeddde16b08d04a Version: 243aad830e8a4cdda261626fbaeddde16b08d04a Version: 243aad830e8a4cdda261626fbaeddde16b08d04a Version: 243aad830e8a4cdda261626fbaeddde16b08d04a |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26804", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T16:26:17.359512Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-12T16:40:15.613Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.557Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv4/ip_tunnel.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f81e94d2dcd2397137edcb8b85f4c5bed5d22383", "status": "affected", "version": "243aad830e8a4cdda261626fbaeddde16b08d04a", "versionType": "git" }, { "lessThan": "2e95350fe9db9d53c701075060ac8ac883b68aee", "status": "affected", "version": "243aad830e8a4cdda261626fbaeddde16b08d04a", "versionType": "git" }, { "lessThan": "afec0c5cd2ed71ca95a8b36a5e6d03333bf34282", "status": "affected", "version": "243aad830e8a4cdda261626fbaeddde16b08d04a", "versionType": "git" }, { "lessThan": "ab63de24ebea36fe73ac7121738595d704b66d96", "status": "affected", "version": "243aad830e8a4cdda261626fbaeddde16b08d04a", "versionType": "git" }, { "lessThan": "a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9", "status": "affected", "version": "243aad830e8a4cdda261626fbaeddde16b08d04a", "versionType": "git" }, { "lessThan": "049d7989c67e8dd50f07a2096dbafdb41331fb9b", "status": "affected", "version": "243aad830e8a4cdda261626fbaeddde16b08d04a", "versionType": "git" }, { "lessThan": "5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f", "status": "affected", "version": "243aad830e8a4cdda261626fbaeddde16b08d04a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv4/ip_tunnel.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.34" }, { "lessThan": "2.6.34", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb-\u003edata points past skb-\u003ehead allocated area.\nThis is because neigh layer does:\n __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned. IOW, we skb-\u003edata gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb-\u003ehead and skb-\u003edata distance is\nmore than 64k and skb-\u003enetwork_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev-\u003eneeded_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel. The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0-\u003eneeded_headroom based on the future\noutput device, rt.dev-\u003eneeded_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0-\u003eneeded_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0-\u003eneeded_headroom gets inflated because previous packets\u0027 ipip0 step\nincremented rt-\u003edev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0-\u003eneeded_headroom grows until\npost-expand-head reallocations result in a skb-\u003ehead/data distance of\nmore than 64k.\n\nOnce that happens, skb-\u003enetwork_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb-\u003edata point to a memory location outside\nskb-\u003ehead area.\n\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:47.405Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383" }, { "url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee" }, { "url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282" }, { "url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96" }, { "url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9" }, { "url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b" }, { "url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f" } ], "title": "net: ip_tunnel: prevent perpetual headroom growth", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26804", "datePublished": "2024-04-04T08:20:31.305Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:47.405Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26695
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
The SEV platform device can be shutdown with a null psp_master,
e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:
[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)
[ 137.162647] ccp 0000:23:00.1: no command queues available
[ 137.170598] ccp 0000:23:00.1: sev enabled
[ 137.174645] ccp 0000:23:00.1: psp enabled
[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]
[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311
[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180
[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c
[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216
[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e
[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0
[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66
[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28
[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8
[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000
[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0
[ 137.182693] Call Trace:
[ 137.182693] <TASK>
[ 137.182693] ? show_regs+0x6c/0x80
[ 137.182693] ? __die_body+0x24/0x70
[ 137.182693] ? die_addr+0x4b/0x80
[ 137.182693] ? exc_general_protection+0x126/0x230
[ 137.182693] ? asm_exc_general_protection+0x2b/0x30
[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180
[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80
[ 137.182693] sev_dev_destroy+0x49/0x100
[ 137.182693] psp_dev_destroy+0x47/0xb0
[ 137.182693] sp_destroy+0xbb/0x240
[ 137.182693] sp_pci_remove+0x45/0x60
[ 137.182693] pci_device_remove+0xaa/0x1d0
[ 137.182693] device_remove+0xc7/0x170
[ 137.182693] really_probe+0x374/0xbe0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] __driver_probe_device+0x199/0x460
[ 137.182693] driver_probe_device+0x4e/0xd0
[ 137.182693] __driver_attach+0x191/0x3d0
[ 137.182693] ? __pfx___driver_attach+0x10/0x10
[ 137.182693] bus_for_each_dev+0x100/0x190
[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10
[ 137.182693] ? __kasan_check_read+0x15/0x20
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? _raw_spin_unlock+0x27/0x50
[ 137.182693] driver_attach+0x41/0x60
[ 137.182693] bus_add_driver+0x2a8/0x580
[ 137.182693] driver_register+0x141/0x480
[ 137.182693] __pci_register_driver+0x1d6/0x2a0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0
[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693] sp_pci_init+0x22/0x30
[ 137.182693] sp_mod_init+0x14/0x30
[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693] do_one_initcall+0xd1/0x470
[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10
[ 137.182693] ? parameq+0x80/0xf0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? __kmalloc+0x3b0/0x4e0
[ 137.182693] ? kernel_init_freeable+0x92d/0x1050
[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] kernel_init_freeable+0xa64/0x1050
[ 137.182693] ? __pfx_kernel_init+0x10/0x10
[ 137.182693] kernel_init+0x24/0x160
[ 137.182693] ? __switch_to_asm+0x3e/0x70
[ 137.182693] ret_from_fork+0x40/0x80
[ 137.182693] ? __pfx_kernel_init+0x1
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 87af9b0b45666ca3dd6b10c0ece691c740b0f750 Version: f831d2882c843d44100016aeb4332e9c4b560805 Version: 1b05ece0c931536c0a38a9385e243a7962e933f6 Version: 1b05ece0c931536c0a38a9385e243a7962e933f6 Version: 1b05ece0c931536c0a38a9385e243a7962e933f6 Version: 1b05ece0c931536c0a38a9385e243a7962e933f6 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.671Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/58054faf3bd29cd0b949b77efcb6157f66f401ed" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7535ec350a5f09b5756a7607f5582913f21200f4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8731fe001a60581794ed9cf65da8cd304846a6fb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/88aa493f393d2ee38ac140e1f6ac1881346e85d4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b5909f197f3b26aebedca7d8ac7b688fd993a266" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ccb88e9549e7cfd8bcd511c538f437e20026e983" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26695", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:57.346229Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:32:55.424Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/crypto/ccp/sev-dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "58054faf3bd29cd0b949b77efcb6157f66f401ed", "status": "affected", "version": "87af9b0b45666ca3dd6b10c0ece691c740b0f750", "versionType": "git" }, { "lessThan": "7535ec350a5f09b5756a7607f5582913f21200f4", "status": "affected", "version": "f831d2882c843d44100016aeb4332e9c4b560805", "versionType": "git" }, { "lessThan": "8731fe001a60581794ed9cf65da8cd304846a6fb", "status": "affected", "version": "1b05ece0c931536c0a38a9385e243a7962e933f6", "versionType": "git" }, { "lessThan": "88aa493f393d2ee38ac140e1f6ac1881346e85d4", "status": "affected", "version": "1b05ece0c931536c0a38a9385e243a7962e933f6", "versionType": "git" }, { "lessThan": "b5909f197f3b26aebedca7d8ac7b688fd993a266", "status": "affected", "version": "1b05ece0c931536c0a38a9385e243a7962e933f6", "versionType": "git" }, { "lessThan": "ccb88e9549e7cfd8bcd511c538f437e20026e983", "status": "affected", "version": "1b05ece0c931536c0a38a9385e243a7962e933f6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/crypto/ccp/sev-dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked\n\nThe SEV platform device can be shutdown with a null psp_master,\ne.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:\n\n[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -\u003e 0002)\n[ 137.162647] ccp 0000:23:00.1: no command queues available\n[ 137.170598] ccp 0000:23:00.1: sev enabled\n[ 137.174645] ccp 0000:23:00.1: psp enabled\n[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]\n[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311\n[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 \u003c80\u003e 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c\n[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216\n[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e\n[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0\n[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66\n[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28\n[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8\n[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000\n[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0\n[ 137.182693] Call Trace:\n[ 137.182693] \u003cTASK\u003e\n[ 137.182693] ? show_regs+0x6c/0x80\n[ 137.182693] ? __die_body+0x24/0x70\n[ 137.182693] ? die_addr+0x4b/0x80\n[ 137.182693] ? exc_general_protection+0x126/0x230\n[ 137.182693] ? asm_exc_general_protection+0x2b/0x30\n[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80\n[ 137.182693] sev_dev_destroy+0x49/0x100\n[ 137.182693] psp_dev_destroy+0x47/0xb0\n[ 137.182693] sp_destroy+0xbb/0x240\n[ 137.182693] sp_pci_remove+0x45/0x60\n[ 137.182693] pci_device_remove+0xaa/0x1d0\n[ 137.182693] device_remove+0xc7/0x170\n[ 137.182693] really_probe+0x374/0xbe0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] __driver_probe_device+0x199/0x460\n[ 137.182693] driver_probe_device+0x4e/0xd0\n[ 137.182693] __driver_attach+0x191/0x3d0\n[ 137.182693] ? __pfx___driver_attach+0x10/0x10\n[ 137.182693] bus_for_each_dev+0x100/0x190\n[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10\n[ 137.182693] ? __kasan_check_read+0x15/0x20\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? _raw_spin_unlock+0x27/0x50\n[ 137.182693] driver_attach+0x41/0x60\n[ 137.182693] bus_add_driver+0x2a8/0x580\n[ 137.182693] driver_register+0x141/0x480\n[ 137.182693] __pci_register_driver+0x1d6/0x2a0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] sp_pci_init+0x22/0x30\n[ 137.182693] sp_mod_init+0x14/0x30\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] do_one_initcall+0xd1/0x470\n[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10\n[ 137.182693] ? parameq+0x80/0xf0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? __kmalloc+0x3b0/0x4e0\n[ 137.182693] ? kernel_init_freeable+0x92d/0x1050\n[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] kernel_init_freeable+0xa64/0x1050\n[ 137.182693] ? __pfx_kernel_init+0x10/0x10\n[ 137.182693] kernel_init+0x24/0x160\n[ 137.182693] ? __switch_to_asm+0x3e/0x70\n[ 137.182693] ret_from_fork+0x40/0x80\n[ 137.182693] ? __pfx_kernel_init+0x1\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:20.900Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/58054faf3bd29cd0b949b77efcb6157f66f401ed" }, { "url": "https://git.kernel.org/stable/c/7535ec350a5f09b5756a7607f5582913f21200f4" }, { "url": "https://git.kernel.org/stable/c/8731fe001a60581794ed9cf65da8cd304846a6fb" }, { "url": "https://git.kernel.org/stable/c/88aa493f393d2ee38ac140e1f6ac1881346e85d4" }, { "url": "https://git.kernel.org/stable/c/b5909f197f3b26aebedca7d8ac7b688fd993a266" }, { "url": "https://git.kernel.org/stable/c/ccb88e9549e7cfd8bcd511c538f437e20026e983" } ], "title": "crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26695", "datePublished": "2024-04-03T14:54:56.184Z", "dateReserved": "2024-02-19T14:20:24.156Z", "dateUpdated": "2024-12-19T08:45:20.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26702
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
Recently, we encounter kernel crash in function rm3100_common_probe
caused by out of bound access of array rm3100_samp_rates (because of
underlying hardware failures). Add boundary check to prevent out of
bound access.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 121354b2eceb2669ebdffa76b105ad6c03413966 Version: 121354b2eceb2669ebdffa76b105ad6c03413966 Version: 121354b2eceb2669ebdffa76b105ad6c03413966 Version: 121354b2eceb2669ebdffa76b105ad6c03413966 Version: 121354b2eceb2669ebdffa76b105ad6c03413966 Version: 121354b2eceb2669ebdffa76b105ad6c03413966 Version: 121354b2eceb2669ebdffa76b105ad6c03413966 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26702", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:20:17.184977Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-05T15:06:19.230Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.653Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7200170e88e3ec54d9e9c63f07514c3cead11481" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/36a49290d7e6d554020057a409747a092b1d3b56" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8d5838a473e8e6d812257c69745f5920e4924a60" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/176256ff8abff29335ecff905a09fb49e8dcf513" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1d8c67e94e9e977603473a543d4f322cf2c4aa01" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/57d05dbbcd0b3dc0c252103b43012eef5d6430d1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/792595bab4925aa06532a14dd256db523eb4fa5e" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iio/magnetometer/rm3100-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7200170e88e3ec54d9e9c63f07514c3cead11481", "status": "affected", "version": "121354b2eceb2669ebdffa76b105ad6c03413966", "versionType": "git" }, { "lessThan": "36a49290d7e6d554020057a409747a092b1d3b56", "status": "affected", "version": "121354b2eceb2669ebdffa76b105ad6c03413966", "versionType": "git" }, { "lessThan": "8d5838a473e8e6d812257c69745f5920e4924a60", "status": "affected", "version": "121354b2eceb2669ebdffa76b105ad6c03413966", "versionType": "git" }, { "lessThan": "176256ff8abff29335ecff905a09fb49e8dcf513", "status": "affected", "version": "121354b2eceb2669ebdffa76b105ad6c03413966", "versionType": "git" }, { "lessThan": "1d8c67e94e9e977603473a543d4f322cf2c4aa01", "status": "affected", "version": "121354b2eceb2669ebdffa76b105ad6c03413966", "versionType": "git" }, { "lessThan": "57d05dbbcd0b3dc0c252103b43012eef5d6430d1", "status": "affected", "version": "121354b2eceb2669ebdffa76b105ad6c03413966", "versionType": "git" }, { "lessThan": "792595bab4925aa06532a14dd256db523eb4fa5e", "status": "affected", "version": "121354b2eceb2669ebdffa76b105ad6c03413966", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iio/magnetometer/rm3100-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.269", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\n\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:28.420Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7200170e88e3ec54d9e9c63f07514c3cead11481" }, { "url": "https://git.kernel.org/stable/c/36a49290d7e6d554020057a409747a092b1d3b56" }, { "url": "https://git.kernel.org/stable/c/8d5838a473e8e6d812257c69745f5920e4924a60" }, { "url": "https://git.kernel.org/stable/c/176256ff8abff29335ecff905a09fb49e8dcf513" }, { "url": "https://git.kernel.org/stable/c/1d8c67e94e9e977603473a543d4f322cf2c4aa01" }, { "url": "https://git.kernel.org/stable/c/57d05dbbcd0b3dc0c252103b43012eef5d6430d1" }, { "url": "https://git.kernel.org/stable/c/792595bab4925aa06532a14dd256db523eb4fa5e" } ], "title": "iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26702", "datePublished": "2024-04-03T14:55:01.025Z", "dateReserved": "2024-02-19T14:20:24.157Z", "dateUpdated": "2024-12-19T08:45:28.420Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26772
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
Places the logic for checking if the group's block bitmap is corrupt under
the protection of the group lock to avoid allocating blocks from the group
with a corrupted block bitmap.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26772", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T19:16:02.816411Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T15:30:43.236Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.428Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5a6dcc4ad0f7f7fa8e8d127b5526e7c5f2d38a43" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6b92b1bc16d691c95b152c6dbf027ad64315668d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ffeb72a80a82aba59a6774b0611f792e0ed3b0b7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8de8305a25bfda607fc13475ebe84b978c96d7ff" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d639102f4cbd4cb65d1225dba3b9265596aab586" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d3bbe77a76bc52e9d4d0a120f1509be36e25c916" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/21dbe20589c7f48e9c5d336ce6402bcebfa6d76a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/832698373a25950942c04a512daa652c18a9b513" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5a6dcc4ad0f7f7fa8e8d127b5526e7c5f2d38a43", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6b92b1bc16d691c95b152c6dbf027ad64315668d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ffeb72a80a82aba59a6774b0611f792e0ed3b0b7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8de8305a25bfda607fc13475ebe84b978c96d7ff", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d639102f4cbd4cb65d1225dba3b9265596aab586", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d3bbe77a76bc52e9d4d0a120f1509be36e25c916", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "21dbe20589c7f48e9c5d336ce6402bcebfa6d76a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "832698373a25950942c04a512daa652c18a9b513", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\n\nPlaces the logic for checking if the group\u0027s block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:08.530Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5a6dcc4ad0f7f7fa8e8d127b5526e7c5f2d38a43" }, { "url": "https://git.kernel.org/stable/c/6b92b1bc16d691c95b152c6dbf027ad64315668d" }, { "url": "https://git.kernel.org/stable/c/ffeb72a80a82aba59a6774b0611f792e0ed3b0b7" }, { "url": "https://git.kernel.org/stable/c/8de8305a25bfda607fc13475ebe84b978c96d7ff" }, { "url": "https://git.kernel.org/stable/c/d639102f4cbd4cb65d1225dba3b9265596aab586" }, { "url": "https://git.kernel.org/stable/c/d3bbe77a76bc52e9d4d0a120f1509be36e25c916" }, { "url": "https://git.kernel.org/stable/c/21dbe20589c7f48e9c5d336ce6402bcebfa6d76a" }, { "url": "https://git.kernel.org/stable/c/832698373a25950942c04a512daa652c18a9b513" } ], "title": "ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26772", "datePublished": "2024-04-03T17:00:58.733Z", "dateReserved": "2024-02-19T14:20:24.176Z", "dateUpdated": "2024-12-19T08:47:08.530Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26779
Vulnerability from cvelistv5
Published
2024-04-03 17:01
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix race condition on enabling fast-xmit
fast-xmit must only be enabled after the sta has been uploaded to the driver,
otherwise it could end up passing the not-yet-uploaded sta via drv_tx calls
to the driver, leading to potential crashes because of uninitialized drv_priv
data.
