wid-sec-w-2024-1607
Vulnerability from csaf_certbund
Published
2024-07-14 22:00
Modified
2025-01-20 23:00
Summary
Linux Kernel: Multiple Vulnerabilities
Notes
The BSI, as provider, is responsible under general law for its own content made available for use. However, users are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description
The kernel is the core of the Linux operating system.
Attack
A local attacker can exploit multiple vulnerabilities in the Linux kernel to escalate privileges, cause a denial-of-service condition, disclose confidential information, or carry out an unspecified attack.
Affected operating systems
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Der Kernel stellt den Kern des Linux Betriebssystems dar.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder einen unspezifischen Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-1607 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1607.json", }, { category: "self", summary: "WID-SEC-2024-1607 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1607", }, { category: "external", summary: "Linux CVE Announcement CVE-2023-52885 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071432-CVE-2023-52885-e934@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39494 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071259-CVE-2024-39494-119a@gregkh/", }, { category: "external", summary: "Linux CVE Announcement 
CVE-2024-39495 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071202-CVE-2024-39495-457b@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39496 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071202-CVE-2024-39496-7948@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39497 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071202-CVE-2024-39497-834c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39498 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071203-CVE-2024-39498-8421@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39499 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071203-CVE-2024-39499-ed0a@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39500 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071203-CVE-2024-39500-eba6@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39501 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071204-CVE-2024-39501-058b@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39502 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071204-CVE-2024-39502-afe9@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39503 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071204-CVE-2024-39503-e604@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39504 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071204-CVE-2024-39504-1223@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39505 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071205-CVE-2024-39505-8e03@gregkh/", }, { category: "external", summary: "Linux CVE 
Announcement CVE-2024-39506 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071205-CVE-2024-39506-b0cc@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39507 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071205-CVE-2024-39507-cbc6@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39508 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071206-CVE-2024-39508-20c3@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39509 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071206-CVE-2024-39509-fce1@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-39510 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071206-CVE-2024-39510-9f8c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40899 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071207-CVE-2024-40899-a342@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40900 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071207-CVE-2024-40900-7497@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40901 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071207-CVE-2024-40901-05c4@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40902 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071207-CVE-2024-40902-122a@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40903 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071208-CVE-2024-40903-8fd1@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40904 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071208-CVE-2024-40904-48b1@gregkh/", }, { category: "external", summary: "Linux 
CVE Announcement CVE-2024-40905 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071208-CVE-2024-40905-44f9@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40906 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071209-CVE-2024-40906-b9e3@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40907 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071209-CVE-2024-40907-5305@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40908 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071209-CVE-2024-40908-bdc0@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40909 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40909-1706@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40910 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40910-d7d9@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40911 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40911-2382@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40912 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40912-7286@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40913 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40913-5952@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40914 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40914-0e04@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40915 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071211-CVE-2024-40915-ba8c@gregkh/", }, { category: "external", summary: 
"Linux CVE Announcement CVE-2024-40916 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071211-CVE-2024-40916-845e@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40917 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071211-CVE-2024-40917-0a05@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40918 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071212-CVE-2024-40918-1830@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40919 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071212-CVE-2024-40919-2997@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40920 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071212-CVE-2024-40920-c766@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40921 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071213-CVE-2024-40921-b535@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40922 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071213-CVE-2024-40922-461c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40923 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071213-CVE-2024-40923-5e9e@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40924 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071213-CVE-2024-40924-9b9b@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40925 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071214-CVE-2024-40925-d411@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40926 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071214-CVE-2024-40926-ccdf@gregkh/", }, { category: "external", 
summary: "Linux CVE Announcement CVE-2024-40927 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071214-CVE-2024-40927-3dcb@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40928 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071215-CVE-2024-40928-0331@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40929 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071215-CVE-2024-40929-e1cb@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40930 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071215-CVE-2024-40930-f6bb@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40931 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071216-CVE-2024-40931-77b2@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40932 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071216-CVE-2024-40932-2c2a@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40933 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071216-CVE-2024-40933-04c6@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40934 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071216-CVE-2024-40934-477a@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40935 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071217-CVE-2024-40935-4226@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40936 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071217-CVE-2024-40936-c3f0@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40937 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071217-CVE-2024-40937-fecf@gregkh/", }, { category: 
"external", summary: "Linux CVE Announcement CVE-2024-40938 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071218-CVE-2024-40938-1619@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40939 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071218-CVE-2024-40939-a56c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40940 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071218-CVE-2024-40940-5b9e@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40941 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071219-CVE-2024-40941-9e5c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40942 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071219-CVE-2024-40942-4af1@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40943 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071219-CVE-2024-40943-b7ee@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40944 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071219-CVE-2024-40944-98ef@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40945 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071220-CVE-2024-40945-79e6@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40946 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071221-CVE-2024-40946-e1fd@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40947 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071221-CVE-2024-40947-4782@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40948 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071222-CVE-2024-40948-e1a6@gregkh/", }, { 
category: "external", summary: "Linux CVE Announcement CVE-2024-40949 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071222-CVE-2024-40949-2d68@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40950 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071222-CVE-2024-40950-6155@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40951 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071222-CVE-2024-40951-677c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40952 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071223-CVE-2024-40952-4ed1@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40953 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071223-CVE-2024-40953-8685@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40954 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071223-CVE-2024-40954-093b@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40955 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071224-CVE-2024-40955-43e2@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40956 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071224-CVE-2024-40956-b65d@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40957 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071224-CVE-2024-40957-94a5@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40958 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071225-CVE-2024-40958-8ed5@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40959 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071225-CVE-2024-40959-228e@gregkh/", }, 
{ category: "external", summary: "Linux CVE Announcement CVE-2024-40960 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071225-CVE-2024-40960-d46f@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40961 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071225-CVE-2024-40961-19bd@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40962 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071226-CVE-2024-40962-9b97@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40963 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071226-CVE-2024-40963-6639@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40964 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071226-CVE-2024-40964-3f0d@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40965 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071227-CVE-2024-40965-d9b9@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40966 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071227-CVE-2024-40966-cea6@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40967 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071227-CVE-2024-40967-665f@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40968 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071228-CVE-2024-40968-5127@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40969 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071228-CVE-2024-40969-6507@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40970 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071228-CVE-2024-40970-e25d@gregkh/", 
}, { category: "external", summary: "Linux CVE Announcement CVE-2024-40971 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071228-CVE-2024-40971-c7bb@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40972 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071229-CVE-2024-40972-1569@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40973 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071229-CVE-2024-40973-ace1@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40974 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071229-CVE-2024-40974-afb3@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40975 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071230-CVE-2024-40975-f7d8@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40976 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071230-CVE-2024-40976-5e52@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40977 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071230-CVE-2024-40977-07c8@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40978 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071231-CVE-2024-40978-d135@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40979 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071231-CVE-2024-40979-4cfa@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40980 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071231-CVE-2024-40980-cbeb@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40981 vom 2024-07-14", url: 
"https://lore.kernel.org/linux-cve-announce/2024071232-CVE-2024-40981-3630@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40982 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071232-CVE-2024-40982-149b@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40983 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071201-CVE-2024-40983-e1b1@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40984 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071201-CVE-2024-40984-66b2@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40985 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071248-CVE-2024-40985-875b@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40986 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071248-CVE-2024-40986-f31c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40987 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071248-CVE-2024-40987-a755@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40988 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071249-CVE-2024-40988-490e@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40989 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071249-CVE-2024-40989-c8da@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40990 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071249-CVE-2024-40990-bba5@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40991 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071250-CVE-2024-40991-34b6@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40992 vom 2024-07-14", 
url: "https://lore.kernel.org/linux-cve-announce/2024071250-CVE-2024-40992-6554@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40993 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071250-CVE-2024-40993-ee08@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40994 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071250-CVE-2024-40994-e16a@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40995 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071251-CVE-2024-40995-2a5c@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40996 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071251-CVE-2024-40996-3e04@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40997 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071251-CVE-2024-40997-df97@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40998 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071252-CVE-2024-40998-90d6@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-40999 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071252-CVE-2024-40999-8c1b@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-41000 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071252-CVE-2024-41000-7d55@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-41001 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071253-CVE-2024-41001-7879@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-41002 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071253-CVE-2024-41002-c21e@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-41003 vom 
2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071244-CVE-2024-41003-792f@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-41004 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071244-CVE-2024-41004-0ce1@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-41005 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071244-CVE-2024-41005-b2a5@gregkh/", }, { category: "external", summary: "Linux CVE Announcement CVE-2024-41006 vom 2024-07-14", url: "https://lore.kernel.org/linux-cve-announce/2024071244-CVE-2024-41006-d24b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcements vom 2024-07-14", url: "https://kernel.org", }, { category: "external", summary: "Debian Security Advisory DSA-5730 vom 2024-07-16", url: "https://lists.debian.org/debian-security-announce/2024/msg00141.html", }, { category: "external", summary: "Debian Security Advisory DSA-5731 vom 2024-07-17", url: "https://lists.debian.org/debian-security-announce/2024/msg00142.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5066 vom 2024-08-07", url: "https://access.redhat.com/errata/RHSA-2024:5066", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5067 vom 2024-08-07", url: "https://access.redhat.com/errata/RHSA-2024:5067", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2802-1 vom 2024-08-07", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019133.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5101 vom 2024-08-08", url: "https://access.redhat.com/errata/RHSA-2024:5101", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5102 vom 2024-08-08", url: "https://access.redhat.com/errata/RHSA-2024:5102", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-5101 vom 2024-08-09", url: 
"https://linux.oracle.com/errata/ELSA-2024-5101.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5266 vom 2024-08-13", url: "https://access.redhat.com/errata/RHSA-2024:5266", }, { category: "external", summary: "Debian Security Advisory DSA-5747 vom 2024-08-12", url: "https://security-tracker.debian.org/tracker/DSA-5747-1", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5257 vom 2024-08-13", url: "https://access.redhat.com/errata/RHSA-2024:5257", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12581 vom 2024-08-13", url: "https://linux.oracle.com/errata/ELSA-2024-12581.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12584 vom 2024-08-13", url: "https://linux.oracle.com/errata/ELSA-2024-12584.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12585 vom 2024-08-13", url: "https://linux.oracle.com/errata/ELSA-2024-12585.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5281 vom 2024-08-13", url: "https://access.redhat.com/errata/RHSA-2024:5281", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2893-1 vom 2024-08-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019187.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2894-1 vom 2024-08-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019182.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2896-1 vom 2024-08-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019185.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2892-1 vom 2024-08-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019188.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5282 vom 2024-08-13", url: 
"https://access.redhat.com/errata/RHSA-2024:5282", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5363 vom 2024-08-14", url: "https://access.redhat.com/errata/RHSA-2024:5363", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2901-1 vom 2024-08-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019194.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2902-1 vom 2024-08-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019193.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-5363 vom 2024-08-15", url: "https://linux.oracle.com/errata/ELSA-2024-5363.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2923-1 vom 2024-08-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019201.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2929-1 vom 2024-08-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019209.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2939-1 vom 2024-08-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019211.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2947-1 vom 2024-08-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019220.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2948-1 vom 2024-08-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019219.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2940-1 vom 2024-08-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019212.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:2973-1 vom 2024-08-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019280.html", }, { 
category: "external", summary: "Red Hat Security Advisory RHSA-2024:5673 vom 2024-08-21", url: "https://access.redhat.com/errata/RHSA-2024:5673", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5672 vom 2024-08-21", url: "https://access.redhat.com/errata/RHSA-2024:5672", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:5928 vom 2024-08-28", url: "https://access.redhat.com/errata/RHSA-2024:5928", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-5928 vom 2024-08-29", url: "https://linux.oracle.com/errata/ELSA-2024-5928.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6156 vom 2024-09-03", url: "https://access.redhat.com/errata/RHSA-2024:6156", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6160 vom 2024-09-03", url: "https://access.redhat.com/errata/RHSA-2024:6160", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6206 vom 2024-09-03", url: "https://access.redhat.com/errata/RHSA-2024:6206", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6268 vom 2024-09-04", url: "https://access.redhat.com/errata/RHSA-2024:6268", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6267 vom 2024-09-04", url: "https://access.redhat.com/errata/RHSA-2024:6267", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3194-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019400.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3190-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019403.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3189-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019404.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6567 vom 
2024-09-11", url: "https://access.redhat.com/errata/RHSA-2024:6567", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3195-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019407.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12612 vom 2024-09-12", url: "https://linux.oracle.com/errata/ELSA-2024-12612.html", }, { category: "external", summary: "Ubuntu Security Notice USN-6999-1 vom 2024-09-11", url: "https://ubuntu.com/security/notices/USN-6999-1", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-6567 vom 2024-09-12", url: "https://linux.oracle.com/errata/ELSA-2024-6567.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12618 vom 2024-09-12", url: "https://linux.oracle.com/errata/ELSA-2024-12618.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12611 vom 2024-09-11", url: "https://linux.oracle.com/errata/ELSA-2024-12611.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12610 vom 2024-09-12", url: "https://linux.oracle.com/errata/ELSA-2024-12610.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3209-1 vom 2024-09-11", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YNWVZVIFSX7PLBJX3I3PDZ4MIBERTN2Y/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6406 vom 2024-09-12", url: "https://access.redhat.com/errata/RHSA-2024:6406", }, { category: "external", summary: "Ubuntu Security Notice USN-7003-1 vom 2024-09-12", url: "https://ubuntu.com/security/notices/USN-7003-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7003-2 vom 2024-09-12", url: "https://ubuntu.com/security/notices/USN-7003-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7005-1 vom 2024-09-12", url: 
"https://ubuntu.com/security/notices/USN-7005-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7004-1 vom 2024-09-12", url: "https://ubuntu.com/security/notices/USN-7004-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7006-1 vom 2024-09-12", url: "https://ubuntu.com/security/notices/USN-7006-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3227-1 vom 2024-09-12", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019430.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3225-1 vom 2024-09-12", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019432.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7003-3 vom 2024-09-13", url: "https://ubuntu.com/security/notices/USN-7003-3", }, { category: "external", summary: "Ubuntu Security Notice USN-7007-1 vom 2024-09-13", url: "https://ubuntu.com/security/notices/USN-7007-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7008-1 vom 2024-09-13", url: "https://ubuntu.com/security/notices/USN-7008-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7005-2 vom 2024-09-13", url: "https://ubuntu.com/security/notices/USN-7005-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7009-1 vom 2024-09-13", url: "https://ubuntu.com/security/notices/USN-7009-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3249-1 vom 2024-09-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019438.html", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:6567 vom 2024-09-17", url: "https://errata.build.resf.org/RLSA-2024:6567", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3252-1 vom 2024-09-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019436.html", }, { category: "external", summary: "SUSE Security Update 