Add a missing sta->uploaded check and re-check fast xmit after inserting a sta.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26779", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T19:22:50.891620Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T21:39:37.576Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.469Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/76fad1174a0cae6fc857b9f88b261a2e4f07d587" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/85720b69aef177318f4a18efbcc4302228a340e5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5ffab99e070b9f8ae0cf60c3c3602b84eee818dd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/88c18fd06608b3adee547102505d715f21075c9d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eb39bb548bf974acad7bd6780fe11f9e6652d696" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/54b79d8786964e2f840e8a2ec4a9f9a50f3d4954" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/281280276b70c822f55ce15b661f6d1d3228aaa9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/mac80211/sta_info.c", "net/mac80211/tx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "76fad1174a0cae6fc857b9f88b261a2e4f07d587", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "85720b69aef177318f4a18efbcc4302228a340e5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5ffab99e070b9f8ae0cf60c3c3602b84eee818dd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "88c18fd06608b3adee547102505d715f21075c9d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "eb39bb548bf974acad7bd6780fe11f9e6652d696", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "54b79d8786964e2f840e8a2ec4a9f9a50f3d4954", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "281280276b70c822f55ce15b661f6d1d3228aaa9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/mac80211/sta_info.c", "net/mac80211/tx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix race condition on enabling fast-xmit\n\nfast-xmit must only be enabled after the sta has been uploaded to the driver,\notherwise it could end up passing the not-yet-uploaded sta via drv_tx calls\nto the driver, leading to potential crashes because of uninitialized drv_priv\ndata.\nAdd a missing sta-\u003euploaded check and re-check fast xmit after inserting a sta." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:16.837Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/76fad1174a0cae6fc857b9f88b261a2e4f07d587" }, { "url": "https://git.kernel.org/stable/c/85720b69aef177318f4a18efbcc4302228a340e5" }, { "url": "https://git.kernel.org/stable/c/5ffab99e070b9f8ae0cf60c3c3602b84eee818dd" }, { "url": "https://git.kernel.org/stable/c/88c18fd06608b3adee547102505d715f21075c9d" }, { "url": "https://git.kernel.org/stable/c/eb39bb548bf974acad7bd6780fe11f9e6652d696" }, { "url": "https://git.kernel.org/stable/c/54b79d8786964e2f840e8a2ec4a9f9a50f3d4954" }, { "url": "https://git.kernel.org/stable/c/281280276b70c822f55ce15b661f6d1d3228aaa9" }, { "url": "https://git.kernel.org/stable/c/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f" } ], "title": "wifi: mac80211: fix race condition on enabling fast-xmit", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26779", "datePublished": "2024-04-03T17:01:09.807Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:16.837Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26776
Vulnerability from cvelistv5
Published
2024-04-03 17:01
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected
Return IRQ_NONE from the interrupt handler when no interrupt was
detected. Because an empty interrupt will cause a null pointer error:
Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000008
Call trace:
complete+0x54/0x100
hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]
__handle_irq_event_percpu+0x64/0x1e0
handle_irq_event+0x7c/0x1cc
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.413Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e94da8aca2e78ef9ecca02eb211869eacd5504e5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0399d7eba41d9b28f5bdd7757ec21a5b7046858d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f19361d570c67e7e014896fa2dacd7d721bf0aa8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d637b5118274701e8448f35953877daf04df18b4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e4168ac25b4bd378bd7dda322d589482a136c1fd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/de8b6e1c231a95abf95ad097b993d34b31458ec9" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26776", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:14.790934Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:54.556Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/spi/spi-hisi-sfc-v3xx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e94da8aca2e78ef9ecca02eb211869eacd5504e5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0399d7eba41d9b28f5bdd7757ec21a5b7046858d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f19361d570c67e7e014896fa2dacd7d721bf0aa8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d637b5118274701e8448f35953877daf04df18b4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e4168ac25b4bd378bd7dda322d589482a136c1fd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "de8b6e1c231a95abf95ad097b993d34b31458ec9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/spi/spi-hisi-sfc-v3xx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\n\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000008\n Call trace:\n complete+0x54/0x100\n hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n __handle_irq_event_percpu+0x64/0x1e0\n handle_irq_event+0x7c/0x1cc" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:13.266Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e94da8aca2e78ef9ecca02eb211869eacd5504e5" }, { "url": "https://git.kernel.org/stable/c/0399d7eba41d9b28f5bdd7757ec21a5b7046858d" }, { "url": "https://git.kernel.org/stable/c/f19361d570c67e7e014896fa2dacd7d721bf0aa8" }, { "url": "https://git.kernel.org/stable/c/d637b5118274701e8448f35953877daf04df18b4" }, { "url": "https://git.kernel.org/stable/c/e4168ac25b4bd378bd7dda322d589482a136c1fd" }, { "url": "https://git.kernel.org/stable/c/de8b6e1c231a95abf95ad097b993d34b31458ec9" } ], "title": "spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26776", "datePublished": "2024-04-03T17:01:02.116Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:13.266Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26785
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix protection fault in iommufd_test_syz_conv_iova
Syzkaller reported the following bug:
general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
Call Trace:
lock_acquire
lock_acquire+0x1ce/0x4f0
down_read+0x93/0x4a0
iommufd_test_syz_conv_iova+0x56/0x1f0
iommufd_test_access_rw.isra.0+0x2ec/0x390
iommufd_test+0x1058/0x1e30
iommufd_fops_ioctl+0x381/0x510
vfs_ioctl
__do_sys_ioctl
__se_sys_ioctl
__x64_sys_ioctl+0x170/0x1e0
do_syscall_x64
do_syscall_64+0x71/0x140
This is because the new iommufd_access_change_ioas() sets access->ioas to
NULL during its process, so the lock might be gone in a concurrent racing
context.
Fix this by doing the same access->ioas sanity as iommufd_access_rw() and
iommufd_access_pin_pages() functions do.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26785", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:19:21.902975Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T18:54:48.729Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.352Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iommu/iommufd/selftest.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fd4d5cd7a2e8f08357c9bfc0905957cffe8ce568", "status": "affected", "version": "9227da7816dd1a42e20d41e2244cb63c205477ca", "versionType": "git" }, { "lessThan": "fc719ecbca45c9c046640d72baddba3d83e0bc0b", "status": "affected", "version": "9227da7816dd1a42e20d41e2244cb63c205477ca", "versionType": "git" }, { "lessThan": "cf7c2789822db8b5efa34f5ebcf1621bc0008d48", "status": "affected", "version": "9227da7816dd1a42e20d41e2244cb63c205477ca", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iommu/iommufd/selftest.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.55", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix protection fault in iommufd_test_syz_conv_iova\n\nSyzkaller reported the following bug:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN\n KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]\n Call Trace:\n lock_acquire\n lock_acquire+0x1ce/0x4f0\n down_read+0x93/0x4a0\n iommufd_test_syz_conv_iova+0x56/0x1f0\n iommufd_test_access_rw.isra.0+0x2ec/0x390\n iommufd_test+0x1058/0x1e30\n iommufd_fops_ioctl+0x381/0x510\n vfs_ioctl\n __do_sys_ioctl\n __se_sys_ioctl\n __x64_sys_ioctl+0x170/0x1e0\n do_syscall_x64\n do_syscall_64+0x71/0x140\n\nThis is because the new iommufd_access_change_ioas() sets access-\u003eioas to\nNULL during its process, so the lock might be gone in a concurrent racing\ncontext.\n\nFix this by doing the same access-\u003eioas sanity as iommufd_access_rw() and\niommufd_access_pin_pages() functions do." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:24.042Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fd4d5cd7a2e8f08357c9bfc0905957cffe8ce568" }, { "url": "https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b" }, { "url": "https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48" } ], "title": "iommufd: Fix protection fault in iommufd_test_syz_conv_iova", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26785", "datePublished": "2024-04-04T08:20:18.467Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:24.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26768
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]
With default config, the value of NR_CPUS is 64. When HW platform has
more then 64 cpus, system will crash on these platforms. MAX_CORE_PIC
is the maximum cpu number in MADT table (max physical number) which can
exceed the supported maximum cpu number (NR_CPUS, max logical number),
but kernel should not crash. Kernel should boot cpus with NR_CPUS, let
the remainder cpus stay in BIOS.
The potential crash reason is that the array acpi_core_pic[NR_CPUS] can
be overflowed when parsing MADT table, and it is obvious that CORE_PIC
should be corresponding to physical core rather than logical core, so it
is better to define the array as acpi_core_pic[MAX_CORE_PIC].
With the patch, system can boot up 64 vcpus with qemu parameter -smp 128,
otherwise system will crash with the following message.
[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec
[ 0.000000] Oops[#1]:
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192
[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60
[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8
[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005
[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001
[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063
[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98
[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90
[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330
[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250
[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94
[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)
[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)
[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
[ 0.000000] BADV: 0000420000004259
[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
[ 0.000000] Modules linked in:
[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))
[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec
[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60
[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000
[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c
[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08
[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018
[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000
[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000
[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000
[ 0.000000] ...
[ 0.000000] Call Trace:
[ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94
[ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250
[ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c
[ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670
[ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26768", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T19:30:26.181836Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T19:36:27.034Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.501Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/loongarch/include/asm/acpi.h", "arch/loongarch/kernel/acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "88e189bd16e5889e44a41b3309558ebab78b9280", "status": "affected", "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4", "versionType": "git" }, { "lessThan": "0f6810e39898af2d2cabd9313e4dbc945fb5dfdd", "status": "affected", "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4", "versionType": "git" }, { "lessThan": "4551b30525cf3d2f026b92401ffe241eb04dfebe", "status": "affected", "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/loongarch/include/asm/acpi.h", "arch/loongarch/kernel/acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250\n[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)\n[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)\n[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[ 0.000000] BADV: 0000420000004259\n[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[ 0.000000] Modules linked in:\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [\u003c90000000037a5f0c\u003e] efi_runtime_init+0x30/0x94\n[ 0.000000] [\u003c90000000037a46ec\u003e] platform_init+0x214/0x250\n[ 0.000000] [\u003c90000000037a484c\u003e] setup_arch+0x124/0x45c\n[ 0.000000] [\u003c90000000037a0790\u003e] start_kernel+0x90/0x670\n[ 0.000000] [\u003c900000000378b0d8\u003e] kernel_entry+0xd8/0xdc" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:03.364Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280" }, { "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd" }, { "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe" } ], "title": "LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26768", "datePublished": "2024-04-03T17:00:50.135Z", "dateReserved": "2024-02-19T14:20:24.173Z", "dateUpdated": "2024-12-19T08:47:03.364Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26749
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
...
cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);
list_del_init(&priv_req->list);
...
'priv_req' actually free at cdns3_gadget_ep_free_request(). But
list_del_init() use priv_req->list after it.
[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4
[ 1542.642868][ T534]
[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):
[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4
[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]
[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4
[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8
[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368
[ 1542.685478][ T534] ffs_func_disable+0x18/0x28
Move list_del_init() before cdns3_gadget_ep_free_request() to resolve this
problem.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.248Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26749", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:44.326857Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:16.869Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/cdns3/cdns3-gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cfa9abb5570c489dabf6f7fb3a066cc576fc8824", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "b40328eea93c75a5645891408010141a0159f643", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "4e5c73b15d95452c1ba9c771dd013a3fbe052ff3", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "2134e9906e17b1e5284300fab547869ebacfd7d9", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "29e42e1578a10c611b3f1a38f3229b2d664b5d16", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "9a07244f614bc417de527b799da779dcae780b5d", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" }, { "lessThan": "cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6", "status": "affected", "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/cdns3/cdns3-gadget.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()\n\n ...\n cdns3_gadget_ep_free_request(\u0026priv_ep-\u003eendpoint, \u0026priv_req-\u003erequest);\n list_del_init(\u0026priv_req-\u003elist);\n ...\n\n\u0027priv_req\u0027 actually free at cdns3_gadget_ep_free_request(). But\nlist_del_init() use priv_req-\u003elist after it.\n\n[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4\n[ 1542.642868][ T534]\n[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):\n[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4\n[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]\n[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4\n[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8\n[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368\n[ 1542.685478][ T534] ffs_func_disable+0x18/0x28\n\nMove list_del_init() before cdns3_gadget_ep_free_request() to resolve this\nproblem." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:25.472Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824" }, { "url": "https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643" }, { "url": "https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3" }, { "url": "https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9" }, { "url": "https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16" }, { "url": "https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d" }, { "url": "https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6" } ], "title": "usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26749", "datePublished": "2024-04-03T17:00:35.762Z", "dateReserved": "2024-02-19T14:20:24.169Z", "dateUpdated": "2024-12-19T08:46:25.472Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26762
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/pci: Skip to handle RAS errors if CXL.mem device is detached
The PCI AER model is an awkward fit for CXL error handling. While the
expectation is that a PCI device can escalate to link reset to recover
from an AER event, the same reset on CXL amounts to a surprise memory
hotplug of massive amounts of memory.
At present, the CXL error handler attempts some optimistic error
handling to unbind the device from the cxl_mem driver after reaping some
RAS register values. This results in a "hopeful" attempt to unplug the
memory, but there is no guarantee that will succeed.
A subsequent AER notification after the memdev unbind event can no
longer assume the registers are mapped. Check for memdev bind before
reaping status register values to avoid crashes of the form:
BUG: unable to handle page fault for address: ffa00000195e9100
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
[...]
RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]
[...]
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x82/0x160
? kernelmode_fixup_or_oops+0x84/0x110
? exc_page_fault+0x113/0x170
? asm_exc_page_fault+0x26/0x30
? __pfx_dpc_reset_link+0x10/0x10
? __cxl_handle_ras+0x30/0x110 [cxl_core]
? find_cxl_port+0x59/0x80 [cxl_core]
cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]
cxl_error_detected+0x6c/0xf0 [cxl_core]
report_error_detected+0xc7/0x1c0
pci_walk_bus+0x73/0x90
pcie_do_recovery+0x23f/0x330
Longer term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might
need to be replaced with a new PCI_ERS_RESULT_PANIC.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26762", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T18:38:38.263308Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:18.559Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.382Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/cxl/core/pci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "21e5e84f3f63fdf44e49642a6e45cd895e921a84", "status": "affected", "version": "6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab", "versionType": "git" }, { "lessThan": "eef5c7b28dbecd6b141987a96db6c54e49828102", "status": "affected", "version": "6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/cxl/core/pci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Skip to handle RAS errors if CXL.mem device is detached\n\nThe PCI AER model is an awkward fit for CXL error handling. While the\nexpectation is that a PCI device can escalate to link reset to recover\nfrom an AER event, the same reset on CXL amounts to a surprise memory\nhotplug of massive amounts of memory.\n\nAt present, the CXL error handler attempts some optimistic error\nhandling to unbind the device from the cxl_mem driver after reaping some\nRAS register values. This results in a \"hopeful\" attempt to unplug the\nmemory, but there is no guarantee that will succeed.\n\nA subsequent AER notification after the memdev unbind event can no\nlonger assume the registers are mapped. Check for memdev bind before\nreaping status register values to avoid crashes of the form:\n\n BUG: unable to handle page fault for address: ffa00000195e9100\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n [...]\n RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]\n [...]\n Call Trace:\n \u003cTASK\u003e\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x160\n ? kernelmode_fixup_or_oops+0x84/0x110\n ? exc_page_fault+0x113/0x170\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_dpc_reset_link+0x10/0x10\n ? __cxl_handle_ras+0x30/0x110 [cxl_core]\n ? find_cxl_port+0x59/0x80 [cxl_core]\n cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]\n cxl_error_detected+0x6c/0xf0 [cxl_core]\n report_error_detected+0xc7/0x1c0\n pci_walk_bus+0x73/0x90\n pcie_do_recovery+0x23f/0x330\n\nLonger term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might\nneed to be replaced with a new PCI_ERS_RESULT_PANIC." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:41.478Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84" }, { "url": "https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102" } ], "title": "cxl/pci: Skip to handle RAS errors if CXL.mem device is detached", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26762", "datePublished": "2024-04-03T17:00:45.655Z", "dateReserved": "2024-02-19T14:20:24.172Z", "dateUpdated": "2024-12-19T08:46:41.478Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26739
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_mirred: don't override retval if we already lost the skb
If we're redirecting the skb, and haven't called tcf_mirred_forward(),
yet, we need to tell the core to drop the skb by setting the retcode
to SHOT. If we have called tcf_mirred_forward(), however, the skb
is out of our hands and returning SHOT will lead to UaF.
Move the retval override to the error path which actually need it.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.024Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26739", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:53.930424Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:18.399Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/act_mirred.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "28cdbbd38a4413b8eff53399b3f872fd4e80db9d", "status": "affected", "version": "e5cf1baf92cb785b90390db1c624948e70c8b8bd", "versionType": "git" }, { "lessThan": "f4e294bbdca8ac8757db436fc82214f3882fc7e7", "status": "affected", "version": "e5cf1baf92cb785b90390db1c624948e70c8b8bd", "versionType": "git" }, { "lessThan": "166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210", "status": "affected", "version": "e5cf1baf92cb785b90390db1c624948e70c8b8bd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/act_mirred.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.19" }, { "lessThan": "4.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don\u0027t override retval if we already lost the skb\n\nIf we\u0027re redirecting the skb, and haven\u0027t called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:13.334Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d" }, { "url": "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" }, { "url": "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210" } ], "title": "net/sched: act_mirred: don\u0027t override retval if we already lost the skb", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26739", "datePublished": "2024-04-03T17:00:24.879Z", "dateReserved": "2024-02-19T14:20:24.166Z", "dateUpdated": "2024-12-19T08:46:13.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26689
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: prevent use-after-free in encode_cap_msg()
In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
implies before the refcount could be increment here, it was freed.
In same file, in "handle_cap_grant()" refcount is decremented by this
line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
occurred and resource was freed by the latter line before the former
line could increment it.
encode_cap_msg() is called by __send_cap() and __send_cap() is called by
ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
the refcount must be increased to prevent "use after free" error.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.664Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8180d0c27b93a6eb60da1b08ea079e3926328214" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70e329b440762390258a6fe8c0de93c9fdd56c77" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f3f98d7d84b31828004545e29fd7262b9f444139" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ae20db45e482303a20e56f2db667a9d9c54ac7e7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cda4672da1c26835dcbd7aec2bfed954eda9b5ef" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26689", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-15T19:26:55.316031Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-15T19:27:03.603Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ceph/caps.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8180d0c27b93a6eb60da1b08ea079e3926328214", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "70e329b440762390258a6fe8c0de93c9fdd56c77", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f3f98d7d84b31828004545e29fd7262b9f444139", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ae20db45e482303a20e56f2db667a9d9c54ac7e7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cda4672da1c26835dcbd7aec2bfed954eda9b5ef", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ceph/caps.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: prevent use-after-free in encode_cap_msg()\n\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - \u0027ceph_buffer_get(arg-\u003exattr_buf);\u0027. This\nimplies before the refcount could be increment here, it was freed.\n\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - \u0027ceph_buffer_put(ci-\u003ei_xattrs.blob);\u0027. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\n\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg-\u003exattr_buf is assigned to ci-\u003ei_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:08.529Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8180d0c27b93a6eb60da1b08ea079e3926328214" }, { "url": "https://git.kernel.org/stable/c/70e329b440762390258a6fe8c0de93c9fdd56c77" }, { "url": "https://git.kernel.org/stable/c/f3f98d7d84b31828004545e29fd7262b9f444139" }, { "url": "https://git.kernel.org/stable/c/ae20db45e482303a20e56f2db667a9d9c54ac7e7" }, { "url": "https://git.kernel.org/stable/c/7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc" }, { "url": "https://git.kernel.org/stable/c/cda4672da1c26835dcbd7aec2bfed954eda9b5ef" } ], "title": "ceph: prevent use-after-free in encode_cap_msg()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26689", "datePublished": "2024-04-03T14:54:50.885Z", "dateReserved": "2024-02-19T14:20:24.154Z", "dateUpdated": "2024-12-19T08:45:08.529Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26720
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2024-12-19T11:15:27.766Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26720", "datePublished": "2024-04-03T14:55:20.286Z", "dateRejected": "2024-12-19T11:15:27.766Z", "dateReserved": "2024-02-19T14:20:24.161Z", "dateUpdated": "2024-12-19T11:15:27.766Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26701
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2024-04-03T16:17:51.047Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26701", "dateRejected": "2024-04-03T16:17:51.047Z", "dateReserved": "2024-02-19T14:20:24.157Z", "dateUpdated": "2024-04-03T16:17:51.047Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }
cve-2024-26708
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: really cope with fastopen race
Fastopen and PM-trigger subflow shutdown can race, as reported by
syzkaller.
In my first attempt to close such race, I missed the fact that
the subflow status can change again before the subflow_state_change
callback is invoked.
Address the issue additionally copying with all the states directly
reachable from TCP_FIN_WAIT1.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26708", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:54:23.010833Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T21:56:45.799Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.552Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4bfe217e075d04e63c092df9d40c608e598c2ef2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e158fb9679d15a2317ec13b4f6301bd26265df2f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/337cebbd850f94147cee05252778f8f78b8c337f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/mptcp/protocol.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4bfe217e075d04e63c092df9d40c608e598c2ef2", "status": "affected", "version": "1e777f39b4d75e599a3aac8e0f67d739474f198c", "versionType": "git" }, { "lessThan": "e158fb9679d15a2317ec13b4f6301bd26265df2f", "status": "affected", "version": "1e777f39b4d75e599a3aac8e0f67d739474f198c", "versionType": "git" }, { "lessThan": "337cebbd850f94147cee05252778f8f78b8c337f", "status": "affected", "version": "1e777f39b4d75e599a3aac8e0f67d739474f198c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/mptcp/protocol.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: really cope with fastopen race\n\nFastopen and PM-trigger subflow shutdown can race, as reported by\nsyzkaller.\n\nIn my first attempt to close such race, I missed the fact that\nthe subflow status can change again before the subflow_state_change\ncallback is invoked.\n\nAddress the issue additionally copying with all the states directly\nreachable from TCP_FIN_WAIT1." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:35.642Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4bfe217e075d04e63c092df9d40c608e598c2ef2" }, { "url": "https://git.kernel.org/stable/c/e158fb9679d15a2317ec13b4f6301bd26265df2f" }, { "url": "https://git.kernel.org/stable/c/337cebbd850f94147cee05252778f8f78b8c337f" } ], "title": "mptcp: really cope with fastopen race", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26708", "datePublished": "2024-04-03T14:55:11.054Z", "dateReserved": "2024-02-19T14:20:24.158Z", "dateUpdated": "2024-12-19T08:45:35.642Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26693
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: fix a crash when we run out of stations
A DoS tool that injects loads of authentication frames made our AP
crash. The iwl_mvm_is_dup() function couldn't find the per-queue
dup_data which was not allocated.
The root cause for that is that we ran out of stations in the firmware
and we didn't really add the station to the firmware, yet we didn't
return an error to mac80211.
Mac80211 was thinking that we have the station and because of that,
sta_info::uploaded was set to 1. This allowed
ieee80211_find_sta_by_ifaddr() to return a valid station object, but
that ieee80211_sta didn't have any iwl_mvm_sta object initialized and
that caused the crash mentioned earlier when we got Rx on that station.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26693", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:46:36.382649Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:23.460Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.896Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/00f4eb31b8193f6070ce24df636883f9c104ca95" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c12f0f4d4caf23b1bfdc2602b6b70d56bdcd6aa7" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b7198383ef2debe748118996f627452281cf27d7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c", "drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "00f4eb31b8193f6070ce24df636883f9c104ca95", "status": "affected", "version": "57974a55d995468a9a476e24693eb741c649b25f", "versionType": "git" }, { "lessThan": "c12f0f4d4caf23b1bfdc2602b6b70d56bdcd6aa7", "status": "affected", "version": "57974a55d995468a9a476e24693eb741c649b25f", "versionType": "git" }, { "lessThan": "b7198383ef2debe748118996f627452281cf27d7", "status": "affected", "version": "57974a55d995468a9a476e24693eb741c649b25f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c", "drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix a crash when we run out of stations\n\nA DoS tool that injects loads of authentication frames made our AP\ncrash. The iwl_mvm_is_dup() function couldn\u0027t find the per-queue\ndup_data which was not allocated.\n\nThe root cause for that is that we ran out of stations in the firmware\nand we didn\u0027t really add the station to the firmware, yet we didn\u0027t\nreturn an error to mac80211.\nMac80211 was thinking that we have the station and because of that,\nsta_info::uploaded was set to 1. This allowed\nieee80211_find_sta_by_ifaddr() to return a valid station object, but\nthat ieee80211_sta didn\u0027t have any iwl_mvm_sta object initialized and\nthat caused the crash mentioned earlier when we got Rx on that station." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:13.326Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/00f4eb31b8193f6070ce24df636883f9c104ca95" }, { "url": "https://git.kernel.org/stable/c/c12f0f4d4caf23b1bfdc2602b6b70d56bdcd6aa7" }, { "url": "https://git.kernel.org/stable/c/b7198383ef2debe748118996f627452281cf27d7" } ], "title": "wifi: iwlwifi: mvm: fix a crash when we run out of stations", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26693", "datePublished": "2024-04-03T14:54:54.165Z", "dateReserved": "2024-02-19T14:20:24.155Z", "dateUpdated": "2024-12-19T08:45:13.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26773
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()
Determine if the group block bitmap is corrupted before using ac_b_ex in
ext4_mb_try_best_found() to avoid allocating blocks from a group with a
corrupted block bitmap in the following concurrency and making the
situation worse.
ext4_mb_regular_allocator
ext4_lock_group(sb, group)
ext4_mb_good_group
// check if the group bbitmap is corrupted
ext4_mb_complex_scan_group
// Scan group gets ac_b_ex but doesn't use it
ext4_unlock_group(sb, group)
ext4_mark_group_bitmap_corrupted(group)
// The block bitmap was corrupted during
// the group unlock gap.
ext4_mb_try_best_found
ext4_lock_group(ac->ac_sb, group)
ext4_mb_use_best_found
mb_mark_used
// Allocating blocks in block bitmap corrupted group
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26773", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:50:26.209110Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:10.181Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.512Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/21f8cfe79f776287459343e9cfa6055af61328ea" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/260fc96283c0f594de18a1b045faf6d8fb42874d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/927794a02169778c9c2e7b25c768ab3ea8c1dc03" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4c21fa60a6f4606f6214a38f50612b17b2f738f5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f97e75fa4e12b0aa0224e83fcbda8853ac2adf36" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0184747b552d6b5a14db3b7fcc3b792ce64dedd1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a2576ae9a35c078e488f2c573e9e6821d651fbbe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4530b3660d396a646aad91a787b6ab37cf604b53" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "21f8cfe79f776287459343e9cfa6055af61328ea", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "260fc96283c0f594de18a1b045faf6d8fb42874d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "927794a02169778c9c2e7b25c768ab3ea8c1dc03", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4c21fa60a6f4606f6214a38f50612b17b2f738f5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f97e75fa4e12b0aa0224e83fcbda8853ac2adf36", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0184747b552d6b5a14db3b7fcc3b792ce64dedd1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a2576ae9a35c078e488f2c573e9e6821d651fbbe", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4530b3660d396a646aad91a787b6ab37cf604b53", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\n\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\n\next4_mb_regular_allocator\n ext4_lock_group(sb, group)\n ext4_mb_good_group\n // check if the group bbitmap is corrupted\n ext4_mb_complex_scan_group\n // Scan group gets ac_b_ex but doesn\u0027t use it\n ext4_unlock_group(sb, group)\n ext4_mark_group_bitmap_corrupted(group)\n // The block bitmap was corrupted during\n // the group unlock gap.\n ext4_mb_try_best_found\n ext4_lock_group(ac-\u003eac_sb, group)\n ext4_mb_use_best_found\n mb_mark_used\n // Allocating blocks in block bitmap corrupted group" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:09.723Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/21f8cfe79f776287459343e9cfa6055af61328ea" }, { "url": "https://git.kernel.org/stable/c/260fc96283c0f594de18a1b045faf6d8fb42874d" }, { "url": "https://git.kernel.org/stable/c/927794a02169778c9c2e7b25c768ab3ea8c1dc03" }, { "url": "https://git.kernel.org/stable/c/4c21fa60a6f4606f6214a38f50612b17b2f738f5" }, { "url": "https://git.kernel.org/stable/c/f97e75fa4e12b0aa0224e83fcbda8853ac2adf36" }, { "url": "https://git.kernel.org/stable/c/0184747b552d6b5a14db3b7fcc3b792ce64dedd1" }, { "url": "https://git.kernel.org/stable/c/a2576ae9a35c078e488f2c573e9e6821d651fbbe" }, { "url": "https://git.kernel.org/stable/c/4530b3660d396a646aad91a787b6ab37cf604b53" } ], "title": "ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26773", "datePublished": "2024-04-03T17:00:59.757Z", "dateReserved": "2024-02-19T14:20:24.176Z", "dateUpdated": "2024-12-19T08:47:09.723Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26707
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()
Syzkaller reported [1] hitting a warning after failing to allocate
resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will
not help much in this case, it might be prudent to switch to
netdev_warn_once(). At the very least it will suppress syzkaller
reports such as [1].