SUSE-SU-2024:3251-1 vom 2024-09-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019435.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6745 vom 2024-09-18", url: "https://access.redhat.com/errata/RHSA-2024:6745", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6744 vom 2024-09-18", url: "https://access.redhat.com/errata/RHSA-2024:6744", }, { category: "external", summary: "Ubuntu Security Notice USN-7019-1 vom 2024-09-18", url: "https://ubuntu.com/security/notices/USN-7019-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7022-1 vom 2024-09-18", url: "https://ubuntu.com/security/notices/USN-7022-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7021-1 vom 2024-09-18", url: "https://ubuntu.com/security/notices/USN-7021-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3322-1 vom 2024-09-19", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019457.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3319-1 vom 2024-09-19", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019460.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3350-1 vom 2024-09-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019479.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7007-2 vom 2024-09-23", url: "https://ubuntu.com/security/notices/USN-7007-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7028-1 vom 2024-09-23", url: "https://ubuntu.com/security/notices/USN-7028-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7029-1 vom 2024-09-23", url: "https://ubuntu.com/security/notices/USN-7029-1", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6993 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:6993", }, { 
category: "external", summary: "SUSE Security Update SUSE-SU-2024:3383-1 vom 2024-09-23", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019497.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6997 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:6997", }, { category: "external", summary: "Ubuntu Security Notice USN-7021-2 vom 2024-09-23", url: "https://ubuntu.com/security/notices/USN-7021-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7007-3 vom 2024-09-23", url: "https://ubuntu.com/security/notices/USN-7007-3", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6991 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:6991", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:6990 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:6990", }, { category: "external", summary: "Ubuntu Security Notice USN-6999-2 vom 2024-09-23", url: "https://ubuntu.com/security/notices/USN-6999-2", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3387-1 vom 2024-09-23", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019495.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3398-1 vom 2024-09-23", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019500.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:7001 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:7001", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3408-1 vom 2024-09-24", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/TGC7PQ5QNGEZWYIHCKH2KPZMGYJ4VN6B/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:7000 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:7000", }, { category: "external", summary: "Ubuntu 
Security Notice USN-7009-2 vom 2024-09-25", url: "https://ubuntu.com/security/notices/USN-7009-2", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-7000 vom 2024-09-26", url: "https://linux.oracle.com/errata/ELSA-2024-7000.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-6997 vom 2024-09-26", url: "https://linux.oracle.com/errata/ELSA-2024-6997.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7003-4 vom 2024-09-26", url: "https://ubuntu.com/security/notices/USN-7003-4", }, { category: "external", summary: "Ubuntu Security Notice USN-7021-3 vom 2024-09-26", url: "https://ubuntu.com/security/notices/USN-7021-3", }, { category: "external", summary: "Ubuntu Security Notice USN-7039-1 vom 2024-09-26", url: "https://ubuntu.com/security/notices/USN-7039-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3468-1 vom 2024-09-27", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019531.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3483-1 vom 2024-09-29", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2HO244EHQ65DPDJ2NOBAXLG7QYWSCUMA/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3483-1 vom 2024-09-29", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2HO244EHQ65DPDJ2NOBAXLG7QYWSCUMA/", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:7001 vom 2024-09-30", url: "https://errata.build.resf.org/RLSA-2024:7001", }, { category: "external", summary: "Ubuntu Security Notice USN-7022-2 vom 2024-10-01", url: "https://ubuntu.com/security/notices/USN-7022-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7003-5 vom 2024-10-01", url: "https://ubuntu.com/security/notices/USN-7003-5", }, { category: "external", summary: "Amazon Linux Security Advisory 
ALASKERNEL-5.10-2024-070 vom 2024-10-02", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-070.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2024-1947 vom 2024-10-03", url: "https://alas.aws.amazon.com/ALAS-2024-1947.html", }, { category: "external", summary: "Debian Security Advisory DSA-5782 vom 2024-10-03", url: "https://lists.debian.org/debian-security-announce/2024/msg00195.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7021-4 vom 2024-10-03", url: "https://ubuntu.com/security/notices/USN-7021-4", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2024-2642 vom 2024-10-02", url: "https://alas.aws.amazon.com/AL2/ALAS-2024-2642.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.4-2024-086 vom 2024-10-02", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-086.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.15-2024-055 vom 2024-10-02", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-055.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3553-1 vom 2024-10-08", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019560.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3551-1 vom 2024-10-08", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/Q7MIMQMCXNGMVS32KLTADYTPQCKF5HWU/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3551-1 vom 2024-10-08", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019562.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3564-1 vom 2024-10-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/R7FS3QARF7WUPH5GFL22NW3G3SDO2C7Z/", }, { category: "external", summary: "Ubuntu Security Notice USN-7022-3 vom 2024-10-10", url: 
"https://ubuntu.com/security/notices/USN-7022-3", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3561-1 vom 2024-10-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LSUY4BSWS5WR46CHS4FPBIJIRLKHRDHV/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3566-1 vom 2024-10-09", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019578.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3569-1 vom 2024-10-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6GBL67LQ3MUSYQCQRQH2AZH3XWILTO5A/", }, { category: "external", summary: "Dell Security Advisory DSA-2024-422 vom 2024-10-10", url: "https://www.dell.com/support/kbdoc/de-de/000234730/dsa-2024-422-security-update-for-dell-networker-vproxy-multiple-component-vulnerabilities", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3587-1 vom 2024-10-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019588.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3592-1 vom 2024-10-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019589.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8107 vom 2024-10-15", url: "https://access.redhat.com/errata/RHSA-2024:8107", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12779 vom 2024-10-14", url: "https://linux.oracle.com/errata/ELSA-2024-12779.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3617-1 vom 2024-10-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019595.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3623-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/TF6OKVTF5VSUGWWYIUXLV2YZK7NYELIN/", 
}, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3627-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/EDC3MOOYJCFLEYCPOKSPUCADNYIO3EGI/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3624-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/V4GVQWREKLT3NIX5GMPMO26GXLKRGTXJ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3625-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/XCWDJ4VQNWRMZU52FZIMVKO3ZX7QR3L7/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3632-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/IMA2L435Y3DOAG6IL6IEIK2SUGPOUZXD/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3636-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6PEVJU5FBJP53YMNJCB4SQC2P7VOWDEQ/", }, { category: "external", summary: "Ubuntu Security Notice USN-7069-1 vom 2024-10-16", url: "https://ubuntu.com/security/notices/USN-7069-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3639-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QREDIZHMC5MCDU7XHJHAPFFVPPIKTHWD/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8162 vom 2024-10-16", url: "https://access.redhat.com/errata/RHSA-2024:8162", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3631-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VBN5S6CN75ZWGV3ZNRLZRMQ5DF3HMBZE/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3638-1 vom 2024-10-15", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G5I2ZVAM4BJDGCYJE64AKFTDGHVIU5SH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3635-1 vom 2024-10-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BL3RXEW5VDVX6HS5GR4KUH6GDRT5OFQF/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3643-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VPMT5STAWY6BTO5OI2PZ7CG4AXOIQKZN/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3695-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MOG44NUGCSJS6Q3AKMCV3X4IK2DN6CLL/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3655-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/P4LIA2SNUYEEYDFH7Q72CHUMA7X4NIY3/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3672-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MGSVPDAL2ET3FWE6YAGBX3UOQOVXTPXB/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3666-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/EUYMTMU2SZQY2ZOCLHCYEZ2A2LJUYBHS/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3696-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YYPGEHXE3QJ5NBRD57VSRTM36AC5DISM/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3680-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4EP6HEEGSXRVOUJD4YZEG2C7DZBR6MK3/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-8162 vom 
2024-10-16", url: "https://linux.oracle.com/errata/ELSA-2024-8162.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3702-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BPAXFMRC3YVPDHRGBWET3RB7YTYFYLZW/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3679-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RDWWWR2VCADWSQCCZNNFB4VWOMZDOC63/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3700-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G3EDKBVPHAPKDJ45CNEJLJ4KGJAHJ4R7/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3694-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/Y2P3R5HQ4Z7AYZLBXUGXBJMITFENT5NV/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3697-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/A6BRGXRVSUAODD2ZZSX5GJCV46W4N5YB/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3670-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JVBPTC5SNYDIYERI2QA3SDI56HZRXTU4/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3701-1 vom 2024-10-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SVZDNTNDPAUIILRXFRA47BDSDZ3IUQTH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3708-1 vom 2024-10-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019653.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3707-1 vom 2024-10-17", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/7J6ZDLOHRJMVHJRG2ZXV377LZA73SWRG/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3710-1 vom 2024-10-17", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/CLMHYECK5YKZDDXZ7XKEL3G5JXCF5QRM/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3706-1 vom 2024-10-17", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/IUM757WJ43K7PF2K6A3UQHWG2QALK24F/", }, { category: "external", summary: "Ubuntu Security Notice USN-7069-2 vom 2024-10-17", url: "https://ubuntu.com/security/notices/USN-7069-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7028-2 vom 2024-10-17", url: "https://ubuntu.com/security/notices/USN-7028-2", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12796 vom 2024-10-21", url: "https://linux.oracle.com/errata/ELSA-2024-12796.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8318 vom 2024-10-23", url: "https://access.redhat.com/errata/RHSA-2024:8318", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:8162 vom 2024-10-25", url: "https://errata.build.resf.org/RLSA-2024:8162", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3780-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZRFC54YJNAIE647NXDXGDHFV6UDF5EPM/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8617 vom 2024-10-30", url: "https://access.redhat.com/errata/RHSA-2024:8617", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8616 vom 2024-10-30", url: "https://access.redhat.com/errata/RHSA-2024:8616", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3780-1 vom 2024-10-30", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZRFC54YJNAIE647NXDXGDHFV6UDF5EPM/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8613 vom 2024-10-30", url: "https://access.redhat.com/errata/RHSA-2024:8613", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8614 vom 2024-10-30", url: "https://access.redhat.com/errata/RHSA-2024:8614", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3833-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/46CHUG3NHK74I7NL4E3MYL6M7O72UAE6/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3793-1 vom 2024-10-30", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019702.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3806-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/I22FOLEFZIBTJBTIPHH5GXPKMIXVDSDI/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3837-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VHXZ2BQRCVWQY2AVSULS6AN56SITZ273/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3836-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/766TFTKXVWJJPZQXXTFUC5YHPETQW3AH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3831-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QK6PZZGVJB6TX4W6LKJNJW74SGTITNGD/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3815-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JIUM76237NQIAK3CP7ENKHD5EOEBDHZH/", }, { category: "external", summary: "SUSE Security 
Update SUSE-SU-2024:3835-1 vom 2024-10-30", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019721.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3829-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RMOWLUMWUZKBWNWZRVPCJY43YUOMCMJ7/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3830-1 vom 2024-10-30", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5FIXDPPFE66BKRWS3X45YHODJJ57FQRT/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3840-1 vom 2024-10-31", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/O2CG2OGLBEZR2LX5UI6PTT5NVZOFNGQH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3842-1 vom 2024-10-31", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VVJDY73ZQLYG6XTLPXQKV6DOXIBCWQNH/", }, { category: "external", summary: "Ubuntu Security Notice USN-7021-5 vom 2024-10-31", url: "https://ubuntu.com/security/notices/USN-7021-5", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3851-1 vom 2024-10-31", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/7YDAYBSAUUUZVVIKYWRRX5O6ZCOQ2K46/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3856-1 vom 2024-10-31", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2LSLV3QQQYIAV376IANSLYZETKMXDLVZ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3857-1 vom 2024-10-31", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DM3QIZHKHG7AW6EAKKMMWCCUOYK4JU3R/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3855-1 vom 2024-10-31", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HVT4PHTMBZOBVPW2CI26GVIVJNWCBTVN/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3852-1 vom 2024-10-31", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/CJCHUFTBOJTQRE24NTRP6WMCK5BGPZ3N/", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-1 vom 2024-10-31", url: "https://ubuntu.com/security/notices/USN-7088-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3860-1 vom 2024-10-31", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/UFUASUPHAEZFWXKIMGZLIZD4LHGMJ5YW/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-8617 vom 2024-10-31", url: "https://linux.oracle.com/errata/ELSA-2024-8617.html", }, { category: "external", summary: "IBM Security Bulletin", url: "https://www.ibm.com/support/pages/node/7174634", }, { category: "external", summary: "Ubuntu Security Notice USN-7089-1 vom 2024-11-01", url: "https://ubuntu.com/security/notices/USN-7089-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7090-1 vom 2024-11-01", url: "https://ubuntu.com/security/notices/USN-7090-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3882-1 vom 2024-11-04", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GBH24SQSCU7UKVSH3JGQ4YLAU2LAG7KC/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3881-1 vom 2024-11-04", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZOOTWA362J2SG2EX2CE3LPBWPJ7GVK2B/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3880-1 vom 2024-11-04", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4FKA7N5AUZ6CDGAARMRU76MNKUZHMPAH/", }, { category: "external", summary: "SUSE Security 
Update SUSE-SU-2024:3884-1 vom 2024-11-04", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HFDA5EL2PDP3X64LOHUHOMKEXWQUUF7E/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8870 vom 2024-11-05", url: "https://access.redhat.com/errata/RHSA-2024:8870", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8856 vom 2024-11-05", url: "https://access.redhat.com/errata/RHSA-2024:8856", }, { category: "external", summary: "Ubuntu Security Notice USN-7089-2 vom 2024-11-04", url: "https://ubuntu.com/security/notices/USN-7089-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-2 vom 2024-11-04", url: "https://ubuntu.com/security/notices/USN-7088-2", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-8856 vom 2024-11-06", url: "https://linux.oracle.com/errata/ELSA-2024-8856.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-3 vom 2024-11-06", url: "https://ubuntu.com/security/notices/USN-7088-3", }, { category: "external", summary: "Ubuntu Security Notice USN-7095-1 vom 2024-11-07", url: "https://ubuntu.com/security/notices/USN-7095-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7089-3 vom 2024-11-07", url: "https://ubuntu.com/security/notices/USN-7089-3", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:8617 vom 2024-11-08", url: "https://errata.build.resf.org/RLSA-2024:8617", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:8870 vom 2024-11-08", url: "https://errata.build.resf.org/RLSA-2024:8870", }, { category: "external", summary: "Ubuntu Security Notice USN-7100-1 vom 2024-11-11", url: "https://ubuntu.com/security/notices/USN-7100-1", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:9497 vom 2024-11-13", url: "https://access.redhat.com/errata/RHSA-2024:9497", }, { category: "external", summary: "Red Hat 
Security Advisory RHSA-2024:9315 vom 2024-11-12", url: "https://access.redhat.com/errata/RHSA-2024:9315", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:9498 vom 2024-11-13", url: "https://access.redhat.com/errata/RHSA-2024:9498", }, { category: "external", summary: "Ubuntu Security Notice USN-7100-2 vom 2024-11-12", url: "https://ubuntu.com/security/notices/USN-7100-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7089-4 vom 2024-11-13", url: "https://ubuntu.com/security/notices/USN-7089-4", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:9546 vom 2024-11-13", url: "https://access.redhat.com/errata/RHSA-2024:9546", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3985-1 vom 2024-11-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KB6DG7QR5KXDQRV57H4IY2TB2LW42K4S/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3983-1 vom 2024-11-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QUOFKELDJYP3JMHIXPCVKVI4REVXAKTX/", }, { category: "external", summary: "Ubuntu Security Notice USN-7110-1 vom 2024-11-14", url: "https://ubuntu.com/security/notices/USN-7110-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-5 vom 2024-11-14", url: "https://ubuntu.com/security/notices/USN-7088-5", }, { category: "external", summary: "Ubuntu Security Notice USN-7089-5 vom 2024-11-14", url: "https://ubuntu.com/security/notices/USN-7089-5", }, { category: "external", summary: "Ubuntu Security Notice USN-7089-6 vom 2024-11-15", url: "https://ubuntu.com/security/notices/USN-7089-6", }, { category: "external", summary: "Ubuntu Security Notice USN-7089-7 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7089-7", }, { category: "external", summary: "Ubuntu Security Notice USN-7119-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7119-1", 
}, { category: "external", summary: "Ubuntu Security Notice USN-7123-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7123-1", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10262 vom 2024-11-26", url: "https://access.redhat.com/errata/RHSA-2024:10262", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4100-1 vom 2024-11-28", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019864.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4128-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019880.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4127-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019881.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4139-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019889.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4123-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019884.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4122-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019885.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4124-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019883.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4125-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019882.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10773 vom 2024-12-04", url: "https://access.redhat.com/errata/RHSA-2024:10773", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10771 vom 
2024-12-04", url: "https://access.redhat.com/errata/RHSA-2024:10771", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10772 vom 2024-12-04", url: "https://access.redhat.com/errata/RHSA-2024:10772", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4207-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KHOJJYPB3I2C5FKMLHD5WFCQI342KAXA/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4218-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4UVNDL3CU4NHVPE7QELR2N5HRCDSMYEV/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12851 vom 2024-12-05", url: "http://linux.oracle.com/errata/ELSA-2024-12851.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4209-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VJP47EXIE7RQJ2MRSR6HYMNI52GICWOP/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4210-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/67TGK2LDMDGINETA7HTYVAUONB6OAZD5/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4208-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HJOOCIMJWVQXHEUVET7W2XBWXJY6XR6M/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4214-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/P4UZ4KLYIQHACIYR7LE2ANITUCPLWFYS/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4216-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KZC5ZXKVE5JSNEKEAICAO52WN7SOJCTX/", }, { category: "external", summary: "SUSE Security 
Update SUSE-SU-2024:4234-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/B6RMLGICBLD3BNXSBS7J23W3GCEJMFJA/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4228-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SUCQUP757AUWMZNCNQ2DGQICEYBRZUIC/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4236-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ODASOBSBN3UUGHNO44MK2K4MC35CPLXJ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4243-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GDL3TRRFKGYVQIW7MMTUJS76GCW7B3JZ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4235-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LIMMCWFWYJUMJTABZZ7ZEYXOOVE5BZY7/", }, { category: "external", summary: "Ubuntu Security Notice USN-7144-1 vom 2024-12-09", url: "https://ubuntu.com/security/notices/USN-7144-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4266-1 vom 2024-12-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RRJRAM3LFR4MNOHCFB2XIOS6OJUDNUPE/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4262-1 vom 2024-12-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AF5MYHVYCHCM3AIO34JSXWJNP2WUCOHS/", }, { category: "external", summary: "ORACLE OVMSA-2024-0016 vom 2024-12-10", url: "https://oss.oracle.com/pipermail/oraclevm-errata/2024-December/001104.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4275-1 vom 2024-12-10", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YTZ2WGLML4Q6E3IG32UCJ6NFIDUTWN22/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4275-1 vom 2024-12-10", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTZ2WGLML4Q6E3IG32UCJ6NFIDUTWN22/", }, { category: "external", summary: "Ubuntu Security Notice USN-7156-1 vom 2024-12-12", url: "https://ubuntu.com/security/notices/USN-7156-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4314-1 vom 2024-12-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SARXL66CQHD5VSFG5PUBNBVBPVFUN4KT/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4316-1 vom 2024-12-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/S4I5Z6ALCJLHTP25U3HMJHEXN4DR2USM/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4315-1 vom 2024-12-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LQPWDP54GSTHYCV4CTCOE67D2ANVPPUW/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4318-1 vom 2024-12-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019999.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12884 vom 2024-12-17", url: "https://linux.oracle.com/errata/ELSA-2024-12884.html", }, { category: "external", summary: "IBM Security Bulletin 7179055 vom 2024-12-16", url: "https://www.ibm.com/support/pages/node/7179055", }, { category: "external", summary: "IBM Security Bulletin 7179045 vom 2024-12-16", url: "https://www.ibm.com/support/pages/node/7179045", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:11313 vom 2024-12-18", url: "https://access.redhat.com/errata/RHSA-2024:11313", }, { category: "external", summary: "SUSE Security Update 
SUSE-SU-2024:4364-1 vom 2024-12-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020019.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7173-1 vom 2024-12-17", url: "https://ubuntu.com/security/notices/USN-7173-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4376-1 vom 2024-12-18", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020028.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:11482 vom 2024-12-19", url: "https://access.redhat.com/errata/RHSA-2024:11482", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:11483 vom 2024-12-19", url: "https://access.redhat.com/errata/RHSA-2024:11483", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4376-1 vom 2024-12-18", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/WFOJHFFEHK42VPQ6XLZWB77H5OEJ3FF4/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4376-1 vom 2024-12-18", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WFOJHFFEHK42VPQ6XLZWB77H5OEJ3FF4/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12887 vom 2024-12-18", url: "https://linux.oracle.com/errata/ELSA-2024-12887.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4387-1 vom 2024-12-19", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020032.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7173-2 vom 2024-12-20", url: "https://ubuntu.com/security/notices/USN-7173-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7179-1 vom 2024-12-20", url: "https://ubuntu.com/security/notices/USN-7179-1", }, { category: "external", summary: "Debian Security Advisory DLA-4008 vom 2025-01-03", url: "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html", }, 