Just in case, use netdev_warn_once() in send_prp_supervision_frame()
for similar reasons.
[1]
HSR: Could not send supervision frame
WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
...
Call Trace:
<IRQ>
hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382
call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1751 [inline]
__run_timers+0x764/0xb20 kernel/time/timer.c:2022
run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
...
This issue is also found in older kernels (at least up to 5.10).
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 121c33b07b3127f501b366bc23d2a590e2f2b8ef Version: 121c33b07b3127f501b366bc23d2a590e2f2b8ef Version: 121c33b07b3127f501b366bc23d2a590e2f2b8ef Version: 121c33b07b3127f501b366bc23d2a590e2f2b8ef Version: 121c33b07b3127f501b366bc23d2a590e2f2b8ef Version: 121c33b07b3127f501b366bc23d2a590e2f2b8ef |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.854Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023a" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06e" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26707", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:52:36.137987Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:32:53.817Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/hsr/hsr_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb", "status": "affected", "version": "121c33b07b3127f501b366bc23d2a590e2f2b8ef", "versionType": "git" }, { "lessThan": "de769423b2f053182a41317c4db5a927e90622a0", "status": "affected", "version": "121c33b07b3127f501b366bc23d2a590e2f2b8ef", "versionType": "git" }, { "lessThan": "56440799fc4621c279df16176f83a995d056023a", "status": "affected", "version": "121c33b07b3127f501b366bc23d2a590e2f2b8ef", "versionType": "git" }, { "lessThan": "923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8", "status": "affected", "version": "121c33b07b3127f501b366bc23d2a590e2f2b8ef", "versionType": "git" }, { "lessThan": "547545e50c913861219947ce490c68a1776b9b51", "status": "affected", "version": "121c33b07b3127f501b366bc23d2a590e2f2b8ef", "versionType": "git" }, { "lessThan": "37e8c97e539015637cb920d3e6f1e404f707a06e", "status": "affected", "version": "121c33b07b3127f501b366bc23d2a590e2f2b8ef", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/hsr/hsr_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\n\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\n\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\n\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n \u003cIRQ\u003e\n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\n\nThis issue is also found in older kernels (at least up to 5.10)." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:34.504Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb" }, { "url": "https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0" }, { "url": "https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023a" }, { "url": "https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8" }, { "url": "https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51" }, { "url": "https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06e" } ], "title": "net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26707", "datePublished": "2024-04-03T14:55:10.262Z", "dateReserved": "2024-02-19T14:20:24.158Z", "dateUpdated": "2024-12-19T08:45:34.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26761
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window
The Linux CXL subsystem is built on the assumption that HPA == SPA.
That is, the host physical address (HPA) the HDM decoder registers are
programmed with are system physical addresses (SPA).
During HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,
8.1.3.8) are checked if the memory is enabled and the CXL range is in
a HPA window that is described in a CFMWS structure of the CXL host
bridge (cxl-3.1, 9.18.1.3).
Now, if the HPA is not an SPA, the CXL range does not match a CFMWS
window and the CXL memory range will be disabled then. The HDM decoder
stops working which causes system memory being disabled and further a
system hang during HDM decoder initialization, typically when a CXL
enabled kernel boots.
Prevent a system hang and do not disable the HDM decoder if the
decoder's CXL range is not found in a CFMWS window.
Note the change only fixes a hardware hang, but does not implement
HPA/SPA translation. Support for this can be added in a follow on
patch series.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26761", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:38:51.943125Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:31.762Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.361Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3a3181a71935774bda2398451256d7441426420b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/cxl/core/pci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "031217128990d7f0ab8c46db1afb3cf1e075fd29", "status": "affected", "version": "34e37b4c432cd0f1842b352fde4b8878b4166888", "versionType": "git" }, { "lessThan": "2cc1a530ab31c65b52daf3cb5d0883c8b614ea69", "status": "affected", "version": "34e37b4c432cd0f1842b352fde4b8878b4166888", "versionType": "git" }, { "lessThan": "3a3181a71935774bda2398451256d7441426420b", "status": "affected", "version": "34e37b4c432cd0f1842b352fde4b8878b4166888", "versionType": "git" }, { "lessThan": "0cab687205986491302cd2e440ef1d253031c221", "status": "affected", "version": "34e37b4c432cd0f1842b352fde4b8878b4166888", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/cxl/core/pci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window\n\nThe Linux CXL subsystem is built on the assumption that HPA == SPA.\nThat is, the host physical address (HPA) the HDM decoder registers are\nprogrammed with are system physical addresses (SPA).\n\nDuring HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,\n8.1.3.8) are checked if the memory is enabled and the CXL range is in\na HPA window that is described in a CFMWS structure of the CXL host\nbridge (cxl-3.1, 9.18.1.3).\n\nNow, if the HPA is not an SPA, the CXL range does not match a CFMWS\nwindow and the CXL memory range will be disabled then. The HDM decoder\nstops working which causes system memory being disabled and further a\nsystem hang during HDM decoder initialization, typically when a CXL\nenabled kernel boots.\n\nPrevent a system hang and do not disable the HDM decoder if the\ndecoder\u0027s CXL range is not found in a CFMWS window.\n\nNote the change only fixes a hardware hang, but does not implement\nHPA/SPA translation. Support for this can be added in a follow on\npatch series." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:40.204Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29" }, { "url": "https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69" }, { "url": "https://git.kernel.org/stable/c/3a3181a71935774bda2398451256d7441426420b" }, { "url": "https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221" } ], "title": "cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26761", "datePublished": "2024-04-03T17:00:44.934Z", "dateReserved": "2024-02-19T14:20:24.171Z", "dateUpdated": "2024-12-19T08:46:40.204Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26747
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: roles: fix NULL pointer issue when put module's reference
In current design, usb role class driver will get usb_role_switch parent's
module reference after the user get usb_role_switch device and put the
reference after the user put the usb_role_switch device. However, the
parent device of usb_role_switch may be removed before the user put the
usb_role_switch. If so, then, NULL pointer issue will be met when the user
put the parent module's reference.
This will save the module pointer in structure of usb_role_switch. Then,
we don't need to find module by iterating long relations.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b Version: 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b Version: 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b Version: 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b Version: 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b Version: 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26747", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:42:38.862129Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-05T14:42:09.529Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.305Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef421360e1ad9e" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/roles/class.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e279bf8e51893e1fe160b3d8126ef2dd00f661e1", "status": "affected", "version": "5c54fcac9a9de559b444ac63ec3cd82f1d157a0b", "versionType": "git" }, { "lessThan": "ef982fc41055fcebb361a92288d3225783d12913", "status": "affected", "version": "5c54fcac9a9de559b444ac63ec3cd82f1d157a0b", "versionType": "git" }, { "lessThan": "0158216805ca7e498d07de38840d2732166ae5fa", "status": "affected", "version": "5c54fcac9a9de559b444ac63ec3cd82f1d157a0b", "versionType": "git" }, { "lessThan": "4b45829440b1b208948b39cc71f77a37a2536734", "status": "affected", "version": "5c54fcac9a9de559b444ac63ec3cd82f1d157a0b", "versionType": "git" }, { "lessThan": "01f82de440f2ab07c259b7573371e1c42e5565db", "status": "affected", "version": "5c54fcac9a9de559b444ac63ec3cd82f1d157a0b", "versionType": "git" }, { "lessThan": "1c9be13846c0b2abc2480602f8ef421360e1ad9e", "status": "affected", "version": "5c54fcac9a9de559b444ac63ec3cd82f1d157a0b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/roles/class.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.19" }, { "lessThan": "4.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: roles: fix NULL pointer issue when put module\u0027s reference\n\nIn current design, usb role class driver will get usb_role_switch parent\u0027s\nmodule reference after the user get usb_role_switch device and put the\nreference after the user put the usb_role_switch device. However, the\nparent device of usb_role_switch may be removed before the user put the\nusb_role_switch. If so, then, NULL pointer issue will be met when the user\nput the parent module\u0027s reference.\n\nThis will save the module pointer in structure of usb_role_switch. Then,\nwe don\u0027t need to find module by iterating long relations." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:22.972Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1" }, { "url": "https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913" }, { "url": "https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa" }, { "url": "https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734" }, { "url": "https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db" }, { "url": "https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef421360e1ad9e" } ], "title": "usb: roles: fix NULL pointer issue when put module\u0027s reference", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26747", "datePublished": "2024-04-03T17:00:34.066Z", "dateReserved": "2024-02-19T14:20:24.168Z", "dateUpdated": "2024-12-19T08:46:22.972Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26777
Vulnerability from cvelistv5
Published
2024-04-03 17:01
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: sis: Error out if pixclock equals zero
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of pixclock,
it may cause divide-by-zero error.
In sisfb_check_var(), var->pixclock is used as a divisor to caculate
drate before it is checked against zero. Fix this by checking it
at the beginning.
This is similar to CVE-2022-3061 in i740fb which was fixed by
commit 15cf0b8.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26777", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:10:58.840983Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:30.706Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.470Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/84246c35ca34207114055a87552a1c4289c8fd7e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6db07619d173765bd8622d63809cbfe361f04207" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cd36da760bd1f78c63c7078407baf01dd724f313" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/df6e2088c6f4cad539cf67cba2d6764461e798d1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f329523f6a65c3bbce913ad35473d83a319d5d99" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/99f1abc34a6dde248d2219d64aa493c76bbdd9eb" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1d11dd3ea5d039c7da089f309f39c4cd363b924b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e421946be7d9bf545147bea8419ef8239cb7ca52" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/sis/sis_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "84246c35ca34207114055a87552a1c4289c8fd7e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6db07619d173765bd8622d63809cbfe361f04207", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cd36da760bd1f78c63c7078407baf01dd724f313", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "df6e2088c6f4cad539cf67cba2d6764461e798d1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f329523f6a65c3bbce913ad35473d83a319d5d99", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "99f1abc34a6dde248d2219d64aa493c76bbdd9eb", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1d11dd3ea5d039c7da089f309f39c4cd363b924b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e421946be7d9bf545147bea8419ef8239cb7ca52", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/sis/sis_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sis: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn\u0027t check the value of pixclock,\nit may cause divide-by-zero error.\n\nIn sisfb_check_var(), var-\u003epixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:14.439Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/84246c35ca34207114055a87552a1c4289c8fd7e" }, { "url": "https://git.kernel.org/stable/c/6db07619d173765bd8622d63809cbfe361f04207" }, { "url": "https://git.kernel.org/stable/c/cd36da760bd1f78c63c7078407baf01dd724f313" }, { "url": "https://git.kernel.org/stable/c/df6e2088c6f4cad539cf67cba2d6764461e798d1" }, { "url": "https://git.kernel.org/stable/c/f329523f6a65c3bbce913ad35473d83a319d5d99" }, { "url": "https://git.kernel.org/stable/c/99f1abc34a6dde248d2219d64aa493c76bbdd9eb" }, { "url": "https://git.kernel.org/stable/c/1d11dd3ea5d039c7da089f309f39c4cd363b924b" }, { "url": "https://git.kernel.org/stable/c/e421946be7d9bf545147bea8419ef8239cb7ca52" } ], "title": "fbdev: sis: Error out if pixclock equals zero", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26777", "datePublished": "2024-04-03T17:01:02.935Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:14.439Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26752
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: pass correct message length to ip6_append_data
l2tp_ip6_sendmsg needs to avoid accounting for the transport header
twice when splicing more data into an already partially-occupied skbuff.
To manage this, we check whether the skbuff contains data using
skb_queue_empty when deciding how much data to append using
ip6_append_data.
However, the code which performed the calculation was incorrect:
ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
...due to C operator precedence, this ends up setting ulen to
transhdrlen for messages with a non-zero length, which results in
corrupted packets on the wire.
Add parentheses to correct the calculation in line with the original
intent.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 559d697c5d072593d22b3e0bd8b8081108aeaf59 Version: 1fc793d68d50dee4782ef2e808913d5dd880bcc6 Version: 96b2e1090397217839fcd6c9b6d8f5d439e705ed Version: cd1189956393bf850b2e275e37411855d3bd86bb Version: f6a7182179c0ed788e3755ee2ed18c888ddcc33f Version: 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 Version: 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 Version: 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26752", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T18:05:57.024676Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:58.719Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.330Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/l2tp/l2tp_ip6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4c3ce64bc9d36ca9164dd6c77ff144c121011aae", "status": "affected", "version": "559d697c5d072593d22b3e0bd8b8081108aeaf59", "versionType": "git" }, { "lessThan": "c1d3a84a67db910ce28a871273c992c3d7f9efb5", "status": "affected", "version": "1fc793d68d50dee4782ef2e808913d5dd880bcc6", "versionType": "git" }, { "lessThan": "dcb4d14268595065c85dc5528056713928e17243", "status": "affected", "version": "96b2e1090397217839fcd6c9b6d8f5d439e705ed", "versionType": "git" }, { "lessThan": "0da15a70395182ee8cb75716baf00dddc0bea38d", "status": "affected", "version": "cd1189956393bf850b2e275e37411855d3bd86bb", "versionType": "git" }, { "lessThan": "13cd1daeea848614e585b2c6ecc11ca9c8ab2500", "status": "affected", "version": "f6a7182179c0ed788e3755ee2ed18c888ddcc33f", "versionType": "git" }, { "lessThan": "804bd8650a3a2bf3432375f8c97d5049d845ce56", "status": "affected", "version": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070", "versionType": "git" }, { "lessThan": "83340c66b498e49353530e41542500fc8a4782d6", "status": "affected", "version": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070", "versionType": "git" }, { "lessThan": "359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79", "status": "affected", "version": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/l2tp/l2tp_ip6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n ulen = len + skb_queue_empty(\u0026sk-\u003esk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:29.156Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae" }, { "url": "https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5" }, { "url": "https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243" }, { "url": "https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d" }, { "url": "https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500" }, { "url": "https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56" }, { "url": "https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6" }, { "url": "https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79" } ], "title": "l2tp: pass correct message length to ip6_append_data", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26752", "datePublished": "2024-04-03T17:00:37.340Z", "dateReserved": "2024-02-19T14:20:24.169Z", "dateUpdated": "2024-12-19T08:46:29.156Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26750
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Drop oob_skb ref before purging queue in GC.
syzbot reported another task hung in __unix_gc(). [0]
The current while loop assumes that all of the left candidates
have oob_skb and calling kfree_skb(oob_skb) releases the remaining
candidates.
However, I missed a case that oob_skb has self-referencing fd and
another fd and the latter sk is placed before the former in the
candidate list. Then, the while loop never proceeds, resulting
the task hung.
__unix_gc() has the same loop just before purging the collected skb,
so we can call kfree_skb(oob_skb) there and let __skb_queue_purge()
release all inflight sockets.
[0]:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200
Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70
RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287
RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84
R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee
R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
__unix_gc+0xe69/0xf40 net/unix/garbage.c:343
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 36f7371de977f805750748e80279be7e370df85c Version: 2a3d40b4025fcfe51b04924979f1653993b17669 Version: 69e0f04460f4037e01e29f0d9675544f62aafca3 Version: cb8890318dde26fc89c6ea67d6e9070ab50b6e91 Version: 25236c91b5ab4a26a56ba2e79b8060cf4e047839 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.217Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26750", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:11.547250Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:53.425Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/unix/garbage.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6c480d0f131862645d172ca9e25dc152b1a5c3a6", "status": "affected", "version": "36f7371de977f805750748e80279be7e370df85c", "versionType": "git" }, { "lessThan": "c4c795b21dd23d9514ae1c6646c3fb2c78b5be60", "status": "affected", "version": "2a3d40b4025fcfe51b04924979f1653993b17669", "versionType": "git" }, { "lessThan": "e9eac260369d0cf57ea53df95427125725507a0d", "status": "affected", "version": "69e0f04460f4037e01e29f0d9675544f62aafca3", "versionType": "git" }, { "lessThan": "43ba9e331559a30000c862eea313248707afa787", "status": "affected", "version": "cb8890318dde26fc89c6ea67d6e9070ab50b6e91", "versionType": "git" }, { "lessThan": "aa82ac51d63328714645c827775d64dbfd9941f3", "status": "affected", "version": "25236c91b5ab4a26a56ba2e79b8060cf4e047839", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/unix/garbage.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5.15.151", "status": "affected", "version": "5.15.149", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop oob_skb ref before purging queue in GC.\n\nsyzbot reported another task hung in __unix_gc(). [0]\n\nThe current while loop assumes that all of the left candidates\nhave oob_skb and calling kfree_skb(oob_skb) releases the remaining\ncandidates.\n\nHowever, I missed a case that oob_skb has self-referencing fd and\nanother fd and the latter sk is placed before the former in the\ncandidate list. Then, the while loop never proceeds, resulting\nthe task hung.\n\n__unix_gc() has the same loop just before purging the collected skb,\nso we can call kfree_skb(oob_skb) there and let __skb_queue_purge()\nrelease all inflight sockets.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200\nCode: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 \u003cf3\u003e 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70\nRSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287\nRAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80\nRDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000\nRBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84\nR10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee\nR13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cNMI\u003e\n \u003c/NMI\u003e\n \u003cTASK\u003e\n __unix_gc+0xe69/0xf40 net/unix/garbage.c:343\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706\n worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787\n kthread+0x2ef/0x390 kernel/kthread.c:388\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:26.704Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6" }, { "url": "https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60" }, { "url": "https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d" }, { "url": "https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787" }, { "url": "https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3" } ], "title": "af_unix: Drop oob_skb ref before purging queue in GC.", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26750", "datePublished": "2024-04-04T08:20:14.494Z", "dateReserved": "2024-02-19T14:20:24.169Z", "dateUpdated": "2024-12-19T08:46:26.704Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26706
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Fix random data corruption from exception handler
The current exception handler implementation, which assists when accessing
user space memory, may exhibit random data corruption if the compiler decides
to use a different register than the specified register %r29 (defined in
ASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another
register, the fault handler will nevertheless store -EFAULT into %r29 and thus
trash whatever this register is used for.
Looking at the assembly I found that this happens sometimes in emulate_ldd().
To solve the issue, the easiest solution would be if it somehow is
possible to tell the fault handler which register is used to hold the error
code. Using %0 or %1 in the inline assembly is not posssible as it will show
up as e.g. %r29 (with the "%r" prefix), which the GNU assembler can not
convert to an integer.
This patch takes another, better and more flexible approach:
We extend the __ex_table (which is out of the execution path) by one 32-word.
In this word we tell the compiler to insert the assembler instruction
"or %r0,%r0,%reg", where %reg references the register which the compiler
choosed for the error return code.
In case of an access failure, the fault handler finds the __ex_table entry and
can examine the opcode. The used register is encoded in the lowest 5 bits, and
the fault handler can then store -EFAULT into this register.
Since we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT
config option any longer.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26706", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:29:32.394995Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:29:43.758Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.642Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/23027309b099ffc4efca5477009a11dccbdae592" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fa69a8063f8b27f3c7434a0d4f464a76a62f24d2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ce31d79aa1f13a2345791f84935281a2c194e003" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8b1d72395635af45410b66cc4c4ab37a12c4a831" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/parisc/Kconfig", "arch/parisc/include/asm/assembly.h", "arch/parisc/include/asm/extable.h", "arch/parisc/include/asm/special_insns.h", "arch/parisc/include/asm/uaccess.h", "arch/parisc/kernel/cache.c", "arch/parisc/kernel/unaligned.c", "arch/parisc/mm/fault.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "23027309b099ffc4efca5477009a11dccbdae592", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fa69a8063f8b27f3c7434a0d4f464a76a62f24d2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ce31d79aa1f13a2345791f84935281a2c194e003", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8b1d72395635af45410b66cc4c4ab37a12c4a831", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/parisc/Kconfig", "arch/parisc/include/asm/assembly.h", "arch/parisc/include/asm/extable.h", "arch/parisc/include/asm/special_insns.h", "arch/parisc/include/asm/uaccess.h", "arch/parisc/kernel/cache.c", "arch/parisc/kernel/unaligned.c", "arch/parisc/mm/fault.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.79", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix random data corruption from exception handler\n\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\n\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\n\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\n\nSince we extend the __ex_table to 3 words we can\u0027t use the BUILDTIME_TABLE_SORT\nconfig option any longer." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:33.339Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/23027309b099ffc4efca5477009a11dccbdae592" }, { "url": "https://git.kernel.org/stable/c/fa69a8063f8b27f3c7434a0d4f464a76a62f24d2" }, { "url": "https://git.kernel.org/stable/c/ce31d79aa1f13a2345791f84935281a2c194e003" }, { "url": "https://git.kernel.org/stable/c/8b1d72395635af45410b66cc4c4ab37a12c4a831" } ], "title": "parisc: Fix random data corruption from exception handler", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26706", "datePublished": "2024-04-03T14:55:09.529Z", "dateReserved": "2024-02-19T14:20:24.158Z", "dateUpdated": "2024-12-19T08:45:33.339Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26753
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: virtio/akcipher - Fix stack overflow on memcpy
sizeof(struct virtio_crypto_akcipher_session_para) is less than
sizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from
stack variable leads stack overflow. Clang reports this issue by
commands:
make -j CC=clang-14 mrproper >/dev/null 2>&1
make -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1
make -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/
virtio_crypto_akcipher_algs.o
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1ff57428894fc4f5001d3df0762c1820295d6c4f Version: 59ca6c93387d325e96577d8bd4c23c78c1491c11 Version: 59ca6c93387d325e96577d8bd4c23c78c1491c11 Version: 59ca6c93387d325e96577d8bd4c23c78c1491c11 Version: 59ca6c93387d325e96577d8bd4c23c78c1491c11 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.229Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/37077ed16c7793e21b005979d33f8a61565b7e86" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/62f361bfea60c6afc3df09c1ad4152e6507f6f47" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b0365460e945e1117b47cf7329d86de752daff63" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ef1e47d50324e232d2da484fe55a54274eeb9bc1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c0ec2a712daf133d9996a8a1b7ee2d4996080363" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26753", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:40.958573Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:15.875Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/crypto/virtio/virtio_crypto_akcipher_algs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "37077ed16c7793e21b005979d33f8a61565b7e86", "status": "affected", "version": "1ff57428894fc4f5001d3df0762c1820295d6c4f", "versionType": "git" }, { "lessThan": "62f361bfea60c6afc3df09c1ad4152e6507f6f47", "status": "affected", "version": "59ca6c93387d325e96577d8bd4c23c78c1491c11", "versionType": "git" }, { "lessThan": "b0365460e945e1117b47cf7329d86de752daff63", "status": "affected", "version": "59ca6c93387d325e96577d8bd4c23c78c1491c11", "versionType": "git" }, { "lessThan": "ef1e47d50324e232d2da484fe55a54274eeb9bc1", "status": "affected", "version": "59ca6c93387d325e96577d8bd4c23c78c1491c11", "versionType": "git" }, { "lessThan": "c0ec2a712daf133d9996a8a1b7ee2d4996080363", "status": "affected", "version": "59ca6c93387d325e96577d8bd4c23c78c1491c11", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/crypto/virtio/virtio_crypto_akcipher_algs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio/akcipher - Fix stack overflow on memcpy\n\nsizeof(struct virtio_crypto_akcipher_session_para) is less than\nsizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from\nstack variable leads stack overflow. Clang reports this issue by\ncommands:\nmake -j CC=clang-14 mrproper \u003e/dev/null 2\u003e\u00261\nmake -j O=/tmp/crypto-build CC=clang-14 allmodconfig \u003e/dev/null 2\u003e\u00261\nmake -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/\n virtio_crypto_akcipher_algs.o" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:30.413Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/37077ed16c7793e21b005979d33f8a61565b7e86" }, { "url": "https://git.kernel.org/stable/c/62f361bfea60c6afc3df09c1ad4152e6507f6f47" }, { "url": "https://git.kernel.org/stable/c/b0365460e945e1117b47cf7329d86de752daff63" }, { "url": "https://git.kernel.org/stable/c/ef1e47d50324e232d2da484fe55a54274eeb9bc1" }, { "url": "https://git.kernel.org/stable/c/c0ec2a712daf133d9996a8a1b7ee2d4996080363" } ], "title": "crypto: virtio/akcipher - Fix stack overflow on memcpy", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26753", "datePublished": "2024-04-03T17:00:38.148Z", "dateReserved": "2024-02-19T14:20:24.169Z", "dateUpdated": "2024-12-19T08:46:30.413Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26808
Vulnerability from cvelistv5
Published
2024-04-04 09:50
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER
event is reported, otherwise a stale reference to netdevice remains in
the hook list.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 60a3815da702fd9e4759945f26cce5c47d3967ad Version: 60a3815da702fd9e4759945f26cce5c47d3967ad Version: 60a3815da702fd9e4759945f26cce5c47d3967ad Version: 60a3815da702fd9e4759945f26cce5c47d3967ad Version: 60a3815da702fd9e4759945f26cce5c47d3967ad Version: 60a3815da702fd9e4759945f26cce5c47d3967ad |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9489e214ea8f2a90345516016aa51f2db3a8cc2f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70f17b48c86622217a58d5099d29242fc9adac58" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/af149a46890e8285d1618bd68b8d159bdb87fdb3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/36a0a80f32209238469deb481967d777a3d539ee" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/01acb2e8666a6529697141a6017edbf206921913" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26808", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-07T15:05:25.057476Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T15:13:04.455Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netfilter/nft_chain_filter.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9489e214ea8f2a90345516016aa51f2db3a8cc2f", "status": "affected", "version": "60a3815da702fd9e4759945f26cce5c47d3967ad", "versionType": "git" }, { "lessThan": "70f17b48c86622217a58d5099d29242fc9adac58", "status": "affected", "version": "60a3815da702fd9e4759945f26cce5c47d3967ad", "versionType": "git" }, { "lessThan": "af149a46890e8285d1618bd68b8d159bdb87fdb3", "status": "affected", "version": "60a3815da702fd9e4759945f26cce5c47d3967ad", "versionType": "git" }, { "lessThan": "e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4", "status": "affected", "version": "60a3815da702fd9e4759945f26cce5c47d3967ad", "versionType": "git" }, { "lessThan": "36a0a80f32209238469deb481967d777a3d539ee", "status": "affected", "version": "60a3815da702fd9e4759945f26cce5c47d3967ad", "versionType": "git" }, { "lessThan": "01acb2e8666a6529697141a6017edbf206921913", "status": "affected", "version": "60a3815da702fd9e4759945f26cce5c47d3967ad", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netfilter/nft_chain_filter.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.210", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.149", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.76", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.15", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\n\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:52.239Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9489e214ea8f2a90345516016aa51f2db3a8cc2f" }, { "url": "https://git.kernel.org/stable/c/70f17b48c86622217a58d5099d29242fc9adac58" }, { "url": "https://git.kernel.org/stable/c/af149a46890e8285d1618bd68b8d159bdb87fdb3" }, { "url": "https://git.kernel.org/stable/c/e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4" }, { "url": "https://git.kernel.org/stable/c/36a0a80f32209238469deb481967d777a3d539ee" }, { "url": "https://git.kernel.org/stable/c/01acb2e8666a6529697141a6017edbf206921913" } ], "title": "netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26808", "datePublished": "2024-04-04T09:50:26.672Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:52.239Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26805
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
syzbot reported the following uninit-value access issue [1]:
netlink_to_full_skb() creates a new `skb` and puts the `skb->data`
passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data
size is specified as `len` and passed to skb_put_data(). This `len`
is based on `skb->end` that is not data offset but buffer offset. The
`skb->end` contains data and tailroom. Since the tailroom is not
initialized when the new `skb` created, KMSAN detects uninitialized
memory area when copying the data.
This patch resolved this issue by correct the len from `skb->end` to
`skb->len`, which is the actual data offset.