{ category: "external", summary: "Ubuntu Security Notice USN-7183-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7183-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7184-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7184-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7186-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7186-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7179-2 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7179-2", }, { category: "external", summary: "IBM Security Bulletin 7180361 vom 2025-01-07", url: "https://www.ibm.com/support/pages/node/7180361", }, { category: "external", summary: "Ubuntu Security Notice USN-7179-3 vom 2025-01-07", url: "https://ubuntu.com/security/notices/USN-7179-3", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0034-1 vom 2025-01-08", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020071.html", }, { category: "external", summary: "Juniper Security Advisory JSA92874 vom 2024-01-09", url: "https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-Space-Multiple-vulnerabilities-resolved-in-24-1R2-release", }, { category: "external", summary: "Ubuntu Security Notice USN-7186-2 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7186-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7185-2 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7185-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7195-1 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7195-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7194-1 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7194-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0084-1 vom 2025-01-14", url: 
"https://lists.suse.com/pipermail/sle-security-updates/2025-January/020104.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-9315 vom 2025-01-13", url: "https://oss.oracle.com/pipermail/el-errata/2025-January/017000.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0109-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020110.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7195-2 vom 2025-01-14", url: "https://ubuntu.com/security/notices/USN-7195-2", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0107-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020112.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0114-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YC7MKFCHLBJHUQM2SLPOGVG4DUWP2J4E/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0110-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PLWCG227VUGPKNXHW6FOCW727UUPVLLU/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0111-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2IXCN5JTEUUWORLKQVOQYQKMHTJ73CSG/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0115-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VK2D63Q2FKHJWXOLVAS7HPIWURVL3MQQ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0124-1 vom 2025-01-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020125.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7173-3 vom 2025-01-15", url: "https://ubuntu.com/security/notices/USN-7173-3", }, { category: 
"external", summary: "SUSE Security Update SUSE-SU-2025:0146-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/C6ANXHEO54VUUFEWI6QYB2M3L2SS7OOW/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0150-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/USHZQFRYGMLVCVQRQLPH4FARDBDAEC6G/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0138-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ET3TDUWYDTZV554NRC7LB5HGM4TCIIGZ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0164-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020153.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0168-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020165.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0158-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020154.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0188-1 vom 2025-01-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020169.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0187-1 vom 2025-01-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020170.html", }, ], source_lang: "en-US", title: "Linux Kernel: Mehrere Schwachstellen", tracking: { current_release_date: "2025-01-20T23:00:00.000+00:00", generator: { date: "2025-01-21T09:10:30.277+00:00", engine: { name: "BSI-WID", version: "1.3.10", }, }, id: "WID-SEC-W-2024-1607", initial_release_date: "2024-07-14T22:00:00.000+00:00", revision_history: [ { date: "2024-07-14T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { 
date: "2024-07-15T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Debian aufgenommen", }, { date: "2024-07-16T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Debian aufgenommen", }, { date: "2024-08-06T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-08-07T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-08-11T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-08-12T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Red Hat und Debian aufgenommen", }, { date: "2024-08-13T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Red Hat und SUSE aufgenommen", }, { date: "2024-08-14T22:00:00.000+00:00", number: "9", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-08-15T22:00:00.000+00:00", number: "10", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-08-18T22:00:00.000+00:00", number: "11", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-08-19T22:00:00.000+00:00", number: "12", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-08-20T22:00:00.000+00:00", number: "13", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-08-28T22:00:00.000+00:00", number: "14", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-08-29T22:00:00.000+00:00", number: "15", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-09-02T22:00:00.000+00:00", number: "16", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-09-03T22:00:00.000+00:00", number: "17", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-09-10T22:00:00.000+00:00", number: "18", summary: "Neue Updates von SUSE und Red Hat aufgenommen", }, { date: "2024-09-11T22:00:00.000+00:00", number: "19", summary: "Neue Updates von Oracle Linux, Ubuntu, SUSE und Red Hat aufgenommen", }, { date: 
"2024-09-12T22:00:00.000+00:00", number: "20", summary: "Neue Updates von Ubuntu und SUSE aufgenommen", }, { date: "2024-09-15T22:00:00.000+00:00", number: "21", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-09-16T22:00:00.000+00:00", number: "22", summary: "Neue Updates von SUSE und Rocky Enterprise Software Foundation aufgenommen", }, { date: "2024-09-17T22:00:00.000+00:00", number: "23", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-09-18T22:00:00.000+00:00", number: "24", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-09-19T22:00:00.000+00:00", number: "25", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-09-22T22:00:00.000+00:00", number: "26", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-09-23T22:00:00.000+00:00", number: "27", summary: "Neue Updates von Ubuntu, Red Hat und SUSE aufgenommen", }, { date: "2024-09-24T22:00:00.000+00:00", number: "28", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-09-25T22:00:00.000+00:00", number: "29", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-09-26T22:00:00.000+00:00", number: "30", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-09-29T22:00:00.000+00:00", number: "31", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-09-30T22:00:00.000+00:00", number: "32", summary: "Neue Updates von Rocky Enterprise Software Foundation aufgenommen", }, { date: "2024-10-01T22:00:00.000+00:00", number: "33", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-10-03T22:00:00.000+00:00", number: "34", summary: "Neue Updates von Amazon, Debian und Ubuntu aufgenommen", }, { date: "2024-10-08T22:00:00.000+00:00", number: "35", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-10-09T22:00:00.000+00:00", number: "36", summary: "Neue Updates von SUSE und Ubuntu aufgenommen", }, { date: "2024-10-10T22:00:00.000+00:00", number: "37", summary: "Neue Updates 
von SUSE aufgenommen", }, { date: "2024-10-14T22:00:00.000+00:00", number: "38", summary: "Neue Updates von Red Hat, Oracle Linux und SUSE aufgenommen", }, { date: "2024-10-15T22:00:00.000+00:00", number: "39", summary: "Neue Updates von SUSE, Ubuntu und Red Hat aufgenommen", }, { date: "2024-10-16T22:00:00.000+00:00", number: "40", summary: "Neue Updates von SUSE und Oracle Linux aufgenommen", }, { date: "2024-10-17T22:00:00.000+00:00", number: "41", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-10-21T22:00:00.000+00:00", number: "42", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-10-23T22:00:00.000+00:00", number: "43", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-10-27T23:00:00.000+00:00", number: "44", summary: "Neue Updates von Rocky Enterprise Software Foundation aufgenommen", }, { date: "2024-10-29T23:00:00.000+00:00", number: "45", summary: "Neue Updates von SUSE und Red Hat aufgenommen", }, { date: "2024-10-30T23:00:00.000+00:00", number: "46", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-10-31T23:00:00.000+00:00", number: "47", summary: "Neue Updates von SUSE, Ubuntu und Oracle Linux aufgenommen", }, { date: "2024-11-03T23:00:00.000+00:00", number: "48", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-04T23:00:00.000+00:00", number: "49", summary: "Neue Updates von Red Hat und Ubuntu aufgenommen", }, { date: "2024-11-05T23:00:00.000+00:00", number: "50", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-11-06T23:00:00.000+00:00", number: "51", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-10T23:00:00.000+00:00", number: "52", summary: "Neue Updates von Rocky Enterprise Software Foundation aufgenommen", }, { date: "2024-11-11T23:00:00.000+00:00", number: "53", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-12T23:00:00.000+00:00", number: "54", summary: "Neue Updates von Red Hat und Ubuntu 
aufgenommen", }, { date: "2024-11-13T23:00:00.000+00:00", number: "55", summary: "Neue Updates von Red Hat und SUSE aufgenommen", }, { date: "2024-11-14T23:00:00.000+00:00", number: "56", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-19T23:00:00.000+00:00", number: "57", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-20T23:00:00.000+00:00", number: "58", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-25T23:00:00.000+00:00", number: "59", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-11-28T23:00:00.000+00:00", number: "60", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-02T23:00:00.000+00:00", number: "61", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-03T23:00:00.000+00:00", number: "62", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-12-05T23:00:00.000+00:00", number: "63", summary: "Neue Updates von SUSE und Oracle Linux aufgenommen", }, { date: "2024-12-08T23:00:00.000+00:00", number: "64", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-09T23:00:00.000+00:00", number: "65", summary: "Neue Updates von Ubuntu und SUSE aufgenommen", }, { date: "2024-12-10T23:00:00.000+00:00", number: "66", summary: "Neue Updates von ORACLE und SUSE aufgenommen", }, { date: "2024-12-12T23:00:00.000+00:00", number: "67", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-12-15T23:00:00.000+00:00", number: "68", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-16T23:00:00.000+00:00", number: "69", summary: "Neue Updates von Oracle Linux und IBM aufgenommen", }, { date: "2024-12-17T23:00:00.000+00:00", number: "70", summary: "Neue Updates von Red Hat, SUSE und Ubuntu aufgenommen", }, { date: "2024-12-18T23:00:00.000+00:00", number: "71", summary: "Neue Updates von SUSE, Red Hat und Oracle Linux aufgenommen", }, { date: "2024-12-19T23:00:00.000+00:00", number: "72", summary: "Neue Updates von SUSE 
aufgenommen", }, { date: "2024-12-22T23:00:00.000+00:00", number: "73", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-02T23:00:00.000+00:00", number: "74", summary: "Neue Updates von Debian aufgenommen", }, { date: "2025-01-06T23:00:00.000+00:00", number: "75", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-07T23:00:00.000+00:00", number: "76", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-08T23:00:00.000+00:00", number: "77", summary: "Neue Updates von SUSE und Juniper aufgenommen", }, { date: "2025-01-09T23:00:00.000+00:00", number: "78", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-13T23:00:00.000+00:00", number: "79", summary: "Neue Updates von SUSE und Oracle Linux aufgenommen", }, { date: "2025-01-14T23:00:00.000+00:00", number: "80", summary: "Neue Updates von SUSE und Ubuntu aufgenommen", }, { date: "2025-01-15T23:00:00.000+00:00", number: "81", summary: "Neue Updates von SUSE und Ubuntu aufgenommen", }, { date: "2025-01-16T23:00:00.000+00:00", number: "82", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-19T23:00:00.000+00:00", number: "83", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-20T23:00:00.000+00:00", number: "84", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "84", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Debian Linux", product: { name: "Debian Linux", product_id: "2951", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:-", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { branches: [ { category: "product_version_range", name: "<7.5.0 UP10 IF01", product: { name: "IBM QRadar SIEM 
<7.5.0 UP10 IF01", product_id: "T038741", }, }, { category: "product_version", name: "7.5.0 UP10 IF01", product: { name: "IBM QRadar SIEM 7.5.0 UP10 IF01", product_id: "T038741-fixed", product_identification_helper: { cpe: "cpe:/a:ibm:qradar_siem:7.5.0_up10_if01", }, }, }, ], category: "product_name", name: "QRadar SIEM", }, { branches: [ { category: "product_version_range", name: "<10.1.6.4", product: { name: "IBM Spectrum Protect Plus <10.1.6.4", product_id: "T040030", }, }, { category: "product_version", name: "10.1.6.4", product: { name: "IBM Spectrum Protect Plus 10.1.6.4", product_id: "T040030-fixed", product_identification_helper: { cpe: "cpe:/a:ibm:spectrum_protect_plus:10.1.6.4", }, }, }, ], category: "product_name", name: "Spectrum Protect Plus", }, { branches: [ { category: "product_version_range", name: "<6.1.9.5", product: { name: "IBM Storage Scale <6.1.9.5", product_id: "T039851", }, }, { category: "product_version", name: "6.1.9.5", product: { name: "IBM Storage Scale 6.1.9.5", product_id: "T039851-fixed", product_identification_helper: { cpe: "cpe:/a:ibm:spectrum_scale:6.1.9.5", }, }, }, { category: "product_version_range", name: "<6.2.2.0", product: { name: "IBM Storage Scale <6.2.2.0", product_id: "T039852", }, }, { category: "product_version", name: "6.2.2.0", product: { name: "IBM Storage Scale 6.2.2.0", product_id: "T039852-fixed", product_identification_helper: { cpe: "cpe:/a:ibm:spectrum_scale:6.2.2.0", }, }, }, ], category: "product_name", name: "Storage Scale", }, ], category: "vendor", name: "IBM", }, { branches: [ { branches: [ { category: "product_version_range", name: "<24.1R2", product: { name: "Juniper Junos Space <24.1R2", product_id: "T040074", }, }, { category: "product_version", name: "24.1R2", product: { name: "Juniper Junos Space 24.1R2", product_id: "T040074-fixed", product_identification_helper: { cpe: "cpe:/a:juniper:junos_space:24.1r2", }, }, }, ], category: "product_name", name: "Junos Space", }, ], category: "vendor", 
name: "Juniper", }, { branches: [ { category: "product_name", name: "Open Source Linux Kernel", product: { name: "Open Source Linux Kernel", product_id: "T033473", product_identification_helper: { cpe: "cpe:/o:linux:linux_kernel:-", }, }, }, ], category: "vendor", name: "Open Source", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, { branches: [ { category: "product_version", name: "3", product: { name: "Oracle VM 3", product_id: "T030927", product_identification_helper: { cpe: "cpe:/a:oracle:vm:3", }, }, }, ], category: "product_name", name: "VM", }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "RESF Rocky Linux", product: { name: "RESF Rocky Linux", product_id: "T032255", product_identification_helper: { cpe: "cpe:/o:resf:rocky_linux:-", }, }, }, ], category: "vendor", name: "RESF", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2023-52885", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2023-52885", }, { cve: "CVE-2024-39494", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39494", }, { cve: "CVE-2024-39495", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39495", }, { cve: "CVE-2024-39496", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39496", }, { cve: "CVE-2024-39497", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39497", }, { cve: "CVE-2024-39498", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39498", }, { cve: "CVE-2024-39499", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39499", }, { cve: "CVE-2024-39500", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39500", }, { cve: "CVE-2024-39501", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39501", }, { cve: "CVE-2024-39502", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39502", }, { cve: "CVE-2024-39503", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39503", }, { cve: "CVE-2024-39504", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39504", }, { cve: "CVE-2024-39505", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39505", }, { cve: "CVE-2024-39506", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39506", }, { cve: "CVE-2024-39507", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39507", }, { cve: "CVE-2024-39508", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39508", }, { cve: "CVE-2024-39509", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39509", }, { cve: "CVE-2024-39510", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-39510", }, { cve: "CVE-2024-40899", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40899", }, { cve: "CVE-2024-40900", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40900", }, { cve: "CVE-2024-40901", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40901", }, { cve: "CVE-2024-40902", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40902", }, { cve: "CVE-2024-40903", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40903", }, { cve: "CVE-2024-40904", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40904", }, { cve: "CVE-2024-40905", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40905", }, { cve: "CVE-2024-40906", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40906", }, { cve: "CVE-2024-40907", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40907", }, { cve: "CVE-2024-40908", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40908", }, { cve: "CVE-2024-40909", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40909", }, { cve: "CVE-2024-40910", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40910", }, { cve: "CVE-2024-40911", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40911", }, { cve: "CVE-2024-40912", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40912", }, { cve: "CVE-2024-40913", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40913", }, { cve: "CVE-2024-40914", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40914", }, { cve: "CVE-2024-40915", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40915", }, { cve: "CVE-2024-40916", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40916", }, { cve: "CVE-2024-40917", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40917", }, { cve: "CVE-2024-40918", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40918", }, { cve: "CVE-2024-40919", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40919", }, { cve: "CVE-2024-40920", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40920", }, { cve: "CVE-2024-40921", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40921", }, { cve: "CVE-2024-40922", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. These flaws exist in multiple components and subsystems such as cache files, Ionic or WiFi, caused among other things by several security-relevant issues such as a use-after-free, a NULL pointer dereference or a memory leak, and more. A local attacker can exploit these vulnerabilities to escalate their privileges, cause a denial-of-service condition, disclose confidential information, or carry out an attack with unknown impact.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40922", }, { cve: "CVE-2024-40923", notes: [ { category: "description", text: "There are multiple vulnerabilities in the Linux kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40923", }, { cve: "CVE-2024-40924", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40924", }, { cve: "CVE-2024-40925", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40925", }, { cve: "CVE-2024-40926", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40926", }, { cve: "CVE-2024-40927", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40927", }, { cve: "CVE-2024-40928", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40928", }, { cve: "CVE-2024-40929", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40929", }, { cve: "CVE-2024-40930", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40930", }, { cve: "CVE-2024-40931", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40931", }, { cve: "CVE-2024-40932", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40932", }, { cve: "CVE-2024-40933", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40933", }, { cve: "CVE-2024-40934", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40934", }, { cve: "CVE-2024-40935", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40935", }, { cve: "CVE-2024-40936", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40936", }, { cve: "CVE-2024-40937", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40937", }, { cve: "CVE-2024-40938", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40938", }, { cve: "CVE-2024-40939", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40939", }, { cve: "CVE-2024-40940", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40940", }, { cve: "CVE-2024-40941", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40941", }, { cve: "CVE-2024-40942", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40942", }, { cve: "CVE-2024-40943", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40943", }, { cve: "CVE-2024-40944", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40944", }, { cve: "CVE-2024-40945", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40945", }, { cve: "CVE-2024-40946", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40946", }, { cve: "CVE-2024-40947", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40947", }, { cve: "CVE-2024-40948", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40948", }, { cve: "CVE-2024-40949", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40949", }, { cve: "CVE-2024-40950", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40950", }, { cve: "CVE-2024-40951", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40951", }, { cve: "CVE-2024-40952", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40952", }, { cve: "CVE-2024-40953", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40953", }, { cve: "CVE-2024-40954", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40954", }, { cve: "CVE-2024-40955", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40955", }, { cve: "CVE-2024-40956", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40956", }, { cve: "CVE-2024-40957", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40957", }, { cve: "CVE-2024-40958", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40958", }, { cve: "CVE-2024-40959", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40959", }, { cve: "CVE-2024-40960", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40960", }, { cve: "CVE-2024-40961", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40961", }, { cve: "CVE-2024-40962", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40962", }, { cve: "CVE-2024-40963", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40963", }, { cve: "CVE-2024-40964", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40964", }, { cve: "CVE-2024-40965", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40965", }, { cve: "CVE-2024-40966", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40966", }, { cve: "CVE-2024-40967", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40967", }, { cve: "CVE-2024-40968", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40968", }, { cve: "CVE-2024-40969", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40969", }, { cve: "CVE-2024-40970", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40970", }, { cve: "CVE-2024-40971", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40971", }, { cve: "CVE-2024-40972", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40972", }, { cve: "CVE-2024-40973", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40973", }, { cve: "CVE-2024-40974", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40974", }, { cve: "CVE-2024-40975", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40975", }, { cve: "CVE-2024-40976", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40976", }, { cve: "CVE-2024-40977", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40977", }, { cve: "CVE-2024-40978", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40978", }, { cve: "CVE-2024-40979", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40979", }, { cve: "CVE-2024-40980", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40980", }, { cve: "CVE-2024-40981", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40981", }, { cve: "CVE-2024-40982", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40982", }, { cve: "CVE-2024-40983", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40983", }, { cve: "CVE-2024-40984", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40984", }, { cve: "CVE-2024-40985", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40985", }, { cve: "CVE-2024-40986", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40986", }, { cve: "CVE-2024-40987", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40987", }, { cve: "CVE-2024-40988", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40988", }, { cve: "CVE-2024-40989", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40989", }, { cve: "CVE-2024-40990", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40990", }, { cve: "CVE-2024-40991", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40991", }, { cve: "CVE-2024-40992", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40992", }, { cve: "CVE-2024-40993", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40993", }, { cve: "CVE-2024-40994", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40994", }, { cve: "CVE-2024-40995", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40995", }, { cve: "CVE-2024-40996", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40996", }, { cve: "CVE-2024-40997", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40997", }, { cve: "CVE-2024-40998", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40998", }, { cve: "CVE-2024-40999", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-40999", }, { cve: "CVE-2024-41000", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41000", }, { cve: "CVE-2024-41001", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41001", }, { cve: "CVE-2024-41002", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41002", }, { cve: "CVE-2024-41003", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41003", }, { cve: "CVE-2024-41004", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41004", }, { cve: "CVE-2024-41005", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41005", }, { cve: "CVE-2024-41006", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41006", }, { cve: "CVE-2024-41007", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Cachedateien, Ionic oder WiFi, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer NULL- Pointer-Dereferenz oder einem Speicherleck und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen offenzulegen oder um einen Angriff mit unbekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "67646", "T004914", "T032255", "T033473", "T038741", "T039852", "T039851", "T040030", "T040074", "2951", "T002207", "T000126", "398363", "T030927", ], }, release_date: "2024-07-14T22:00:00.000+00:00", title: "CVE-2024-41007", }, ], }
cve-2024-40917
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2025-01-17 13:26
Summary
In the Linux kernel, the following vulnerability has been resolved:

memblock: make memblock_set_node() also warn about use of MAX_NUMNODES

On an (old) x86 system with SRAT just covering space above 4Gb:

  ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0xfffffffff] hotplug

the commit referenced below leads to this NUMA configuration no longer
being refused by a CONFIG_NUMA=y kernel (previously

  NUMA: nodes only cover 6144MB of your 8185MB e820 RAM. Not used.
  No NUMA configuration found
  Faking a node at [mem 0x0000000000000000-0x000000027fffffff]

was seen in the log directly after the message quoted above), because of
memblock_validate_numa_coverage() checking for NUMA_NO_NODE (only). This
in turn led to memblock_alloc_range_nid()'s warning about MAX_NUMNODES
triggering, followed by a NULL deref in memmap_init() when trying to
access node 64's (NODE_SHIFT=6) node data.

To compensate said change, make memblock_set_node() warn on and adjust
a passed in value of MAX_NUMNODES, just like various other functions
already do.
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.350Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/22f742b8f738918f683198a18ec3c691acda14c4", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e0eec24e2e199873f43df99ec39773ad3af2bff7", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40917", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:43.202207Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:04.005Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/memblock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4ddb7f966f3d06fcf1ba5ee298af6714b593584b", status: "affected", version: "6fdc770506eb8379bf68a49d4e193c8364ac64e0", versionType: "git", }, { lessThan: "22f742b8f738918f683198a18ec3c691acda14c4", status: "affected", version: "ff6c3d81f2e86b63a3a530683f89ef393882782a", versionType: "git", }, { lessThan: "e0eec24e2e199873f43df99ec39773ad3af2bff7", status: "affected", version: "ff6c3d81f2e86b63a3a530683f89ef393882782a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/memblock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.72", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", 
version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmemblock: make memblock_set_node() also warn about use of MAX_NUMNODES\n\nOn an (old) x86 system with SRAT just covering space above 4Gb:\n\n ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0xfffffffff] hotplug\n\nthe commit referenced below leads to this NUMA configuration no longer\nbeing refused by a CONFIG_NUMA=y kernel (previously\n\n NUMA: nodes only cover 6144MB of your 8185MB e820 RAM. Not used.\n No NUMA configuration found\n Faking a node at [mem 0x0000000000000000-0x000000027fffffff]\n\nwas seen in the log directly after the message quoted above), because of\nmemblock_validate_numa_coverage() checking for NUMA_NO_NODE (only). This\nin turn led to memblock_alloc_range_nid()'s warning about MAX_NUMNODES\ntriggering, followed by a NULL deref in memmap_init() when trying to\naccess node 64's (NODE_SHIFT=6) node data.\n\nTo compensate said change, make memblock_set_node() warn on and adjust\na passed in value of MAX_NUMNODES, just like various other functions\nalready do.", }, ], providerMetadata: { dateUpdated: "2025-01-17T13:26:57.833Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4ddb7f966f3d06fcf1ba5ee298af6714b593584b", }, { url: "https://git.kernel.org/stable/c/22f742b8f738918f683198a18ec3c691acda14c4", }, { url: "https://git.kernel.org/stable/c/e0eec24e2e199873f43df99ec39773ad3af2bff7", }, ], title: "memblock: make memblock_set_node() also warn about use of MAX_NUMNODES", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40917", datePublished: "2024-07-12T12:25:00.175Z", dateReserved: 
"2024-07-12T12:17:45.581Z", dateUpdated: "2025-01-17T13:26:57.833Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40975
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2025-01-17 15:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: x86-android-tablets: Unregister devices in reverse order

Not all subsystems support a device getting removed while there are
still consumers of the device with a reference to the device.

One example of this is the regulator subsystem. If a regulator gets
unregistered while there are still drivers holding a reference
a WARN() at drivers/regulator/core.c:5829 triggers, e.g.:

  WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister
  Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015
  RIP: 0010:regulator_unregister
  Call Trace:
  <TASK>
  regulator_unregister
  devres_release_group
  i2c_device_remove
  device_release_driver_internal
  bus_remove_device
  device_del
  device_unregister
  x86_android_tablet_remove

On the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides
a 5V boost converter output for powering USB devices connected to the micro
USB port, the bq24190-charger driver exports this as a Vbus regulator.

On the 830 (8") and 1050 ("10") models this regulator is controlled by
a platform_device and x86_android_tablet_remove() removes platform_device-s
before i2c_clients so the consumer gets removed first.

But on the 1380 (13") model there is a lc824206xa micro-USB switch
connected over I2C and the extcon driver for that controls the regulator.
The bq24190 i2c-client *must* be registered first, because that creates
the regulator with the lc824206xa listed as its consumer. If the regulator
has not been registered yet the lc824206xa driver will end up getting
a dummy regulator.

Since in this case both the regulator provider and consumer are I2C
devices, the only way to ensure that the consumer is unregistered first
is to unregister the I2C devices in reverse order of in which they were
created.

For consistency and to avoid similar problems in the future change
x86_android_tablet_remove() to unregister all device types in reverse
order.
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.058Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40975", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:40.847310Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:22.108Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/platform/x86/x86-android-tablets/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "36ff963c133a25ed1166a25c3ba8b357ea010fda", status: "affected", version: "55fa3c9665bfcf32b21af8ecdeb48d5c5177d8d7", versionType: "git", }, { lessThan: "f0c982853d665597d17e4995ff479fbbf79a9cf6", status: "affected", version: "55fa3c9665bfcf32b21af8ecdeb48d5c5177d8d7", versionType: "git", }, { lessThan: "3de0f2627ef849735f155c1818247f58404dddfe", status: "affected", version: "55fa3c9665bfcf32b21af8ecdeb48d5c5177d8d7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/platform/x86/x86-android-tablets/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", 
versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\n\nNot all subsystems support a device getting removed while there are\nstill consumers of the device with a reference to the device.\n\nOne example of this is the regulator subsystem. If a regulator gets\nunregistered while there are still drivers holding a reference\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\n\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\n RIP: 0010:regulator_unregister\n Call Trace:\n <TASK>\n regulator_unregister\n devres_release_group\n i2c_device_remove\n device_release_driver_internal\n bus_remove_device\n device_del\n device_unregister\n x86_android_tablet_remove\n\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\na 5V boost converter output for powering USB devices connected to the micro\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\n\nOn the 830 (8\") and 1050 (\"10\") models this regulator is controlled by\na platform_device and x86_android_tablet_remove() removes platform_device-s\nbefore i2c_clients so the consumer gets removed first.\n\nBut on the 1380 (13\") model there is a lc824206xa micro-USB switch\nconnected over I2C and the extcon driver for that controls the regulator.\nThe bq24190 i2c-client *must* be registered first, because that creates\nthe regulator with the lc824206xa listed as its consumer. 
If the regulator\nhas not been registered yet the lc824206xa driver will end up getting\na dummy regulator.\n\nSince in this case both the regulator provider and consumer are I2C\ndevices, the only way to ensure that the consumer is unregistered first\nis to unregister the I2C devices in reverse order of in which they were\ncreated.\n\nFor consistency and to avoid similar problems in the future change\nx86_android_tablet_remove() to unregister all device types in reverse\norder.", }, ], providerMetadata: { dateUpdated: "2025-01-17T15:56:07.338Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/36ff963c133a25ed1166a25c3ba8b357ea010fda", }, { url: "https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6", }, { url: "https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe", }, ], title: "platform/x86: x86-android-tablets: Unregister devices in reverse order", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40975", datePublished: "2024-07-12T12:32:12.099Z", dateReserved: "2024-07-12T12:17:45.603Z", dateUpdated: "2025-01-17T15:56:07.338Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39496
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix use-after-free due to race with dev replace

While loading a zone's info during creation of a block group, we can race
with a device replace operation and then trigger a use-after-free on the
device that was just replaced (source device of the replace operation).