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
copy_to_iter include/linux/uio.h:197 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg net/socket.c:1066 [inline]
sock_read_iter+0x467/0x580 net/socket.c:1136
call_read_iter include/linux/fs.h:2014 [inline]
new_sync_read fs/read_write.c:389 [inline]
vfs_read+0x8f6/0xe00 fs/read_write.c:470
ksys_read+0x20f/0x4c0 fs/read_write.c:613
__do_sys_read fs/read_write.c:623 [inline]
__se_sys_read fs/read_write.c:621 [inline]
__x64_sys_read+0x93/0xd0 fs/read_write.c:621
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was stored to memory at:
skb_put_data include/linux/skbuff.h:2622 [inline]
netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]
__netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]
__netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325
netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]
netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
free_pages_prepare mm/page_alloc.c:1087 [inline]
free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347
free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533
release_pages+0x23d3/0x2410 mm/swap.c:1042
free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316
tlb_batch_pages
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1853c949646005b5959c483becde86608f548f24 Version: 1853c949646005b5959c483becde86608f548f24 Version: 1853c949646005b5959c483becde86608f548f24 Version: 1853c949646005b5959c483becde86608f548f24 Version: 1853c949646005b5959c483becde86608f548f24 Version: 1853c949646005b5959c483becde86608f548f24 Version: 1853c949646005b5959c483becde86608f548f24 Version: 1853c949646005b5959c483becde86608f548f24 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26805", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:06:14.957747Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:06:26.202Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.525Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netlink/af_netlink.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ec343a55b687a452f5e87f3b52bf9f155864df65", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" }, { "lessThan": "9ae51361da43270f4ba0eb924427a07e87e48777", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" }, { "lessThan": "f19d1f98e60e68b11fc60839105dd02a30ec0d77", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" }, { "lessThan": "c71ed29d15b1a1ed6c464f8c3536996963046285", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" }, { "lessThan": "0b27bf4c494d61e5663baa34c3edd7ccebf0ea44", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" }, { "lessThan": "d3ada42e534a83b618bbc1e490d23bf0fdae4736", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" }, { "lessThan": "59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" }, { "lessThan": "661779e1fcafe1b74b3f3fe8e980c1e207fea1fd", "status": "affected", "version": "1853c949646005b5959c483becde86608f548f24", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netlink/af_netlink.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.3" }, { "lessThan": "4.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.309", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.271", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\n\nsyzbot reported the following uninit-value access issue [1]:\n\nnetlink_to_full_skb() creates a new `skb` and puts the `skb-\u003edata`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb-\u003eend` that is not data offset but buffer offset. The\n`skb-\u003eend` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\n\nThis patch resolved this issue by correct the len from `skb-\u003eend` to\n`skb-\u003elen`, which is the actual data offset.\n\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:48.563Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65" }, { "url": "https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777" }, { "url": "https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77" }, { "url": "https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285" }, { "url": "https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44" }, { "url": "https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736" }, { "url": "https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d" }, { "url": "https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd" } ], "title": "netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26805", "datePublished": "2024-04-04T08:20:32.250Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:48.563Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26694
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: fix double-free bug
The storage for the TLV PC register data wasn't done like all
the other storage in the drv->fw area, which is cleared at the
end of deallocation. Therefore, the freeing must also be done
differently, explicitly NULL'ing it out after the free, since
otherwise there's a nasty double-free bug here if a file fails
to load after this has been parsed, and we get another free
later (e.g. because no other file exists.) Fix that by adding
the missing NULL assignment.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26694", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:29:52.861166Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:30:17.789Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.834Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/iwl-drv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad", "status": "affected", "version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "versionType": "git" }, { "lessThan": "d24eb9a27bea8fe5237fa71be274391d9d51eff2", "status": "affected", "version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "versionType": "git" }, { "lessThan": "353d321f63f7dbfc9ef58498cc732c9fe886a596", "status": "affected", "version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/iwl-drv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn\u0027t done like all\nthe other storage in the drv-\u003efw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL\u0027ing it out after the free, since\notherwise there\u0027s a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:14.627Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad" }, { "url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2" }, { "url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596" } ], "title": "wifi: iwlwifi: fix double-free bug", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26694", "datePublished": "2024-04-03T14:54:55.138Z", "dateReserved": "2024-02-19T14:20:24.156Z", "dateUpdated": "2024-12-19T08:45:14.627Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26782
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix double-free on socket dismantle
when MPTCP server accepts an incoming connection, it clones its listener
socket. However, the pointer to 'inet_opt' for the new socket has the same
value as the original one: as a consequence, on program exit it's possible
to observe the following splat:
BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0
Free of addr ffff888485950880 by task swapper/25/0
CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609
Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
Call Trace:
<IRQ>
dump_stack_lvl+0x32/0x50
print_report+0xca/0x620
kasan_report_invalid_free+0x64/0x90
__kasan_slab_free+0x1aa/0x1f0
kfree+0xed/0x2e0
inet_sock_destruct+0x54f/0x8b0
__sk_destruct+0x48/0x5b0
rcu_do_batch+0x34e/0xd90
rcu_core+0x559/0xac0
__do_softirq+0x183/0x5a4
irq_exit_rcu+0x12d/0x170
sysvec_apic_timer_interrupt+0x6b/0x80
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:cpuidle_enter_state+0x175/0x300
Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b
RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000
RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588
RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080
R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0
R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80
cpuidle_enter+0x4a/0xa0
do_idle+0x310/0x410
cpu_startup_entry+0x51/0x60
start_secondary+0x211/0x270
secondary_startup_64_no_verify+0x184/0x18b
</TASK>
Allocated by task 6853:
kasan_save_stack+0x1c/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0xa6/0xb0
__kmalloc+0x1eb/0x450
cipso_v4_sock_setattr+0x96/0x360
netlbl_sock_setattr+0x132/0x1f0
selinux_netlbl_socket_post_create+0x6c/0x110
selinux_socket_post_create+0x37b/0x7f0
security_socket_post_create+0x63/0xb0
__sock_create+0x305/0x450
__sys_socket_create.part.23+0xbd/0x130
__sys_socket+0x37/0xb0
__x64_sys_socket+0x6f/0xb0
do_syscall_64+0x83/0x160
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Freed by task 6858:
kasan_save_stack+0x1c/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x12c/0x1f0
kfree+0xed/0x2e0
inet_sock_destruct+0x54f/0x8b0
__sk_destruct+0x48/0x5b0
subflow_ulp_release+0x1f0/0x250
tcp_cleanup_ulp+0x6e/0x110
tcp_v4_destroy_sock+0x5a/0x3a0
inet_csk_destroy_sock+0x135/0x390
tcp_fin+0x416/0x5c0
tcp_data_queue+0x1bc8/0x4310
tcp_rcv_state_process+0x15a3/0x47b0
tcp_v4_do_rcv+0x2c1/0x990
tcp_v4_rcv+0x41fb/0x5ed0
ip_protocol_deliver_rcu+0x6d/0x9f0
ip_local_deliver_finish+0x278/0x360
ip_local_deliver+0x182/0x2c0
ip_rcv+0xb5/0x1c0
__netif_receive_skb_one_core+0x16e/0x1b0
process_backlog+0x1e3/0x650
__napi_poll+0xa6/0x500
net_rx_action+0x740/0xbb0
__do_softirq+0x183/0x5a4
The buggy address belongs to the object at ffff888485950880
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff888485950880, ffff8884859508c0)
The buggy address belongs to the physical page:
page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950
flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006
raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888485950780: fa fb fb
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be Version: cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be Version: cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be Version: cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be Version: cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be Version: cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.370Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26782", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:51:05.325955Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:51.835Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/mptcp/protocol.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f74362a004225df935863dea6eb7d82daaa5b16e", "status": "affected", "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be", "versionType": "git" }, { "lessThan": "4a4eeb6912538c2d0b158e8d11b62d96c1dada4e", "status": "affected", "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be", "versionType": "git" }, { "lessThan": "d93fd40c62397326046902a2c5cb75af50882a85", "status": "affected", "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be", "versionType": "git" }, { "lessThan": "ce0809ada38dca8d6d41bb57ab40494855c30582", "status": "affected", "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be", "versionType": "git" }, { "lessThan": "85933e80d077c9ae2227226beb86c22f464059cc", "status": "affected", "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be", "versionType": "git" }, { "lessThan": "10048689def7e40a4405acda16fdc6477d4ecc5c", "status": "affected", "version": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/mptcp/protocol.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to \u0027inet_opt\u0027 for the new socket has the same\nvalue as the original one: as a consequence, on program exit it\u0027s possible\nto observe the following splat:\n\n BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n Free of addr ffff888485950880 by task swapper/25/0\n\n CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x32/0x50\n print_report+0xca/0x620\n kasan_report_invalid_free+0x64/0x90\n __kasan_slab_free+0x1aa/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n rcu_do_batch+0x34e/0xd90\n rcu_core+0x559/0xac0\n __do_softirq+0x183/0x5a4\n irq_exit_rcu+0x12d/0x170\n sysvec_apic_timer_interrupt+0x6b/0x80\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n RIP: 0010:cpuidle_enter_state+0x175/0x300\n Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed \u003c0f\u003e 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n cpuidle_enter+0x4a/0xa0\n do_idle+0x310/0x410\n cpu_startup_entry+0x51/0x60\n start_secondary+0x211/0x270\n secondary_startup_64_no_verify+0x184/0x18b\n \u003c/TASK\u003e\n\n Allocated by task 6853:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0xa6/0xb0\n __kmalloc+0x1eb/0x450\n cipso_v4_sock_setattr+0x96/0x360\n netlbl_sock_setattr+0x132/0x1f0\n selinux_netlbl_socket_post_create+0x6c/0x110\n selinux_socket_post_create+0x37b/0x7f0\n security_socket_post_create+0x63/0xb0\n __sock_create+0x305/0x450\n __sys_socket_create.part.23+0xbd/0x130\n __sys_socket+0x37/0xb0\n __x64_sys_socket+0x6f/0xb0\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 6858:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x12c/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n subflow_ulp_release+0x1f0/0x250\n tcp_cleanup_ulp+0x6e/0x110\n tcp_v4_destroy_sock+0x5a/0x3a0\n inet_csk_destroy_sock+0x135/0x390\n tcp_fin+0x416/0x5c0\n tcp_data_queue+0x1bc8/0x4310\n tcp_rcv_state_process+0x15a3/0x47b0\n tcp_v4_do_rcv+0x2c1/0x990\n tcp_v4_rcv+0x41fb/0x5ed0\n ip_protocol_deliver_rcu+0x6d/0x9f0\n ip_local_deliver_finish+0x278/0x360\n ip_local_deliver+0x182/0x2c0\n ip_rcv+0xb5/0x1c0\n __netif_receive_skb_one_core+0x16e/0x1b0\n process_backlog+0x1e3/0x650\n __napi_poll+0xa6/0x500\n net_rx_action+0x740/0xbb0\n __do_softirq+0x183/0x5a4\n\n The buggy address belongs to the object at ffff888485950880\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes inside of\n 64-byte region [ffff888485950880, ffff8884859508c0)\n\n The buggy address belongs to the physical page:\n page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888485950780: fa fb fb\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:20.456Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e" }, { "url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e" }, { "url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85" }, { "url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582" }, { "url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc" }, { "url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c" } ], "title": "mptcp: fix double-free on socket dismantle", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26782", "datePublished": "2024-04-04T08:20:16.472Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:20.456Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26736
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:46
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Increase buffer size in afs_update_volume_status()
The max length of volume->vid value is 20 characters.
So increase idbuf[] size up to 24 to avoid overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d2ddc776a4581d900fc3bdc7803b403daae64d88 Version: d2ddc776a4581d900fc3bdc7803b403daae64d88 Version: d2ddc776a4581d900fc3bdc7803b403daae64d88 Version: d2ddc776a4581d900fc3bdc7803b403daae64d88 Version: d2ddc776a4581d900fc3bdc7803b403daae64d88 Version: d2ddc776a4581d900fc3bdc7803b403daae64d88 Version: d2ddc776a4581d900fc3bdc7803b403daae64d88 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26736", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T17:35:04.677455Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:32.562Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.959Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5c27d85a69fa16a08813ba37ddfb4bbc9a1ed6b5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d9b5e2b7a8196850383c70d099bfd39e81ab6637" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e56662160fc24d28cb75ac095cc6415ae1bda43e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e8530b170e464017203e3b8c6c49af6e916aece1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6e6065dd25b661420fac19c34282b6c626fcd35e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d34a5e57632bb5ff825196ddd9a48ca403626dfa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/afs/volume.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5c27d85a69fa16a08813ba37ddfb4bbc9a1ed6b5", "status": "affected", "version": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "versionType": "git" }, { "lessThan": "d9b5e2b7a8196850383c70d099bfd39e81ab6637", "status": "affected", "version": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "versionType": "git" }, { "lessThan": "e56662160fc24d28cb75ac095cc6415ae1bda43e", "status": "affected", "version": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "versionType": "git" }, { "lessThan": "e8530b170e464017203e3b8c6c49af6e916aece1", "status": "affected", "version": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "versionType": "git" }, { "lessThan": "6e6065dd25b661420fac19c34282b6c626fcd35e", "status": "affected", "version": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "versionType": "git" }, { "lessThan": "d34a5e57632bb5ff825196ddd9a48ca403626dfa", "status": "affected", "version": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "versionType": "git" }, { "lessThan": "6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d", "status": "affected", "version": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/afs/volume.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Increase buffer size in afs_update_volume_status()\n\nThe max length of volume-\u003evid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[DH: Actually, it\u0027s 20 + NUL, so increase it to 24 and use snprintf()]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:46:09.522Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5c27d85a69fa16a08813ba37ddfb4bbc9a1ed6b5" }, { "url": "https://git.kernel.org/stable/c/d9b5e2b7a8196850383c70d099bfd39e81ab6637" }, { "url": "https://git.kernel.org/stable/c/e56662160fc24d28cb75ac095cc6415ae1bda43e" }, { "url": "https://git.kernel.org/stable/c/e8530b170e464017203e3b8c6c49af6e916aece1" }, { "url": "https://git.kernel.org/stable/c/6e6065dd25b661420fac19c34282b6c626fcd35e" }, { "url": "https://git.kernel.org/stable/c/d34a5e57632bb5ff825196ddd9a48ca403626dfa" }, { "url": "https://git.kernel.org/stable/c/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d" } ], "title": "afs: Increase buffer size in afs_update_volume_status()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26736", "datePublished": "2024-04-03T17:00:22.693Z", "dateReserved": "2024-02-19T14:20:24.166Z", "dateUpdated": "2024-12-19T08:46:09.522Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26795
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: Sparse-Memory/vmemmap out-of-bounds fix
Offset vmemmap so that the first page of vmemmap will be mapped
to the first page of physical memory in order to ensure that
vmemmap’s bounds will be respected during
pfn_to_page()/page_to_pfn() operations.