This happens because at btrfs_load_zone_info() we extract a device from
the chunk map into a local variable and then use the device while not
under the protection of the device replace rwsem. So if there's a device
replace operation happening when we extract the device and that device
is the source of the replace operation, we will trigger a use-after-free
if before we finish using the device the replace operation finishes and
frees the device.

Fix this by enlarging the critical section under the protection of the
device replace rwsem so that all uses of the device are done inside the
critical section.
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.593Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39496", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:26.275755Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:39.782Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/zoned.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "17765964703b88d8befd899f8501150bb7e07e43", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "092571ef9a812566c8f2c9038d9c2a64c49788d6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a0cc006f4214b87e70983c692e05bb36c59b5752", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0090d6e1b210551e63cf43958dc7a1ec942cdde9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"fs/btrfs/zoned.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. 
So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:18.901Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43", }, { url: "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6", }, { url: "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752", }, { url: "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9", }, ], title: "btrfs: zoned: fix use-after-free due to race with dev replace", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39496", datePublished: "2024-07-12T12:20:31.669Z", dateReserved: "2024-06-25T14:23:23.751Z", dateUpdated: "2024-12-19T09:07:18.901Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40986
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr()

Requests the vchan lock before using xdma->stop_request.
cve-2024-40908
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Set run context for rawtp test_run callback
syzbot reported crash when rawtp program executed through the
test_run interface calls bpf_get_attach_cookie helper or any
other helper that touches task->bpf_ctx pointer.
Setting the run context (task->bpf_ctx pointer) for test_run
callback.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 7adfc6c9b315e174cf8743b21b7b691c8766791b
cve-2024-40904
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
The syzbot fuzzer found that the interrupt-URB completion callback in
the cdc-wdm driver was taking too long, and the driver's immediate
resubmission of interrupt URBs with -EPROTO status combined with the
dummy-hcd emulation to cause a CPU lockup:
cdc_wdm 1-1:1.0: nonzero urb status received: -71
cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
CPU#0 Utilization every 4s during lockup:
#1: 98% system, 0% softirq, 3% hardirq, 0% idle
#2: 98% system, 0% softirq, 3% hardirq, 0% idle
#3: 98% system, 0% softirq, 3% hardirq, 0% idle
#4: 98% system, 0% softirq, 3% hardirq, 0% idle
#5: 98% system, 1% softirq, 3% hardirq, 0% idle
Modules linked in:
irq event stamp: 73096
hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Testing showed that the problem did not occur if the two error
messages -- the first two lines above -- were removed; apparently adding
material to the kernel log takes a surprisingly large amount of time.
In any case, the best approach for preventing these lockups and to
avoid spamming the log with thousands of error messages per second is
to ratelimit the two dev_err() calls. Therefore we replace them with
dev_err_ratelimited().
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 9908a32e94de2141463e104c9924279ed3509447
cve-2024-40956
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
Use list_for_each_entry_safe() to allow iterating through the list and
deleting the entry in the iteration process. The descriptor is freed via
idxd_desc_complete() and there's a slight chance may cause issue for
the list iterator when the descriptor is reused by another thread
without it being deleted from the list.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 16e19e11228ba660d9e322035635e7dcf160d5c2
cve-2024-40923
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
vmxnet3: disable rx data ring on dma allocation failure
When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,
the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset
rq->data_ring.desc_size for the data ring that failed, which presumably
causes the hypervisor to reference it on packet reception.
To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell
the hypervisor to disable this feature.
[ 95.436876] kernel BUG at net/core/skbuff.c:207!
[ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1
[ 95.441558] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
[ 95.443481] RIP: 0010:skb_panic+0x4d/0x4f
[ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50
ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9
ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24
[ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246
[ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f
[ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f
[ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60
[ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000
[ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0
[ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000
[ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0
[ 95.459791] Call Trace:
[ 95.460515] <IRQ>
[ 95.461180] ? __die_body.cold+0x19/0x27
[ 95.462150] ? die+0x2e/0x50
[ 95.462976] ? do_trap+0xca/0x110
[ 95.463973] ? do_error_trap+0x6a/0x90
[ 95.464966] ? skb_panic+0x4d/0x4f
[ 95.465901] ? exc_invalid_op+0x50/0x70
[ 95.466849] ? skb_panic+0x4d/0x4f
[ 95.467718] ? asm_exc_invalid_op+0x1a/0x20
[ 95.468758] ? skb_panic+0x4d/0x4f
[ 95.469655] skb_put.cold+0x10/0x10
[ 95.470573] vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]
[ 95.471853] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]
[ 95.473185] __napi_poll+0x2b/0x160
[ 95.474145] net_rx_action+0x2c6/0x3b0
[ 95.475115] handle_softirqs+0xe7/0x2a0
[ 95.476122] __irq_exit_rcu+0x97/0xb0
[ 95.477109] common_interrupt+0x85/0xa0
[ 95.478102] </IRQ>
[ 95.478846] <TASK>
[ 95.479603] asm_common_interrupt+0x26/0x40
[ 95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
[ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246
[ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000
[ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001
[ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3
[ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260
[ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000
[ 95.495035] acpi_safe_halt+0x14/0x20
[ 95.496127] acpi_idle_do_entry+0x2f/0x50
[ 95.497221] acpi_idle_enter+0x7f/0xd0
[ 95.498272] cpuidle_enter_state+0x81/0x420
[ 95.499375] cpuidle_enter+0x2d/0x40
[ 95.500400] do_idle+0x1e5/0x240
[ 95.501385] cpu_startup_entry+0x29/0x30
[ 95.502422] start_secondary+0x11c/0x140
[ 95.503454] common_startup_64+0x13e/0x141
[ 95.504466] </TASK>
[ 95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4
nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip
---truncated---
References
Impacted products
cve-2024-40931
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure snd_una is properly initialized on connect
This is strictly related to commit fb7a0d334894 ("mptcp: ensure snd_nxt
is properly initialized on connect"). It turns out that syzkaller can
trigger the retransmit after fallback and before processing any other
incoming packet - so that snd_una is still left uninitialized.
Address the issue explicitly initializing snd_una together with snd_nxt
and write_seq.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8fd738049ac3d67a937d36577763b47180aae1ad Version: 8fd738049ac3d67a937d36577763b47180aae1ad Version: 8fd738049ac3d67a937d36577763b47180aae1ad Version: 8fd738049ac3d67a937d36577763b47180aae1ad Version: 8fd738049ac3d67a937d36577763b47180aae1ad Version: 8fd738049ac3d67a937d36577763b47180aae1ad
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.803Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40931", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:58.880895Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:02.638Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mptcp/protocol.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "208cd22ef5e57f82d38ec11c1a1703f9401d6dde", status: "affected", version: "8fd738049ac3d67a937d36577763b47180aae1ad", versionType: "git", }, { lessThan: "7b9c7fc8600b64a86e4b47b2d190bba380267726", status: "affected", version: "8fd738049ac3d67a937d36577763b47180aae1ad", versionType: "git", }, { lessThan: "f03c46eabb3a67bd2993e237ab5517f00a5f1813", status: "affected", version: "8fd738049ac3d67a937d36577763b47180aae1ad", versionType: "git", 
}, { lessThan: "f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f", status: "affected", version: "8fd738049ac3d67a937d36577763b47180aae1ad", versionType: "git", }, { lessThan: "ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce", status: "affected", version: "8fd738049ac3d67a937d36577763b47180aae1ad", versionType: "git", }, { lessThan: "8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3", status: "affected", version: "8fd738049ac3d67a937d36577763b47180aae1ad", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mptcp/protocol.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.9", }, { lessThan: "5.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). 
It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:25.727Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde", }, { url: "https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726", }, { url: "https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813", }, { url: "https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f", }, { url: "https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce", }, { url: "https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3", }, ], title: "mptcp: ensure snd_una is properly initialized on connect", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40931", datePublished: "2024-07-12T12:25:09.778Z", dateReserved: "2024-07-12T12:17:45.583Z", dateUpdated: "2024-12-19T09:08:25.727Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40914
Vulnerability from cvelistv5
Published
2024-07-12 12:24
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: don't unpoison huge_zero_folio
When I did memory failure tests recently, below panic occurs:
kernel BUG at include/linux/mm.h:1135!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
Call Trace:
<TASK>
do_shrink_slab+0x14f/0x6a0
shrink_slab+0xca/0x8c0
shrink_node+0x2d0/0x7d0
balance_pgdat+0x33a/0x720
kswapd+0x1f3/0x410
kthread+0xd5/0x100
ret_from_fork+0x2f/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in: mce_inject hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
The root cause is that HWPoison flag will be set for huge_zero_folio
without increasing the folio refcnt. But then unpoison_memory() will
decrease the folio refcnt unexpectedly as it appears like a successfully
hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when
releasing huge_zero_folio.
Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue.
We're not prepared to unpoison huge_zero_folio yet.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: f8f836100fff594cea8a0a027affb9d5520f09a7 Version: 478d134e9506c7e9bfe2830ed03dd85e97966313 Version: 478d134e9506c7e9bfe2830ed03dd85e97966313 Version: 478d134e9506c7e9bfe2830ed03dd85e97966313 Version: 478d134e9506c7e9bfe2830ed03dd85e97966313
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.283Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40914", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:52.834846Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:39.386Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/memory-failure.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "688bb46ad339497b5b7f527b6636d2afe04b46af", status: "affected", version: "f8f836100fff594cea8a0a027affb9d5520f09a7", versionType: "git", }, { lessThan: "b2494506f30675245a3e6787281f79601af087bf", status: "affected", version: "478d134e9506c7e9bfe2830ed03dd85e97966313", versionType: "git", }, { lessThan: "0d73477af964dbd7396163a13817baf13940bca9", status: "affected", version: "478d134e9506c7e9bfe2830ed03dd85e97966313", versionType: "git", }, { lessThan: "d72b7711919de49d92a67dfc844a6cf4c23dd794", status: "affected", version: 
"478d134e9506c7e9bfe2830ed03dd85e97966313", versionType: "git", }, { lessThan: "fe6f86f4b40855a130a19aa589f9ba7f650423f4", status: "affected", version: "478d134e9506c7e9bfe2830ed03dd85e97966313", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/memory-failure.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: don't unpoison huge_zero_folio\n\nWhen I did memory failure tests recently, below panic occurs:\n\n kernel BUG at include/linux/mm.h:1135!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n 
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n Call Trace:\n <TASK>\n do_shrink_slab+0x14f/0x6a0\n shrink_slab+0xca/0x8c0\n shrink_node+0x2d0/0x7d0\n balance_pgdat+0x33a/0x720\n kswapd+0x1f3/0x410\n kthread+0xd5/0x100\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n Modules linked in: mce_inject hwpoison_inject\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt. But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\n\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. 
\nWe're not prepared to unpoison huge_zero_folio yet.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:55.080Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af", }, { url: "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf", }, { url: "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9", }, { url: "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794", }, { url: "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4", }, ], title: "mm/huge_memory: don't unpoison huge_zero_folio", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40914", datePublished: "2024-07-12T12:24:58.055Z", dateReserved: "2024-07-12T12:17:45.581Z", dateUpdated: "2024-12-19T09:07:55.080Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40940
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix tainted pointer delete is case of flow rules creation fail
In case of flow rule creation fail in mlx5_lag_create_port_sel_table(),
instead of previously created rules, the tainted pointer is deleted
several times.
Fix this bug by using correct flow rules pointers.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.350Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/531eab2da27dd42d68dfb841d82e987f4a6738b8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d857df86837ac1c30592e8a068204d16feac9930", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a03a3fa12769e25f4385bee587afe1445aee7f7a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/229bedbf62b13af5aba6525ad10b62ad38d9ccb5", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40940", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:30.416293Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:02.181Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "531eab2da27dd42d68dfb841d82e987f4a6738b8", status: "affected", version: "352899f384d4aefa77ede6310d08c1b515612a8f", versionType: "git", }, { lessThan: "d857df86837ac1c30592e8a068204d16feac9930", status: "affected", version: "352899f384d4aefa77ede6310d08c1b515612a8f", versionType: "git", }, { lessThan: "a03a3fa12769e25f4385bee587afe1445aee7f7a", status: "affected", version: "352899f384d4aefa77ede6310d08c1b515612a8f", versionType: "git", }, { lessThan: "229bedbf62b13af5aba6525ad10b62ad38d9ccb5", status: "affected", version: "352899f384d4aefa77ede6310d08c1b515612a8f", versionType: "git", }, ], }, { defaultStatus: "affected", 
product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix tainted pointer delete is case of flow rules creation fail\n\nIn case of flow rule creation fail in mlx5_lag_create_port_sel_table(),\ninstead of previously created rules, the tainted pointer is deleted\ndeveral times.\nFix this bug by using correct flow rules pointers.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:36.282Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/531eab2da27dd42d68dfb841d82e987f4a6738b8", }, { url: "https://git.kernel.org/stable/c/d857df86837ac1c30592e8a068204d16feac9930", }, { url: "https://git.kernel.org/stable/c/a03a3fa12769e25f4385bee587afe1445aee7f7a", }, { url: "https://git.kernel.org/stable/c/229bedbf62b13af5aba6525ad10b62ad38d9ccb5", }, ], title: "net/mlx5: Fix tainted pointer delete is case of flow rules creation fail", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40940", datePublished: "2024-07-12T12:25:15.808Z", 
dateReserved: "2024-07-12T12:17:45.587Z", dateUpdated: "2024-12-19T09:08:36.282Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40993
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: Fix suspicious rcu_dereference_protected()
When destroying all sets, we are either in pernet exit phase or
are executing a "destroy all sets command" from userspace. The latter
was taken into account in ip_set_dereference() (nfnetlink mutex is held),
but the former was not. The patch adds the required check to
rcu_dereference_protected() in ip_set_dereference().
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3 Version: 93b53c202b51a69e42ca57f5a183f7e008e19f83 Version: 0f1bb77c6d837c9513943bc7c08f04c5cc5c6568 Version: 390b353d1a1da3e9c6c0fd14fe650d69063c95d6 Version: 2ba35b37f780c6410bb4bba9c3072596d8576702 Version: 90ae20d47de602198eb69e6cd7a3db3420abfc08 Version: 4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.065Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3799d02ae4208af08e81310770d8754863a246a1", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/72d9611968867cc4c5509e7708b1507d692b797a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/523bed6489e089dd8040e72453fb79da47b144c2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/788d585e62f487bc4536d454937f737b70d39a33", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/94dd411c18d7fff9e411555d5c662d29416501e4", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3fc09e1ca854bc234e007a56e0f7431f5e2defb5", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8ecd06277a7664f4ef018abae3abd3451d64e7a6", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40993", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:41.687653Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:20.022Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netfilter/ipset/ip_set_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3799d02ae4208af08e81310770d8754863a246a1", status: "affected", version: "c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3", versionType: "git", }, { lessThan: "72d9611968867cc4c5509e7708b1507d692b797a", status: "affected", version: "93b53c202b51a69e42ca57f5a183f7e008e19f83", versionType: "git", }, { lessThan: 
"523bed6489e089dd8040e72453fb79da47b144c2", status: "affected", version: "0f1bb77c6d837c9513943bc7c08f04c5cc5c6568", versionType: "git", }, { lessThan: "788d585e62f487bc4536d454937f737b70d39a33", status: "affected", version: "390b353d1a1da3e9c6c0fd14fe650d69063c95d6", versionType: "git", }, { lessThan: "94dd411c18d7fff9e411555d5c662d29416501e4", status: "affected", version: "2ba35b37f780c6410bb4bba9c3072596d8576702", versionType: "git", }, { lessThan: "3fc09e1ca854bc234e007a56e0f7431f5e2defb5", status: "affected", version: "90ae20d47de602198eb69e6cd7a3db3420abfc08", versionType: "git", }, { lessThan: "8ecd06277a7664f4ef018abae3abd3451d64e7a6", status: "affected", version: "4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netfilter/ipset/ip_set_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6.1.96", status: "affected", version: "6.1.95", versionType: "semver", }, { lessThan: "6.6.36", status: "affected", version: "6.6.35", versionType: "semver", }, { lessThan: "6.9.7", status: "affected", version: "6.9.6", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix suspicious rcu_dereference_protected()\n\nWhen destroying all sets, we are either in pernet exit phase or\nare executing a \"destroy all sets command\" from userspace. The latter\nwas taken into account in ip_set_dereference() (nfnetlink mutex is held),\nbut the former was not. 
The patch adds the required check to\nrcu_dereference_protected() in ip_set_dereference().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:38.815Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3799d02ae4208af08e81310770d8754863a246a1", }, { url: "https://git.kernel.org/stable/c/72d9611968867cc4c5509e7708b1507d692b797a", }, { url: "https://git.kernel.org/stable/c/523bed6489e089dd8040e72453fb79da47b144c2", }, { url: "https://git.kernel.org/stable/c/788d585e62f487bc4536d454937f737b70d39a33", }, { url: "https://git.kernel.org/stable/c/94dd411c18d7fff9e411555d5c662d29416501e4", }, { url: "https://git.kernel.org/stable/c/3fc09e1ca854bc234e007a56e0f7431f5e2defb5", }, { url: "https://git.kernel.org/stable/c/8ecd06277a7664f4ef018abae3abd3451d64e7a6", }, ], title: "netfilter: ipset: Fix suspicious rcu_dereference_protected()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40993", datePublished: "2024-07-12T12:37:36.453Z", dateReserved: "2024-07-12T12:17:45.606Z", dateUpdated: "2024-12-19T09:09:38.815Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-41000
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
block/ioctl: prefer different overflow check
Running syzkaller with the newly reintroduced signed integer overflow
sanitizer shows this report:
[ 62.982337] ------------[ cut here ]------------
[ 62.985692] cgroup: Invalid name
[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46
[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1
[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'
[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1
[ 62.999369] random: crng reseeded on system resumption
[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)
[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 63.000682] Call Trace:
[ 63.000686] <TASK>
[ 63.000731] dump_stack_lvl+0x93/0xd0
[ 63.000919] __get_user_pages+0x903/0xd30
[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0
[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50
[ 63.001072] ? try_get_folio+0x29c/0x2d0
[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530
[ 63.001109] iov_iter_extract_pages+0x23b/0x580
[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220
[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410
[ 63.001297] __iomap_dio_rw+0xab4/0x1810
[ 63.001316] iomap_dio_rw+0x45/0xa0
[ 63.001328] ext4_file_write_iter+0xdde/0x1390
[ 63.001372] vfs_write+0x599/0xbd0
[ 63.001394] ksys_write+0xc8/0x190
[ 63.001403] do_syscall_64+0xd4/0x1b0
[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60
[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 63.001535] RIP: 0033:0x7f7fd3ebf539
[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539
[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004
[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000
[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8
...
[ 63.018142] ---[ end trace ]---
Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang; It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").
Let's rework this overflow checking logic to not actually perform an
overflow during the check itself, thus avoiding the UBSAN splat.
[1]: https://github.com/llvm/llvm-project/pull/82432
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.991Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-41000", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:19.374759Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:19.237Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/ioctl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "58706e482bf45c4db48b0c53aba2468c97adda24", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3220c90f4dbdc6d20d0608b164d964434a810d66", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "61ec76ec930709b7bcd69029ef1fe90491f20cf9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { 
lessThan: "fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "54160fb1db2de367485f21e30196c42f7ee0be4e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "block/ioctl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/ioctl: prefer different overflow check\n\nRunning syzkaller with the newly reintroduced signed integer overflow\nsanitizer shows this report:\n\n[ 62.982337] ------------[ cut here ]------------\n[ 62.985692] cgroup: Invalid name\n[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\n[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\n[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\n[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\n[ 62.999369] random: crng reseeded on system resumption\n[ 63.000634] GUP no 
longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\n[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 63.000682] Call Trace:\n[ 63.000686] <TASK>\n[ 63.000731] dump_stack_lvl+0x93/0xd0\n[ 63.000919] __get_user_pages+0x903/0xd30\n[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0\n[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50\n[ 63.001072] ? try_get_folio+0x29c/0x2d0\n[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530\n[ 63.001109] iov_iter_extract_pages+0x23b/0x580\n[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220\n[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410\n[ 63.001297] __iomap_dio_rw+0xab4/0x1810\n[ 63.001316] iomap_dio_rw+0x45/0xa0\n[ 63.001328] ext4_file_write_iter+0xdde/0x1390\n[ 63.001372] vfs_write+0x599/0xbd0\n[ 63.001394] ksys_write+0xc8/0x190\n[ 63.001403] do_syscall_64+0xd4/0x1b0\n[ 63.001421] ? 
arch_exit_to_user_mode_prepare+0x3a/0x60\n[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77\n[ 63.001535] RIP: 0033:0x7f7fd3ebf539\n[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\n[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\n[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\n[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\n[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\n...\n[ 63.018142] ---[ end trace ]---\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang; It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rework this overflow checking logic to not actually perform an\noverflow during the check itself, thus avoiding the UBSAN splat.\n\n[1]: https://github.com/llvm/llvm-project/pull/82432", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:47.360Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24", }, { url: "https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66", }, { url: "https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9", }, { url: "https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e", }, { url: "https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e", }, { url: 
"https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9", }, ], title: "block/ioctl: prefer different overflow check", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-41000", datePublished: "2024-07-12T12:37:41.189Z", dateReserved: "2024-07-12T12:17:45.608Z", dateUpdated: "2024-12-19T09:09:47.360Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40987
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix UBSAN warning in kv_dpm.c
Adds bounds check for sumo_vid_mapping_entry.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.996Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40987", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:00.830583Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:20.703Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4ad7d49059358ceadd352b4e2511425bdb68f400", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: 
"1c44f7759a5650acf8f13d3e0a184d09e03be9e4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d8a04a6bfa75251ba7bcc3651ed211e82f13f388", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4d020c1dbd2b2304f44d003e6de956ae570049dc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fc5cb952e6723c5c55e47b8cf94a891bd4af1a86", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b0d612619ed70cab476c77b19e00d13aa414e14f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f0d576f840153392d04b2d52cf3adab8f62e8cb6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", 
version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:31.400Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400", }, { url: "https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4", }, { url: "https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388", }, { url: "https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc", }, { url: "https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86", }, { url: "https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f", }, { url: "https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f", }, { url: "https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6", }, ], title: "drm/amdgpu: fix UBSAN warning in kv_dpm.c", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40987", datePublished: "2024-07-12T12:37:32.490Z", dateReserved: "2024-07-12T12:17:45.605Z", dateUpdated: "2024-12-19T09:09:31.400Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40991
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: k3-udma-glue: Fix of_k3_udma_glue_parse_chn_by_id()
The of_k3_udma_glue_parse_chn_by_id() helper function erroneously
invokes "of_node_put()" on the "udmax_np" device-node passed to it,
without having incremented its reference count at any point. Fix it.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.059Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a5ab5f413d1e4c7ed5f64271b025f0726374509e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ba27e9d2207784da748b19170a2e56bd7770bd81", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40991", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:48.045329Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:20.263Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/dma/ti/k3-udma-glue.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a5ab5f413d1e4c7ed5f64271b025f0726374509e", status: "affected", version: "81a1f90f20af71728f900f245aa69e9425fdef84", versionType: "git", }, { lessThan: "ba27e9d2207784da748b19170a2e56bd7770bd81", status: "affected", version: "81a1f90f20af71728f900f245aa69e9425fdef84", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/dma/ti/k3-udma-glue.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux 
kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-glue: Fix of_k3_udma_glue_parse_chn_by_id()\n\nThe of_k3_udma_glue_parse_chn_by_id() helper function erroneously\ninvokes \"of_node_put()\" on the \"udmax_np\" device-node passed to it,\nwithout having incremented its reference count at any point. Fix it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:36.351Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a5ab5f413d1e4c7ed5f64271b025f0726374509e", }, { url: "https://git.kernel.org/stable/c/ba27e9d2207784da748b19170a2e56bd7770bd81", }, ], title: "dmaengine: ti: k3-udma-glue: Fix of_k3_udma_glue_parse_chn_by_id()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40991", datePublished: "2024-07-12T12:37:35.138Z", dateReserved: "2024-07-12T12:17:45.605Z", dateUpdated: "2024-12-19T09:09:36.351Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40999
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ena: Add validation for completion descriptors consistency
Validate that `first` flag is set only for the first
descriptor in multi-buffer packets.
In case of an invalid descriptor, a reset will occur.
A new reset reason for RX data corruption has been added.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.158Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40999", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:22.448911Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:19.348Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/amazon/ena/ena_eth_com.c", "drivers/net/ethernet/amazon/ena/ena_netdev.c", "drivers/net/ethernet/amazon/ena/ena_regs_defs.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "42146ee5286f16f1674a84f7c274dcca65c6ff2e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/amazon/ena/ena_eth_com.c", "drivers/net/ethernet/amazon/ena/ena_netdev.c", "drivers/net/ethernet/amazon/ena/ena_regs_defs.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", 
versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Add validation for completion descriptors consistency\n\nValidate that `first` flag is set only for the first\ndescriptor in multi-buffer packets.\nIn case of an invalid descriptor, a reset will occur.\nA new reset reason for RX data corruption has been added.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:46.181Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e", }, { url: "https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7", }, ], title: "net: ena: Add validation for completion descriptors consistency", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40999", datePublished: "2024-07-12T12:37:40.507Z", dateReserved: "2024-07-12T12:17:45.608Z", dateUpdated: "2024-12-19T09:09:46.181Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40902
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: xattr: fix buffer overflow for invalid xattr
When an xattr size is not what is expected, it is printed out to the
kernel log in hex format as a form of debugging. But when that xattr
size is bigger than the expected size, printing it out can cause an
access off the end of the buffer.
Fix this all up by properly restricting the size of the debug hex dump
in the kernel log.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.415Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "linux_kernel", vendor: "linux", versions: [ { lessThan: "f0dedb5c511e", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "1e84c9b18381", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "fc745f6e83cb", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "480e5bc21f2c", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "33aecc5799c9", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "4598233d9748", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "b537cb2f4c4a", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "7c55b78818cf", status: "affected", 
version: "1da177e4c3f4", versionType: "git", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-40902", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-16T04:02:10.264268Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-121", description: "CWE-121 Stack-based Buffer Overflow", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-20T14:03:35.925Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/jfs/xattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f0dedb5c511ed82cbaff4997a8decf2351ba549f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1e84c9b1838152a87cf453270a5fa75c5037e83a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fc745f6e83cb650f9a5f2c864158e3a5ea76dad0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "480e5bc21f2c42d90c2c16045d64d824dcdd5ec7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "33aecc5799c93d3ee02f853cb94e201f9731f123", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: 
"4598233d9748fe4db4e13b9f473588aa25e87d69", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b537cb2f4c4a1357479716a9c339c0bda03d873f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7c55b78818cfb732680c4a72ab270cc2d2ee3d0f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/jfs/xattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: xattr: fix buffer overflow for invalid xattr\n\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging. 
But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\n\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:40.030Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f", }, { url: "https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a", }, { url: "https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0", }, { url: "https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7", }, { url: "https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123", }, { url: "https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69", }, { url: "https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f", }, { url: "https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f", }, ], title: "jfs: xattr: fix buffer overflow for invalid xattr", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40902", datePublished: "2024-07-12T12:20:43.508Z", dateReserved: "2024-07-12T12:17:45.579Z", dateUpdated: "2024-12-19T09:07:40.030Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40963
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
mips: bmips: BCM6358: make sure CBR is correctly set
It was discovered that some devices have CBR address set to 0 causing
kernel panic when arch_sync_dma_for_cpu_all is called.
This was noticed in situation where the system is booted from TP1 and
BMIPS_GET_CBR() returns 0 instead of a valid address and
!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.
The current checks whether RAC flush should be disabled or not are not
enough hence let's check if CBR is a valid address or not.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | d65de5ee8b72868fbbbd39ca73017d0e526fa13a
Linux | Linux | 47a449ec09b4479b89dcc6b27ec3829fc82ffafb
Linux | Linux | 65b723644294f1d79770704162c0e8d1f700b6f1
Linux | Linux | 2cdbcff99f15db86a10672fb220379a1ae46ccae
Linux | Linux | ab327f8acdf8d06601fbf058859a539a9422afff
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.958Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40963", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:19.862197Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:01.545Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/mips/bmips/setup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "10afe5f7d30f6fe50c2b1177549d0e04921fc373", status: "affected", version: "d65de5ee8b72868fbbbd39ca73017d0e526fa13a", versionType: "git", }, { lessThan: "36d771ce6028b886e18a4a8956a5d23688e4e13d", status: "affected", version: "47a449ec09b4479b89dcc6b27ec3829fc82ffafb", versionType: "git", }, { lessThan: 
"89167072fd249e5f23ae2f8093f87da5925cef27", status: "affected", version: "65b723644294f1d79770704162c0e8d1f700b6f1", versionType: "git", }, { lessThan: "6c0f6ccd939166f56a904c792d7fcadae43b9085", status: "affected", version: "2cdbcff99f15db86a10672fb220379a1ae46ccae", versionType: "git", }, { lessThan: "2cd4854ef14a487bcfb76c7980675980cad27b52", status: "affected", version: "ab327f8acdf8d06601fbf058859a539a9422afff", versionType: "git", }, { lessThan: "da895fd6da438af8d9326b8f02d715a9c76c3b5b", status: "affected", version: "ab327f8acdf8d06601fbf058859a539a9422afff", versionType: "git", }, { lessThan: "ce5cdd3b05216b704a704f466fb4c2dff3778caf", status: "affected", version: "ab327f8acdf8d06601fbf058859a539a9422afff", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/mips/bmips/setup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.3", }, { lessThan: "6.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: make sure CBR is correctly set\n\nIt was discovered that some device have CBR address set to 0 
causing\nkernel panic when arch_sync_dma_for_cpu_all is called.\n\nThis was notice in situation where the system is booted from TP1 and\nBMIPS_GET_CBR() returns 0 instead of a valid address and\n!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.\n\nThe current check whether RAC flush should be disabled or not are not\nenough hence lets check if CBR is a valid address or not.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:02.564Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373", }, { url: "https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d", }, { url: "https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27", }, { url: "https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085", }, { url: "https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52", }, { url: "https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b", }, { url: "https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf", }, ], title: "mips: bmips: BCM6358: make sure CBR is correctly set", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40963", datePublished: "2024-07-12T12:32:04.019Z", dateReserved: "2024-07-12T12:17:45.602Z", dateUpdated: "2024-12-19T09:09:02.564Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-41001
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/sqpoll: work around a potential audit memory leak
kmemleak complains that there's a memory leak related to connect
handling:
unreferenced object 0xffff0001093bdf00 (size 128):
comm "iou-sqp-455", pid 457, jiffies 4294894164
hex dump (first 32 bytes):
02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 2e481b1a):
[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38
[<000000009c30bb45>] kmalloc_trace+0x228/0x358
[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138
[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8
[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4
[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48
[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4
[<00000000d999b491>] ret_from_fork+0x10/0x20
which can happen if:
1) The command type does something on the prep side that triggers an
audit call.
2) The thread hasn't done any operations before this that triggered
an audit call inside ->issue(), where we have audit_uring_entry()
and audit_uring_exit().
Work around this by issuing a blanket NOP operation before the SQPOLL
does anything.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.072Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-41001", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:15.228345Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:19.127Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/sqpoll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "55c22375cbaa24f77dd13f9ae0642915444a1227", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9e810bd995823786ea30543e480e8a573e5e5667", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a40e90d9304629002fb17200f7779823a81191d3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c4ce0ab27646f4206a9eb502d6fe45cb080e1cae", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"io_uring/sqpoll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: work around a potential audit memory leak\n\nkmemleak complains that there's a memory leak related to connect\nhandling:\n\nunreferenced object 0xffff0001093bdf00 (size 128):\ncomm \"iou-sqp-455\", pid 457, jiffies 4294894164\nhex dump (first 32 bytes):\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace (crc 2e481b1a):\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\n[<00000000d999b491>] ret_from_fork+0x10/0x20\n\nwhich can can happen if:\n\n1) The command type does something on the prep side that triggers an\n audit call.\n2) The thread hasn't done any operations before this that triggered\n an audit call inside ->issue(), where we have audit_uring_entry()\n and audit_uring_exit().\n\nWork around this by issuing a blanket NOP operation before the SQPOLL\ndoes anything.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:48.553Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: 
"https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227", }, { url: "https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667", }, { url: "https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3", }, { url: "https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae", }, ], title: "io_uring/sqpoll: work around a potential audit memory leak", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-41001", datePublished: "2024-07-12T12:37:41.850Z", dateReserved: "2024-07-12T12:17:45.609Z", dateUpdated: "2024-12-19T09:09:48.553Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40938
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
landlock: Fix d_parent walk
The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when
trying to link a root mount point. This cannot work in practice because
this directory is mounted, but the VFS check is done after the call to
security_path_link().
Do not use source directory's d_parent when the source directory is the
mount point.
[mic: Fix commit message]
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.945Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b6e5e696435832b33e40775f060ef5c95f4fda1f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/cc30d05b34f9a087a6928d09b131f7b491e9ab11", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c7618c7b0b8c45bcef34410cc1d1e953eb17f8f6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/88da52ccd66e65f2e63a6c35c9dff55d448ef4dc", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40938", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:36.699030Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:26.368Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "security/landlock/fs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b6e5e696435832b33e40775f060ef5c95f4fda1f", status: "affected", version: "b91c3e4ea756b12b7d992529226edce1cfd854d7", versionType: "git", }, { lessThan: "cc30d05b34f9a087a6928d09b131f7b491e9ab11", status: "affected", version: "b91c3e4ea756b12b7d992529226edce1cfd854d7", versionType: "git", }, { lessThan: "c7618c7b0b8c45bcef34410cc1d1e953eb17f8f6", status: "affected", version: "b91c3e4ea756b12b7d992529226edce1cfd854d7", versionType: "git", }, { lessThan: "88da52ccd66e65f2e63a6c35c9dff55d448ef4dc", status: "affected", version: "b91c3e4ea756b12b7d992529226edce1cfd854d7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"security/landlock/fs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Fix d_parent walk\n\nThe WARN_ON_ONCE() in collect_domain_accesses() can be triggered when\ntrying to link a root mount point. This cannot work in practice because\nthis directory is mounted, but the VFS check is done after the call to\nsecurity_path_link().\n\nDo not use source directory's d_parent when the source directory is the\nmount point.\n\n[mic: Fix commit message]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:33.855Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b6e5e696435832b33e40775f060ef5c95f4fda1f", }, { url: "https://git.kernel.org/stable/c/cc30d05b34f9a087a6928d09b131f7b491e9ab11", }, { url: "https://git.kernel.org/stable/c/c7618c7b0b8c45bcef34410cc1d1e953eb17f8f6", }, { url: "https://git.kernel.org/stable/c/88da52ccd66e65f2e63a6c35c9dff55d448ef4dc", }, ], title: "landlock: Fix d_parent walk", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40938", datePublished: "2024-07-12T12:25:14.463Z", dateReserved: "2024-07-12T12:17:45.584Z", dateUpdated: "2024-12-19T09:08:33.855Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39507
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: fix kernel crash problem in concurrent scenario
When link status changes, the nic driver needs to notify the roce
driver to handle this event, but at this time, the roce driver
may uninit, then cause kernel crash.
To fix the problem, when link status change, need to check
whether the roce registered, and when uninit, need to wait link
update finish.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab Version: 45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab Version: 45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab Version: 45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab Version: 45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.929Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39507", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:51.352211Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:39.150Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "62b5dfb67bfa8bd0301bf3442004563495f9ee48", status: "affected", version: "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab", versionType: "git", }, { lessThan: "6d0007f7b69d684879a0f598a042e40244d3cf63", status: "affected", version: "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab", versionType: "git", }, { lessThan: "689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa", status: "affected", version: "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab", versionType: "git", }, { lessThan: "b2c5024b771cd1dd8175d5f6949accfadbab7edd", status: "affected", 
version: "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab", versionType: "git", }, { lessThan: "12cda920212a49fa22d9e8b9492ac4ea013310a4", status: "affected", version: "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.1", }, { lessThan: "5.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash problem in concurrent scenario\n\nWhen link status change, the nic driver need to notify the roce\ndriver to handle this event, but at this time, the roce driver\nmay uninit, then cause kernel crash.\n\nTo fix the problem, when link status change, need to check\nwhether the roce registered, and when uninit, need to wait link\nupdate finish.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:31.814Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48", }, { url: "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63", }, { url: "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa", }, { url: 
"https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd", }, { url: "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4", }, ], title: "net: hns3: fix kernel crash problem in concurrent scenario", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39507", datePublished: "2024-07-12T12:20:38.954Z", dateReserved: "2024-06-25T14:23:23.752Z", dateUpdated: "2024-12-19T09:07:31.814Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39502
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
ionic: fix use after netif_napi_del()
When queues are started, netif_napi_add() and napi_enable() are called.
If there are 4 queues and only 3 queues are used for the current
configuration, only 3 queues' napi should be registered and enabled.
The ionic_qcq_enable() checks whether the .poll pointer is not NULL for
enabling only the using queue' napi. Unused queues' napi will not be
registered by netif_napi_add(), so the .poll pointer indicates NULL.
But it couldn't distinguish whether the napi was unregistered or not
because netif_napi_del() doesn't reset the .poll pointer to NULL.
So, ionic_qcq_enable() calls napi_enable() for the queue, which was
unregistered by netif_napi_del().
Reproducer:
ethtool -L <interface name> rx 1 tx 1 combined 0
ethtool -L <interface name> rx 0 tx 0 combined 1
ethtool -L <interface name> rx 0 tx 0 combined 4
Splat looks like:
kernel BUG at net/core/dev.c:6666!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
Workqueue: events ionic_lif_deferred_work [ionic]
RIP: 0010:napi_enable+0x3b/0x40
Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<TASK>
? die+0x33/0x90
? do_trap+0xd9/0x100
? napi_enable+0x3b/0x40
? do_error_trap+0x83/0xb0
? napi_enable+0x3b/0x40
? napi_enable+0x3b/0x40
? exc_invalid_op+0x4e/0x70
? napi_enable+0x3b/0x40
? asm_exc_invalid_op+0x16/0x20
? napi_enable+0x3b/0x40
ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
process_one_work+0x145/0x360
worker_thread+0x2bb/0x3d0
? __pfx_worker_thread+0x10/0x10
kthread+0xcc/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 Version: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 Version: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 Version: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 Version: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 Version: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 Version: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.603Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39502", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:07.252622Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:40.350Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/pensando/ionic/ionic_lif.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0d19267cb150e8f76ade210e16ee820a77f684e7", status: "affected", version: "0f3154e6bcb354968cc04f7cd86ce466f7b9a814", versionType: "git", }, { lessThan: "ff9c2a9426ecf5b9631e9fd74993b357262387d6", status: "affected", version: "0f3154e6bcb354968cc04f7cd86ce466f7b9a814", versionType: "git", }, { 
lessThan: "8edd18dab443863e9e48f084e7f123fca3065e4e", status: "affected", version: "0f3154e6bcb354968cc04f7cd86ce466f7b9a814", versionType: "git", }, { lessThan: "60cd714871cd5a683353a355cbb17a685245cf84", status: "affected", version: "0f3154e6bcb354968cc04f7cd86ce466f7b9a814", versionType: "git", }, { lessThan: "183ebc167a8a19e916b885d4bb61a3491991bfa5", status: "affected", version: "0f3154e6bcb354968cc04f7cd86ce466f7b9a814", versionType: "git", }, { lessThan: "a87d72b37b9ec2c1e18fe36b09241d8b30334a2e", status: "affected", version: "0f3154e6bcb354968cc04f7cd86ce466f7b9a814", versionType: "git", }, { lessThan: "79f18a41dd056115d685f3b0a419c7cd40055e13", status: "affected", version: "0f3154e6bcb354968cc04f7cd86ce466f7b9a814", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/pensando/ionic/ionic_lif.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.4", }, { lessThan: "5.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and 
napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L <interface name> rx 1 tx 1 combined 0\n ethtool -L <interface name> rx 0 tx 0 combined 1\n ethtool -L <interface name> rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? 
napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:25.991Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7", }, { url: "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6", }, { url: "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e", }, { url: "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84", }, { url: "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5", }, { url: "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e", }, { url: "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13", }, ], title: "ionic: fix use after netif_napi_del()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39502", datePublished: "2024-07-12T12:20:35.635Z", dateReserved: "2024-06-25T14:23:23.752Z", dateUpdated: "2024-12-19T09:07:25.991Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40932
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/exynos/vidi: fix memory leak in .get_modes()
The duplicated EDID is never freed. Fix it.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.474Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40932", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:55.807236Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:27.263Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/exynos/exynos_drm_vidi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "540ca99729e28dbe902b01039a3b4bd74520a819", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: 
"ebcf81504fef03f701b9711e43fea4fe2d82ebc8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0acc356da8546b5c55aabfc2e2c5caa0ac9b0003", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "777838c9b571674ef14dbddf671f372265879226", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "dcba6bedb439581145d8aa6b0925209f23184ae1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a269c5701244db2722ae0fce5d1854f5d8f31224", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cb3ac233434dba130281db330c4b15665b2d2c4d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "38e3825631b1f314b21e3ade00b5a4d737eb054e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/exynos/exynos_drm_vidi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: 
"6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos/vidi: fix memory leak in .get_modes()\n\nThe duplicated EDID is never freed. Fix it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:26.907Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819", }, { url: "https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8", }, { url: "https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003", }, { url: "https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226", }, { url: "https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1", }, { url: "https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224", }, { url: "https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d", }, { url: "https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e", }, ], title: "drm/exynos/vidi: fix memory leak in .get_modes()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40932", datePublished: "2024-07-12T12:25:10.444Z", dateReserved: "2024-07-12T12:17:45.583Z", dateUpdated: "2024-12-19T09:08:26.907Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40996
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