The conversion macros will produce correct SV39/48/57 addresses
for every possible/valid DRAM_BASE inside the physical memory limits.
v2:Address Alex's comments
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d95f1a542c3df396137afa217ef9bd39cb8931ca Version: d95f1a542c3df396137afa217ef9bd39cb8931ca Version: d95f1a542c3df396137afa217ef9bd39cb8931ca Version: d95f1a542c3df396137afa217ef9bd39cb8931ca Version: d95f1a542c3df396137afa217ef9bd39cb8931ca Version: d95f1a542c3df396137afa217ef9bd39cb8931ca |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26795", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:27:22.580328Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:27:29.143Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.470Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/riscv/include/asm/pgtable.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8af1c121b0102041809bc137ec600d1865eaeedd", "status": "affected", "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca", "versionType": "git" }, { "lessThan": "5941a90c55d3bfba732b32208d58d997600b44ef", "status": "affected", "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca", "versionType": "git" }, { "lessThan": "8310080799b40fd9f2a8b808c657269678c149af", "status": "affected", "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca", "versionType": "git" }, { "lessThan": "a278d5c60f21aa15d540abb2f2da6e6d795c3e6e", "status": "affected", "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca", "versionType": "git" }, { "lessThan": "2a1728c15ec4f45ed9248ae22f626541c179bfbe", "status": "affected", "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca", "versionType": "git" }, { "lessThan": "a11dd49dcb9376776193e15641f84fcc1e5980c9", "status": "affected", "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/riscv/include/asm/pgtable.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.212", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap\u2019s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex\u0027s comments" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:36.408Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd" }, { "url": "https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef" }, { "url": "https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af" }, { "url": "https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e" }, { "url": "https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe" }, { "url": "https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9" } ], "title": "riscv: Sparse-Memory/vmemmap out-of-bounds fix", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26795", "datePublished": "2024-04-04T08:20:25.063Z", "dateReserved": "2024-02-19T14:20:24.178Z", "dateUpdated": "2024-12-19T08:47:36.408Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26806
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks
The ->runtime_suspend() and ->runtime_resume() callbacks are not
expected to call spi_controller_suspend() and spi_controller_resume().
Remove calls to those in the cadence-qspi driver.
Those helpers have two roles currently:
- They stop/start the queue, including dealing with the kworker.
- They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It
requires acquiring ctlr->bus_lock_mutex.
Step one is irrelevant because cadence-qspi is not queued. Step two
however has two implications:
- A deadlock occurs, because ->runtime_resume() is called in a context
where the lock is already taken (in the ->exec_op() callback, where
the usage count is incremented).
- It would disallow all operations once the device is auto-suspended.
Here is a brief call tree highlighting the mutex deadlock:
spi_mem_exec_op()
...
spi_mem_access_start()
mutex_lock(&ctlr->bus_lock_mutex)
cqspi_exec_mem_op()
pm_runtime_resume_and_get()
cqspi_resume()
spi_controller_resume()
mutex_lock(&ctlr->bus_lock_mutex)
...
spi_mem_access_end()
mutex_unlock(&ctlr->bus_lock_mutex)
...
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26806", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T17:28:20.913168Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:23.037Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/041562ebc4759c9932b59a06527f8753b86da365" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/959043afe53ae80633e810416cee6076da6e91c6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/spi/spi-cadence-quadspi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "041562ebc4759c9932b59a06527f8753b86da365", "status": "affected", "version": "0578a6dbfe7514db7134501cf93acc21cf13e479", "versionType": "git" }, { "lessThan": "959043afe53ae80633e810416cee6076da6e91c6", "status": "affected", "version": "0578a6dbfe7514db7134501cf93acc21cf13e479", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/spi/spi-cadence-quadspi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks\n\nThe -\u003eruntime_suspend() and -\u003eruntime_resume() callbacks are not\nexpected to call spi_controller_suspend() and spi_controller_resume().\nRemove calls to those in the cadence-qspi driver.\n\nThose helpers have two roles currently:\n - They stop/start the queue, including dealing with the kworker.\n - They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It\n requires acquiring ctlr-\u003ebus_lock_mutex.\n\nStep one is irrelevant because cadence-qspi is not queued. Step two\nhowever has two implications:\n - A deadlock occurs, because -\u003eruntime_resume() is called in a context\n where the lock is already taken (in the -\u003eexec_op() callback, where\n the usage count is incremented).\n - It would disallow all operations once the device is auto-suspended.\n\nHere is a brief call tree highlighting the mutex deadlock:\n\nspi_mem_exec_op()\n ...\n spi_mem_access_start()\n mutex_lock(\u0026ctlr-\u003ebus_lock_mutex)\n\n cqspi_exec_mem_op()\n pm_runtime_resume_and_get()\n cqspi_resume()\n spi_controller_resume()\n mutex_lock(\u0026ctlr-\u003ebus_lock_mutex)\n ...\n\n spi_mem_access_end()\n mutex_unlock(\u0026ctlr-\u003ebus_lock_mutex)\n ..." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:49.882Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/041562ebc4759c9932b59a06527f8753b86da365" }, { "url": "https://git.kernel.org/stable/c/959043afe53ae80633e810416cee6076da6e91c6" } ], "title": "spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26806", "datePublished": "2024-04-04T08:20:33.512Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:49.882Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26769
Vulnerability from cvelistv5
Published
2024-04-03 17:00
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: avoid deadlock on delete association path
When deleting an association the shutdown path is deadlocking because we
try to flush the nvmet_wq nested. Avoid this by deadlock by deferring
the put work into its own work item.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26769", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-16T14:13:29.356049Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-01T15:27:15.624Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.328Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1d86f79287206deec36d63b89c741cf542b6cadd" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/710c69dbaccdac312e32931abcb8499c1525d397" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/nvme/target/fc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5e0bc09a52b6169ce90f7ac6e195791adb16cec4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1d86f79287206deec36d63b89c741cf542b6cadd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "710c69dbaccdac312e32931abcb8499c1525d397", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/nvme/target/fc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid deadlock on delete association path\n\nWhen deleting an association the shutdown path is deadlocking because we\ntry to flush the nvmet_wq nested. Avoid this by deadlock by deferring\nthe put work into its own work item." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:04.557Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4" }, { "url": "https://git.kernel.org/stable/c/9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8" }, { "url": "https://git.kernel.org/stable/c/eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30" }, { "url": "https://git.kernel.org/stable/c/1d86f79287206deec36d63b89c741cf542b6cadd" }, { "url": "https://git.kernel.org/stable/c/710c69dbaccdac312e32931abcb8499c1525d397" } ], "title": "nvmet-fc: avoid deadlock on delete association path", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26769", "datePublished": "2024-04-03T17:00:56.019Z", "dateReserved": "2024-02-19T14:20:24.175Z", "dateUpdated": "2024-12-19T08:47:04.557Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26802
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
stmmac: Clear variable when destroying workqueue
Currently when suspending driver and stopping workqueue it is checked whether
workqueue is not NULL and if so, it is destroyed.
Function destroy_workqueue() does drain queue and does clear variable, but
it does not set workqueue variable to NULL. This can cause kernel/module
panic if code attempts to clear workqueue that was not initialized.
This scenario is possible when resuming suspended driver in stmmac_resume(),
because there is no handling for failed stmmac_hw_setup(),
which can fail and return if DMA engine has failed to initialize,
and workqueue is initialized after DMA engine.
Should DMA engine fail to initialize, resume will proceed normally,
but interface won't work and TX queue will eventually timeout,
causing 'Reset adapter' error.
This then does destroy workqueue during reset process.
And since workqueue is initialized after DMA engine and can be skipped,
it will cause kernel/module panic.
To secure against this possible crash, set workqueue variable to NULL when
destroying workqueue.
Log/backtrace from crash goes as follows:
[88.031977]------------[ cut here ]------------
[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398
<Skipping backtrace for watchdog timeout>
[88.032251]---[ end trace e70de432e4d5c2c0 ]---
[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.
[88.036359]------------[ cut here ]------------
[88.036519]Call trace:
[88.036523] flush_workqueue+0x3e4/0x430
[88.036528] drain_workqueue+0xc4/0x160
[88.036533] destroy_workqueue+0x40/0x270
[88.036537] stmmac_fpe_stop_wq+0x4c/0x70
[88.036541] stmmac_release+0x278/0x280
[88.036546] __dev_close_many+0xcc/0x158
[88.036551] dev_close_many+0xbc/0x190
[88.036555] dev_close.part.0+0x70/0xc0
[88.036560] dev_close+0x24/0x30
[88.036564] stmmac_service_task+0x110/0x140
[88.036569] process_one_work+0x1d8/0x4a0
[88.036573] worker_thread+0x54/0x408
[88.036578] kthread+0x164/0x170
[88.036583] ret_from_fork+0x10/0x20
[88.036588]---[ end trace e70de432e4d5c2c1 ]---
[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5a5586112b929546e16029261a987c9197bfdfa2 Version: 5a5586112b929546e16029261a987c9197bfdfa2 Version: 5a5586112b929546e16029261a987c9197bfdfa2 Version: 5a5586112b929546e16029261a987c9197bfdfa2 Version: 5a5586112b929546e16029261a987c9197bfdfa2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26802", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-05T18:39:40.644650Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:39.143Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.590Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8e99556301172465c8fe33c7f78c39a3d4ce8462", "status": "affected", "version": "5a5586112b929546e16029261a987c9197bfdfa2", "versionType": "git" }, { "lessThan": "17ccd9798fe0beda3db212cfa3ebe373f605cbd6", "status": "affected", "version": "5a5586112b929546e16029261a987c9197bfdfa2", "versionType": "git" }, { "lessThan": "699b103e48ce32d03fc86c35b37ee8ae4288c7e3", "status": "affected", "version": "5a5586112b929546e16029261a987c9197bfdfa2", "versionType": "git" }, { "lessThan": "f72cf22dccc94038cbbaa1029cb575bf52e5cbc8", "status": "affected", "version": "5a5586112b929546e16029261a987c9197bfdfa2", "versionType": "git" }, { "lessThan": "8af411bbba1f457c33734795f024d0ef26d0963f", "status": "affected", "version": "5a5586112b929546e16029261a987c9197bfdfa2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.151", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.81", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.21", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: Clear variable when destroying workqueue\n\nCurrently when suspending driver and stopping workqueue it is checked whether\nworkqueue is not NULL and if so, it is destroyed.\nFunction destroy_workqueue() does drain queue and does clear variable, but\nit does not set workqueue variable to NULL. This can cause kernel/module\npanic if code attempts to clear workqueue that was not initialized.\n\nThis scenario is possible when resuming suspended driver in stmmac_resume(),\nbecause there is no handling for failed stmmac_hw_setup(),\nwhich can fail and return if DMA engine has failed to initialize,\nand workqueue is initialized after DMA engine.\nShould DMA engine fail to initialize, resume will proceed normally,\nbut interface won\u0027t work and TX queue will eventually timeout,\ncausing \u0027Reset adapter\u0027 error.\nThis then does destroy workqueue during reset process.\nAnd since workqueue is initialized after DMA engine and can be skipped,\nit will cause kernel/module panic.\n\nTo secure against this possible crash, set workqueue variable to NULL when\ndestroying workqueue.\n\nLog/backtrace from crash goes as follows:\n[88.031977]------------[ cut here ]------------\n[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out\n[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398\n \u003cSkipping backtrace for watchdog timeout\u003e\n[88.032251]---[ end trace e70de432e4d5c2c0 ]---\n[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.\n[88.036359]------------[ cut here ]------------\n[88.036519]Call trace:\n[88.036523] flush_workqueue+0x3e4/0x430\n[88.036528] drain_workqueue+0xc4/0x160\n[88.036533] destroy_workqueue+0x40/0x270\n[88.036537] stmmac_fpe_stop_wq+0x4c/0x70\n[88.036541] stmmac_release+0x278/0x280\n[88.036546] __dev_close_many+0xcc/0x158\n[88.036551] dev_close_many+0xbc/0x190\n[88.036555] dev_close.part.0+0x70/0xc0\n[88.036560] dev_close+0x24/0x30\n[88.036564] stmmac_service_task+0x110/0x140\n[88.036569] process_one_work+0x1d8/0x4a0\n[88.036573] worker_thread+0x54/0x408\n[88.036578] kthread+0x164/0x170\n[88.036583] ret_from_fork+0x10/0x20\n[88.036588]---[ end trace e70de432e4d5c2c1 ]---\n[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:44.770Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462" }, { "url": "https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6" }, { "url": "https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3" }, { "url": "https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8" }, { "url": "https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f" } ], "title": "stmmac: Clear variable when destroying workqueue", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26802", "datePublished": "2024-04-04T08:20:29.919Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:44.770Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26809
Vulnerability from cvelistv5
Published
2024-04-04 09:51
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: release elements in clone only from destroy path
Clone already always provides a current view of the lookup table, use it
to destroy the set, otherwise it is possible to destroy elements twice.
This fix requires:
212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
which came after:
9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path").
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4a6430b99f67842617c7208ca55a411e903ba03a Version: 5ccecafc728b0df48263d5ac198220bcd79830bc Version: 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Version: 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Version: 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Version: 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Version: 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.546Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-26809", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:50:40.137148Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:44.659Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_pipapo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b36b83297ff4910dfc8705402c8abffd4bbf8144", "status": "affected", "version": "4a6430b99f67842617c7208ca55a411e903ba03a", "versionType": "git" }, { "lessThan": "362508506bf545e9ce18c72a2c48dcbfb891ab9c", "status": "affected", "version": "5ccecafc728b0df48263d5ac198220bcd79830bc", "versionType": "git" }, { "lessThan": "5ad233dc731ab64cdc47b84a5c1f78fff6c024af", "status": "affected", "version": "9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e", "versionType": "git" }, { "lessThan": "ff90050771412b91e928093ccd8736ae680063c2", "status": "affected", "version": "9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e", "versionType": "git" }, { "lessThan": "821e28d5b506e6a73ccc367ff792bd894050d48b", "status": "affected", "version": "9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e", "versionType": "git" }, { "lessThan": "9384b4d85c46ce839f51af01374062ce6318b2f2", "status": "affected", "version": "9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e", "versionType": "git" }, { "lessThan": "b0e256f3dd2ba6532f37c5c22e07cb07a36031ee", "status": "affected", "version": "9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_pipapo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.214", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.153", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.83", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.23", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.11", "versionType": "semver" }, { "lessThanOrEqual": "6.8.*", "status": "unaffected", "version": "6.8.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\")." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:53.466Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144" }, { "url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c" }, { "url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af" }, { "url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2" }, { "url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b" }, { "url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2" }, { "url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee" } ], "title": "netfilter: nft_set_pipapo: release elements in clone only from destroy path", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26809", "datePublished": "2024-04-04T09:51:51.245Z", "dateReserved": "2024-02-19T14:20:24.179Z", "dateUpdated": "2024-12-19T08:47:53.466Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26783
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index
With numa balancing on, when a numa system is running where a numa node
doesn't have its local memory so it has no managed zones, the following
oops has been observed. It's because wakeup_kswapd() is called with a
wrong zone index, -1. Fixed it by checking the index before calling
wakeup_kswapd().