bpf: Avoid splat in pskb_pull_reason

syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug hint in pskb_may_pull.

We'd like to retain this debug check because it might hint at integer overflows and other issues (kernel code should pull headers, not huge value).

In bpf case, this splat isn't interesting at all: such (nonsensical) bpf programs are typically generated by a fuzzer anyway.

Do what Eric suggested and suppress such warning.

For CONFIG_DEBUG_NET=n we don't need the extra check because pskb_may_pull will do the right thing: return an error without the WARN() backtrace.
cve-2024-40954
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: do not leave a dangling sk pointer, when socket creation fails

It is possible to trigger a use-after-free by:
* attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper
* running traceroute -I 1.1.1.1 on a freshly booted VM

A KASAN enabled kernel will log something like below (decoded and stripped):
==================================================================
BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
Read of size 8 at addr ffff888007110dd8 by task traceroute/299
CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
kasan_report (mm/kasan/report.c:603)
? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
bpf_trampoline_6442506592+0x47/0xaf
__sock_release (net/socket.c:652)
__sock_create (net/socket.c:1601)
...
Allocated by task 299 on cpu 2 at 78.328492s:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:68)
__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
sk_prot_alloc (net/core/sock.c:2075)
sk_alloc (net/core/sock.c:2134)
inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
__sock_create (net/socket.c:1572)
__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
__x64_sys_socket (net/socket.c:1718)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Freed by task 299 on cpu 2 at 78.328502s:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:68)
kasan_save_free_info (mm/kasan/generic.c:582)
poison_slab_object (mm/kasan/common.c:242)
__kasan_slab_free (mm/kasan/common.c:256)
kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
__sock_create (net/socket.c:1572)
__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
__x64_sys_socket (net/socket.c:1718)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may have already attached the reference to the sk object with sock_init_data().
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd
cve-2024-39506
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference.

lio_vf_rep_copy_packet() call trace looks like:

    octeon_droq_process_packets
    octeon_droq_fast_process_packets
    octeon_droq_dispatch_pkt
    octeon_create_recv_info
    ...search in the dispatch_list...
    ->disp_fn(rdisp->rinfo, ...)
    lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)

In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn't solve a potential problem. But I guess the author had a reason to add a check and I have no such card and can't do a real test.

In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same.

Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1f233f327913f3dee0602cba9c64df1903772b55
cve-2024-40961
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent possible NULL deref in fib6_nh_init()

syzbot reminds us that in6_dev_get() can return NULL.

fib6_nh_init()
  ip6_validate_gw( &idev )
    ip6_route_check_nh( idev )
      *idev = in6_dev_get(dev); // can be NULL

Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606
Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b
RSP: 0018:ffffc900032775a0 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8
RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000
R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8
R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000
FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809
ip6_route_add+0x28/0x160 net/ipv6/route.c:3853
ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483
inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f940f07cea9
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 428604fb118facce1309670779a35baf27ad044c
cve-2024-39495
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
greybus: Fix use-after-free bug in gb_interface_release due to race condition.
In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.
    if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
        ...
    }
If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
"intf". However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object "intf".
The possible execution flow that may lead to the issue is as follows:
    CPU0                        CPU1