> BUG: unable to handle page fault for address: 00000000000033f3
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)
> Code: (omitted)
> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286
> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480
> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff
> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003
> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940
> FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <TASK>
> ? __die
> ? page_fault_oops
> ? __pte_offset_map_lock
> ? exc_page_fault
> ? asm_exc_page_fault
> ? wakeup_kswapd
> migrate_misplaced_page
> __handle_mm_fault
> handle_mm_fault
> do_user_addr_fault
> exc_page_fault
> asm_exc_page_fault
> RIP: 0033:0x55b897ba0808
> Code: (omitted)
> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287
> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0
> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0
> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075
> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000
> </TASK>
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26783", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T16:20:18.928013Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:21.039Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.473Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d6159bd4c00594249e305bfe02304c67c506264e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bdd21eed8b72f9e28d6c279f6db258e090c79080" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2774f256e7c0219e2b0a0894af1c76bdabc4f974" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/migrate.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d6159bd4c00594249e305bfe02304c67c506264e", "status": "affected", "version": "c574bbe917036c8968b984c82c7b13194fe5ce98", "versionType": "git" }, { "lessThan": "bdd21eed8b72f9e28d6c279f6db258e090c79080", "status": "affected", "version": "c574bbe917036c8968b984c82c7b13194fe5ce98", "versionType": "git" }, { "lessThan": "2774f256e7c0219e2b0a0894af1c76bdabc4f974", "status": "affected", "version": "c574bbe917036c8968b984c82c7b13194fe5ce98", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/migrate.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.22", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index\n\nWith numa balancing on, when a numa system is running where a numa node\ndoesn\u0027t have its local memory so it has no managed zones, the following\noops has been observed. It\u0027s because wakeup_kswapd() is called with a\nwrong zone index, -1. Fixed it by checking the index before calling\nwakeup_kswapd().\n\n\u003e BUG: unable to handle page fault for address: 00000000000033f3\n\u003e #PF: supervisor read access in kernel mode\n\u003e #PF: error_code(0x0000) - not-present page\n\u003e PGD 0 P4D 0\n\u003e Oops: 0000 [#1] PREEMPT SMP NOPTI\n\u003e CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255\n\u003e Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n\u003e rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n\u003e RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)\n\u003e Code: (omitted)\n\u003e RSP: 0000:ffffc90004257d58 EFLAGS: 00010286\n\u003e RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003\n\u003e RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480\n\u003e RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff\n\u003e R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003\n\u003e R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940\n\u003e FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000\n\u003e CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\u003e CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0\n\u003e DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n\u003e DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\u003e PKRU: 55555554\n\u003e Call Trace:\n\u003e \u003cTASK\u003e\n\u003e ? __die\n\u003e ? page_fault_oops\n\u003e ? __pte_offset_map_lock\n\u003e ? exc_page_fault\n\u003e ? asm_exc_page_fault\n\u003e ? wakeup_kswapd\n\u003e migrate_misplaced_page\n\u003e __handle_mm_fault\n\u003e handle_mm_fault\n\u003e do_user_addr_fault\n\u003e exc_page_fault\n\u003e asm_exc_page_fault\n\u003e RIP: 0033:0x55b897ba0808\n\u003e Code: (omitted)\n\u003e RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287\n\u003e RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0\n\u003e RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0\n\u003e RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075\n\u003e R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n\u003e R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000\n\u003e \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:21.652Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d6159bd4c00594249e305bfe02304c67c506264e" }, { "url": "https://git.kernel.org/stable/c/bdd21eed8b72f9e28d6c279f6db258e090c79080" }, { "url": "https://git.kernel.org/stable/c/2774f256e7c0219e2b0a0894af1c76bdabc4f974" } ], "title": "mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26783", "datePublished": "2024-04-04T08:20:17.118Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:21.652Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26784
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal
On unloading of the scmi_perf_domain module got the below splat, when in
the DT provided to the system under test the '#power-domain-cells' property
was missing. Indeed, this particular setup causes the probe to bail out
early without giving any error, which leads to the ->remove() callback gets
to run too, but without all the expected initialized structures in place.
Add a check and bail out early on remove too.
Call trace:
scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain]
scmi_dev_remove+0x28/0x40 [scmi_core]
device_remove+0x54/0x90
device_release_driver_internal+0x1dc/0x240
driver_detach+0x58/0xa8
bus_remove_driver+0x78/0x108
driver_unregister+0x38/0x70
scmi_driver_unregister+0x28/0x180 [scmi_core]
scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain]
__arm64_sys_delete_module+0x1a8/0x2c0
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0x48/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x34/0xb8
el0t_64_sync_handler+0x100/0x130
el0t_64_sync+0x190/0x198
Code: a90153f3 f9403c14 f9414800 955f8a05 (b9400a80)
---[ end trace 0000000000000000 ]---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26784", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T19:27:05.325313Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T19:27:12.883Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.469Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f6aaf131e4d4a9a26040ecc018eb70ab8b3d355d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/eb5555d422d0fc325e1574a7353d3c616f82d8b5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/pmdomain/arm/scmi_perf_domain.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f6aaf131e4d4a9a26040ecc018eb70ab8b3d355d", "status": "affected", "version": "2af23ceb8624a419eaf40295c11fcb86ec9ee303", "versionType": "git" }, { "lessThan": "eb5555d422d0fc325e1574a7353d3c616f82d8b5", "status": "affected", "version": "2af23ceb8624a419eaf40295c11fcb86ec9ee303", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/pmdomain/arm/scmi_perf_domain.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: Fix NULL dereference on scmi_perf_domain removal\n\nOn unloading of the scmi_perf_domain module got the below splat, when in\nthe DT provided to the system under test the \u0027#power-domain-cells\u0027 property\nwas missing. Indeed, this particular setup causes the probe to bail out\nearly without giving any error, which leads to the -\u003eremove() callback gets\nto run too, but without all the expected initialized structures in place.\n\nAdd a check and bail out early on remove too.\n\n Call trace:\n scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain]\n scmi_dev_remove+0x28/0x40 [scmi_core]\n device_remove+0x54/0x90\n device_release_driver_internal+0x1dc/0x240\n driver_detach+0x58/0xa8\n bus_remove_driver+0x78/0x108\n driver_unregister+0x38/0x70\n scmi_driver_unregister+0x28/0x180 [scmi_core]\n scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain]\n __arm64_sys_delete_module+0x1a8/0x2c0\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x34/0xb8\n el0t_64_sync_handler+0x100/0x130\n el0t_64_sync+0x190/0x198\n Code: a90153f3 f9403c14 f9414800 955f8a05 (b9400a80)\n ---[ end trace 0000000000000000 ]---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:22.845Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f6aaf131e4d4a9a26040ecc018eb70ab8b3d355d" }, { "url": "https://git.kernel.org/stable/c/eb5555d422d0fc325e1574a7353d3c616f82d8b5" } ], "title": "pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26784", "datePublished": "2024-04-04T08:20:17.836Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:22.845Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26778
Vulnerability from cvelistv5
Published
2024-04-03 17:01
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: savage: Error out if pixclock equals zero
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of pixclock,
it may cause divide-by-zero error.
Although pixclock is checked in savagefb_decode_var(), but it is not
checked properly in savagefb_probe(). Fix this by checking whether
pixclock is zero in the function savagefb_check_var() before
info->var.pixclock is used as the divisor.
This is similar to CVE-2022-3061 in i740fb which was fixed by
commit 15cf0b8.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26778", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:06:44.068367Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:06:55.000Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.314Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/savage/savagefb_driver.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "224453de8505aede1890f007be973925a3edf6a1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "512ee6d6041e007ef5bf200c6e388e172a2c5b24", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "070398d32c5f3ab0e890374904ad94551c76aec4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bc3c2e58d73b28b9a8789fca84778ee165a72d13", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a9ca4e80d23474f90841251f4ac0d941fa337a01", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/savage/savagefb_driver.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.308", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.270", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.211", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.150", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.19", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn\u0027t check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo-\u003evar.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:15.602Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1" }, { "url": "https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff" }, { "url": "https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24" }, { "url": "https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1" }, { "url": "https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4" }, { "url": "https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13" }, { "url": "https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01" }, { "url": "https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288" } ], "title": "fbdev: savage: Error out if pixclock equals zero", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26778", "datePublished": "2024-04-03T17:01:08.782Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:15.602Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26781
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-12-19 08:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix possible deadlock in subflow diag
Syzbot and Eric reported a lockdep splat in the subflow diag:
WARNING: possible circular locking dependency detected
6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted
syz-executor.2/24141 is trying to acquire lock:
ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137
but task is already holding lock:
ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock
include/linux/spinlock.h:351 [inline]
ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:
inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
__inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743
inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261
__inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217
inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239
rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316
rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577
ops_init+0x352/0x610 net/core/net_namespace.c:136
__register_pernet_operations net/core/net_namespace.c:1214 [inline]
register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283
register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370
rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735
do_one_initcall+0x238/0x830 init/main.c:1236
do_initcall_level+0x157/0x210 init/main.c:1298
do_initcalls+0x3f/0x80 init/main.c:1314
kernel_init_freeable+0x42f/0x5d0 init/main.c:1551
kernel_init+0x1d/0x2a0 init/main.c:1441
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
-> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
lock_sock_fast include/net/sock.h:1723 [inline]
subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061
__inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263
inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371
netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264
__netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370
netlink_dump_start include/linux/netlink.h:338 [inline]
inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405
sock_diag_rcv_msg+0xe7/0x410
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
As noted by Eric we can break the lock dependency chain avoid
dumping
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8affdbb3e2ef6b6a3a467b87dc336dc601dc2ed9 Version: 7d6e8d7ee13b876e762b11f4ec210876ab7aec84 Version: 71787c665d09a970b9280c285181d3a2d1bf3bb0 Version: e074c8297ee421e7ff352404262fe0e042954ab7 Version: 298ac00da8e6bc2dcd690b45108acbd944c347d3 Version: b8adb69a7d29c2d33eb327bca66476fb6066516b |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26781", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-04T15:25:28.472646Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:49:22.582Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:13.451Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/mptcp/diag.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "70e5b013538d5e4cb421afed431a5fcd2a5d49ee", "status": "affected", "version": "8affdbb3e2ef6b6a3a467b87dc336dc601dc2ed9", "versionType": "git" }, { "lessThan": "cc32ba2fdf3f8b136619fff551f166ba51ec856d", "status": "affected", "version": "7d6e8d7ee13b876e762b11f4ec210876ab7aec84", "versionType": "git" }, { "lessThan": "f27d319df055629480b84b9288a502337b6f2a2e", "status": "affected", "version": "71787c665d09a970b9280c285181d3a2d1bf3bb0", "versionType": "git" }, { "lessThan": "fa8c776f4c323a9fbc8ddf25edcb962083391430", "status": "affected", "version": "e074c8297ee421e7ff352404262fe0e042954ab7", "versionType": "git" }, { "lessThan": "d487e7ba1bc7444d5f062c4930ef8436c47c7e63", "status": "affected", "version": "298ac00da8e6bc2dcd690b45108acbd944c347d3", "versionType": "git" }, { "lessThan": "d6a9608af9a75d13243d217f6ce1e30e57d56ffe", "status": "affected", "version": "b8adb69a7d29c2d33eb327bca66476fb6066516b", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/mptcp/diag.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5.10.212", "status": "affected", "version": "5.10.211", "versionType": "semver" }, { "lessThan": "5.15.151", "status": "affected", "version": "5.15.150", "versionType": "semver" }, { "lessThan": "6.1.81", "status": "affected", "version": "6.1.80", "versionType": "semver" }, { "lessThan": "6.6.21", "status": "affected", "version": "6.6.19", "versionType": "semver" }, { "lessThan": "6.7.9", "status": "affected", "version": "6.7.7", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n WARNING: possible circular locking dependency detected\n 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n syz-executor.2/24141 is trying to acquire lock:\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n but task is already holding lock:\n ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n include/linux/spinlock.h:351 [inline]\n ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at:\n inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #1 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n spin_lock include/linux/spinlock.h:351 [inline]\n __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n ops_init+0x352/0x610 net/core/net_namespace.c:136\n __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n do_one_initcall+0x238/0x830 init/main.c:1236\n do_initcall_level+0x157/0x210 init/main.c:1298\n do_initcalls+0x3f/0x80 init/main.c:1314\n kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n kernel_init+0x1d/0x2a0 init/main.c:1441\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n -\u003e #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_fast include/net/sock.h:1723 [inline]\n subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:338 [inline]\n inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n sock_diag_rcv_msg+0xe7/0x410\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:47:19.247Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee" }, { "url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d" }, { "url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e" }, { "url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430" }, { "url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63" }, { "url": "https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe" } ], "title": "mptcp: fix possible deadlock in subflow diag", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26781", "datePublished": "2024-04-04T08:20:15.775Z", "dateReserved": "2024-02-19T14:20:24.177Z", "dateUpdated": "2024-12-19T08:47:19.247Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26705
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: BTLB: Fix crash when setting up BTLB at CPU bringup
When using hotplug and bringing up a 32-bit CPU, ask the firmware about the
BTLB information to set up the static (block) TLB entries.
For that write access to the static btlb_info struct is needed, but
since it is marked __ro_after_init the kernel segfaults with missing
write permissions.
Fix the crash by dropping the __ro_after_init annotation.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26705", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:48:41.158959Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:48:58.261Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:14:12.680Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/54944f45470af5965fb9c28cf962ec30f38a8f5b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/aa52be55276614d33f22fbe7da36c40d6432d10b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/913b9d443a0180cf0de3548f1ab3149378998486" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/parisc/kernel/cache.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "54944f45470af5965fb9c28cf962ec30f38a8f5b", "status": "affected", "version": "e5ef93d02d6c9cc3a14e7348481c9e41a528caa1", "versionType": "git" }, { "lessThan": "aa52be55276614d33f22fbe7da36c40d6432d10b", "status": "affected", "version": "e5ef93d02d6c9cc3a14e7348481c9e41a528caa1", "versionType": "git" }, { "lessThan": "913b9d443a0180cf0de3548f1ab3149378998486", "status": "affected", "version": "e5ef93d02d6c9cc3a14e7348481c9e41a528caa1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/parisc/kernel/cache.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.18", "versionType": "semver" }, { "lessThanOrEqual": "6.7.*", "status": "unaffected", "version": "6.7.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: BTLB: Fix crash when setting up BTLB at CPU bringup\n\nWhen using hotplug and bringing up a 32-bit CPU, ask the firmware about the\nBTLB information to set up the static (block) TLB entries.\n\nFor that write access to the static btlb_info struct is needed, but\nsince it is marked __ro_after_init the kernel segfaults with missing\nwrite permissions.\n\nFix the crash by dropping the __ro_after_init annotation." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:45:32.071Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/54944f45470af5965fb9c28cf962ec30f38a8f5b" }, { "url": "https://git.kernel.org/stable/c/aa52be55276614d33f22fbe7da36c40d6432d10b" }, { "url": "https://git.kernel.org/stable/c/913b9d443a0180cf0de3548f1ab3149378998486" } ], "title": "parisc: BTLB: Fix crash when setting up BTLB at CPU bringup", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-26705", "datePublished": "2024-04-03T14:55:08.733Z", "dateReserved": "2024-02-19T14:20:24.158Z", "dateUpdated": "2024-12-19T08:45:32.071Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.