                            |   gb_interface_create
                            |   gb_interface_request_mode_switch
    gb_interface_release    |
    kfree(intf) (free)      |
                            |   gb_interface_mode_switch_work
                            |   mutex_lock(&intf->mutex) (use)
Fix it by canceling the work before kfree.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.499Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "linux_kernel", vendor: "linux", versions: [ { lessThan: "74cd0a421896", status: "affected", version: "0", versionType: "git", }, { lessThan: "2b6bb0b4abfd", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "fb071f5c75d4", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "9a733d69a4a5", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "0b8fba38bdfb", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "03ea2b129344", status: "affected", version: "1da177e4c3f4", versionType: "git", }, { lessThan: "5c9c5d7f26ac", status: "affected", version: "1da177e4c3f4", versionType: "git", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: 
"HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-39495", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-16T04:02:11.550513Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-416", description: "CWE-416 Use After Free", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-20T14:16:51.245Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/greybus/interface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "74cd0a421896b2e07eafe7da4275302bfecef201", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fb071f5c75d4b1c177824de74ee75f9dd34123b9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9a733d69a4a59c2d08620e6589d823c24be773dc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0b8fba38bdfb848fac52e71270b2aa3538c996ea", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "03ea2b129344152157418929f06726989efc0445", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce", status: "affected", version: 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/greybus/interface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\n\nIn gb_interface_create, &intf->mode_switch_completion is bound with\ngb_interface_mode_switch_work. Then it will be started by\ngb_interface_request_mode_switch. Here is the relevant code.\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\n\t...\n}\n\nIf we call gb_interface_release to make cleanup, there may be an\nunfinished work. This function will call kfree to free the object\n\"intf\". 
However, if gb_interface_mode_switch_work is scheduled to\nrun after kfree, it may cause use-after-free error as\ngb_interface_mode_switch_work will use the object \"intf\".\nThe possible execution flow that may lead to the issue is as follows:\n\nCPU0 CPU1\n\n | gb_interface_create\n | gb_interface_request_mode_switch\ngb_interface_release |\nkfree(intf) (free) |\n | gb_interface_mode_switch_work\n | mutex_lock(&intf->mutex) (use)\n\nFix it by canceling the work before kfree.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:17.729Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201", }, { url: "https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83", }, { url: "https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9", }, { url: "https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc", }, { url: "https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea", }, { url: "https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445", }, { url: "https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce", }, ], title: "greybus: Fix use-after-free bug in gb_interface_release due to race condition.", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39495", datePublished: "2024-07-12T12:20:31.022Z", dateReserved: "2024-06-25T14:23:23.751Z", dateUpdated: "2024-12-19T09:07:17.729Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40929
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
In some versions of cfg80211, the ssids pointer might be a valid one even
though n_ssids is 0. Accessing the pointer in this case will cause an
out-of-bound access. Fix this by checking n_ssids first.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | c1a7515393e403758a684fd0a2372af466675b15
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.376Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40929", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:05.324309Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:02.938Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/intel/iwlwifi/mvm/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3c4771091ea8016c8601399078916f722dd8833b", status: "affected", version: "c1a7515393e403758a684fd0a2372af466675b15", versionType: "git", }, { lessThan: "f777792952d03bbaf8329fdfa99393a5a33e2640", status: "affected", version: "c1a7515393e403758a684fd0a2372af466675b15", versionType: "git", }, { lessThan: "9e719ae3abad60e245ce248ba3f08148f375a614", status: "affected", version: 
"c1a7515393e403758a684fd0a2372af466675b15", versionType: "git", }, { lessThan: "29a18d56bd64b95bd10bda4afda512558471382a", status: "affected", version: "c1a7515393e403758a684fd0a2372af466675b15", versionType: "git", }, { lessThan: "62e007bdeb91c6879a4652c3426aef1cd9d2937b", status: "affected", version: "c1a7515393e403758a684fd0a2372af466675b15", versionType: "git", }, { lessThan: "60d62757df30b74bf397a2847a6db7385c6ee281", status: "affected", version: "c1a7515393e403758a684fd0a2372af466675b15", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/intel/iwlwifi/mvm/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.17", }, { lessThan: "4.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\n\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. 
Fix this by checking n_ssids first.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:23.310Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b", }, { url: "https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640", }, { url: "https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614", }, { url: "https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a", }, { url: "https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b", }, { url: "https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281", }, ], title: "wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40929", datePublished: "2024-07-12T12:25:08.434Z", dateReserved: "2024-07-12T12:17:45.583Z", dateUpdated: "2024-12-19T09:08:23.310Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40981
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bypass empty buckets in batadv_purge_orig_ref()
Many syzbot reports are pointing to soft lockups in
batadv_purge_orig_ref() [1]
Root cause is unknown, but we can avoid spending too much
time there and perhaps get more interesting reports.
[1]
watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]
Modules linked in:
irq event stamp: 6182794
hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271
CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: bat_events batadv_purge_orig
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]
pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388
lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
sp : ffff800099007970
x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000
x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001
x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4
x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0
x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001
x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000
Call trace:
__daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]
__local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300
process_one_work+0x694/0x1204 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2787
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51
lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103
sp : ffff800093a17d30
x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4
x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002
x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000
x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396
x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001
---truncated---
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.062Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40981", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:19.871778Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:21.396Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/batman-adv/originator.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "79636f636126775436a11ee9cf00a9253a33ac11", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "154e3f862ba33675cf3f4abf0a0a309a89df87d2", status: 
"affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "82cdea8f3af1e36543c937df963d108c60bea030", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "92176caf9896572f00e741a93cecc0ef1172da07", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fed7914858a1f1f3e6350bb0f620d6ef15107d16", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2685008a5f9a636434a8508419cee8158a2f52c8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ae7f3cffe86aea3da0e8e079525a1ae619b8862a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "40dc8ab605894acae1473e434944924a22cfaaa0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/batman-adv/originator.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], 
descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\n\nMany syzbot reports are pointing to soft lockups in\nbatadv_purge_orig_ref() [1]\n\nRoot cause is unknown, but we can avoid spending too much\ntime there and perhaps get more interesting reports.\n\n[1]\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\nModules linked in:\nirq event stamp: 6182794\n hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\n hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]\n softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]\n softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_purge_orig\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\nsp : ffff800099007970\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: 
ffff80008aab71c4\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\nCall trace:\n __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\n arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\n __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\nsp : ffff800093a17d30\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 
1fffe00036804396\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:24.027Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11", }, { url: "https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2", }, { url: "https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030", }, { url: "https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07", }, { url: "https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16", }, { url: "https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8", }, { url: "https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a", }, { url: "https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0", }, ], title: "batman-adv: bypass empty buckets in batadv_purge_orig_ref()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40981", datePublished: "2024-07-12T12:32:16.277Z", dateReserved: "2024-07-12T12:17:45.604Z", dateUpdated: "2024-12-19T09:09:24.027Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40907
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
ionic: fix kernel panic in XDP_TX action
In the XDP_TX path, the ionic driver sends a packet to the TX path with the rx
page and corresponding dma address.
After tx is done, ionic_tx_clean() frees that page.
But the RX ring buffer isn't reset to NULL.
So, it uses a freed page, which causes a kernel panic.
BUG: unable to handle page fault for address: ffff8881576c110c
PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060
Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11
Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8
RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283
RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002
RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e
RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8
R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100
FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x20/0x70
? page_fault_oops+0x254/0x790
? __pfx_page_fault_oops+0x10/0x10
? __pfx_is_prefetch.constprop.0+0x10/0x10
? search_bpf_extables+0x165/0x260
? fixup_exception+0x4a/0x970
? exc_page_fault+0xcb/0xe0
? asm_exc_page_fault+0x22/0x30
? 0xffffffffc0051f64
? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
? do_raw_spin_unlock+0x54/0x220
ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
ionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
__napi_poll.constprop.0+0xa0/0x440
net_rx_action+0x7e7/0xc30
? __pfx_net_rx_action+0x10/0x10
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.283Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40907", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:15.613289Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:37.786Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/pensando/ionic/ionic_txrx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8812aa35f3e930f61074b9c1ecea26f354992c21", status: "affected", version: "8eeed8373e1cca836799bf8e4a05cffa8e444908", versionType: "git", }, { lessThan: "491aee894a08bc9b8bb52e7363b9d4bc6403f363", status: "affected", version: "8eeed8373e1cca836799bf8e4a05cffa8e444908", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/pensando/ionic/ionic_txrx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { 
lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix kernel panic in XDP_TX action\n\nIn the XDP_TX path, ionic driver sends a packet to the TX path with rx\npage and corresponding dma address.\nAfter tx is done, ionic_tx_clean() frees that page.\nBut RX ring buffer isn't reset to NULL.\nSo, it uses a freed page, which causes kernel panic.\n\nBUG: unable to handle page fault for address: ffff8881576c110c\nPGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060\nOops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\nCPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\nCode: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8\nRSP: 0018:ffff888104e6fa28 EFLAGS: 00010283\nRAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002\nRDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e\nRBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8\nR13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100\nFS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __die+0x20/0x70\n? page_fault_oops+0x254/0x790\n? __pfx_page_fault_oops+0x10/0x10\n? __pfx_is_prefetch.constprop.0+0x10/0x10\n? search_bpf_extables+0x165/0x260\n? fixup_exception+0x4a/0x970\n? exc_page_fault+0xcb/0xe0\n? asm_exc_page_fault+0x22/0x30\n? 0xffffffffc0051f64\n? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\n? do_raw_spin_unlock+0x54/0x220\nionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? 
ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n__napi_poll.constprop.0+0xa0/0x440\nnet_rx_action+0x7e7/0xc30\n? __pfx_net_rx_action+0x10/0x10", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:45.915Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21", }, { url: "https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363", }, ], title: "ionic: fix kernel panic in XDP_TX action", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40907", datePublished: "2024-07-12T12:20:47.151Z", dateReserved: "2024-07-12T12:17:45.580Z", dateUpdated: "2024-12-19T09:07:45.915Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-41006
Vulnerability from cvelistv5
Published
2024-07-12 12:44
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix a memory leak in nr_heartbeat_expiry()
syzbot reported a memory leak in nr_create() [0].
Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.
But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."
nr_connect
  nr_establish_data_link
    nr_start_heartbeat

nr_release
  switch (nr->state)
  case NR_STATE_3
    nr->state = NR_STATE_2
    sock_set_flag(sk, SOCK_DESTROY);

                        nr_rx_frame
                          nr_process_rx_frame
                            switch (nr->state)
                            case NR_STATE_2
                              nr_state2_machine()
                                nr_disconnect()
                                  nr_sk(sk)->state = NR_STATE_0
                                  sock_set_flag(sk, SOCK_DEAD)

                        nr_heartbeat_expiry
                          switch (nr->state)
                          case NR_STATE_0
                            if (sock_flag(sk, SOCK_DESTROY) ||
                                (sk->sk_state == TCP_LISTEN
                                 && sock_flag(sk, SOCK_DEAD)))
                              sock_hold() // ( !!! )
                              nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.
[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: a31caf5779ace8fa98b0d454133808e082ee7a1b, Version: fe9b9e621cebe6b7e83f7e954c70f8bb430520e5, Version: 7de16d75b20ab13b75a7291f449a1b00090edfea, Version: d2d3ab1b1de3302de2c85769121fd4f890e47ceb, Version: 51e394c6f81adbfe7c34d15f58b3d4d44f144acf, Version: 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9, Version: 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9, Version: 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.157Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-41006", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:00:58.734577Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:18.546Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netrom/nr_timer.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d616876256b38ecf9a1a1c7d674192c5346bc69c", status: "affected", version: "a31caf5779ace8fa98b0d454133808e082ee7a1b", versionType: "git", }, { lessThan: "e07a9c2a850cdebf625e7a1b8171bd23a8554313", status: 
"affected", version: "fe9b9e621cebe6b7e83f7e954c70f8bb430520e5", versionType: "git", }, { lessThan: "5391f9db2cab5ef1cb411be1ab7dbec728078fba", status: "affected", version: "7de16d75b20ab13b75a7291f449a1b00090edfea", versionType: "git", }, { lessThan: "280cf1173726a7059b628c610c71050d5c0b6937", status: "affected", version: "d2d3ab1b1de3302de2c85769121fd4f890e47ceb", versionType: "git", }, { lessThan: "a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", status: "affected", version: "51e394c6f81adbfe7c34d15f58b3d4d44f144acf", versionType: "git", }, { lessThan: "b6ebe4fed73eedeb73f4540f8edc4871945474c8", status: "affected", version: "409db27e3a2eb5e8ef7226ca33be33361b3ed1c9", versionType: "git", }, { lessThan: "d377f5a28332954b19e373d36823e59830ab1712", status: "affected", version: "409db27e3a2eb5e8ef7226ca33be33361b3ed1c9", versionType: "git", }, { lessThan: "0b9130247f3b6a1122478471ff0e014ea96bb735", status: "affected", version: "409db27e3a2eb5e8ef7226ca33be33361b3ed1c9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/netrom/nr_timer.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { 
lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n nr_establish_data_link\n nr_start_heartbeat\n\nnr_release\n switch (nr->state)\n case NR_STATE_3\n nr->state = NR_STATE_2\n sock_set_flag(sk, SOCK_DESTROY);\n\n nr_rx_frame\n nr_process_rx_frame\n switch (nr->state)\n case NR_STATE_2\n nr_state2_machine()\n nr_disconnect()\n nr_sk(sk)->state = NR_STATE_0\n sock_set_flag(sk, SOCK_DEAD)\n\n nr_heartbeat_expiry\n switch (nr->state)\n case NR_STATE_0\n if (sock_flag(sk, SOCK_DESTROY) ||\n (sk->sk_state == TCP_LISTEN\n && sock_flag(sk, SOCK_DEAD)))\n sock_hold() // ( !!! 
)\n nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:54.799Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", }, { url: "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313", }, { url: "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", }, { url: "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", }, { url: "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", }, { url: "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", }, { url: "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", }, { url: "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", }, ], title: "netrom: Fix a memory leak in nr_heartbeat_expiry()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-41006", datePublished: "2024-07-12T12:44:41.176Z", dateReserved: "2024-07-12T12:17:45.610Z", dateUpdated: "2024-12-19T09:09:54.799Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40947
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Avoid blocking in RCU read-side critical section
A panic happens in ima_match_policy:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS: 00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ima_get_action+0x22/0x30
process_measurement+0xb0/0x830
? page_add_file_rmap+0x15/0x170
? alloc_set_pte+0x269/0x4c0
? prep_new_page+0x81/0x140
? simple_xattr_get+0x75/0xa0
? selinux_file_open+0x9d/0xf0
ima_file_check+0x64/0x90
path_openat+0x571/0x1720
do_filp_open+0x9b/0x110
? page_counter_try_charge+0x57/0xc0
? files_cgroup_alloc_fd+0x38/0x60
? __alloc_fd+0xd4/0x250
? do_sys_open+0x1bd/0x250
do_sys_open+0x1bd/0x250
do_syscall_64+0x5d/0x1d0
entry_SYSCALL_64_after_hwframe+0x65/0xca
Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced a call to ima_lsm_copy_rule within an
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.
Sleeping within an RCU read-side critical section might cause
synchronize_rcu() to return early and break RCU protection, allowing a
UAF to happen.
The root cause of this issue could be described as follows:
| Thread A              | Thread B               |
|                       | ima_match_policy       |
|                       |  rcu_read_lock         |
| ima_lsm_update_rule   |                        |
|  synchronize_rcu      |                        |
|                       |  kmalloc(GFP_KERNEL)   |
|                       |  sleep                 |
==> synchronize_rcu returns early
|  kfree(entry)         |                        |
|                       |  entry = entry->next   |
==> UAF happens and entry now becomes NULL (or could be anything).
|                       |  entry->action         |
==> Accessing entry might cause panic.
To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c4b035b1f036ddd53fbfced49046e586c5ad8a3e, Version: 2d4bc60693c4206c64723e94ae5f7a04c0b8f18f, Version: 8008f1691c15f353f5a53dc5d450b8262cb57421, Version: c7423dbdbc9ecef7fff5239d144cad4b9887f4de, Version: c7423dbdbc9ecef7fff5239d144cad4b9887f4de, Version: c7423dbdbc9ecef7fff5239d144cad4b9887f4de
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.943Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a6176a802c4bfb83bf7524591aa75f44a639a853", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a38e02265c681b51997a264aaf743095e2ee400a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9c3906c3738562b1fedc6f1cfc81756a7cfefff0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/58275455893066149e9f4df2223ab2fdbdc59f9c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9a95c5bfbf02a0a7f5983280fe284a0ff0836c34", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40947", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:11.306292Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:25.214Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/lsm_hook_defs.h", "include/linux/security.h", "kernel/auditfilter.c", "security/apparmor/audit.c", "security/apparmor/include/audit.h", "security/integrity/ima/ima.h", "security/integrity/ima/ima_policy.c", "security/security.c", "security/selinux/include/audit.h", "security/selinux/ss/services.c", "security/smack/smack_lsm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a6176a802c4bfb83bf7524591aa75f44a639a853", status: "affected", version: "c4b035b1f036ddd53fbfced49046e586c5ad8a3e", 
versionType: "git", }, { lessThan: "a38e02265c681b51997a264aaf743095e2ee400a", status: "affected", version: "2d4bc60693c4206c64723e94ae5f7a04c0b8f18f", versionType: "git", }, { lessThan: "9c3906c3738562b1fedc6f1cfc81756a7cfefff0", status: "affected", version: "8008f1691c15f353f5a53dc5d450b8262cb57421", versionType: "git", }, { lessThan: "28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88", status: "affected", version: "c7423dbdbc9ecef7fff5239d144cad4b9887f4de", versionType: "git", }, { lessThan: "58275455893066149e9f4df2223ab2fdbdc59f9c", status: "affected", version: "c7423dbdbc9ecef7fff5239d144cad4b9887f4de", versionType: "git", }, { lessThan: "9a95c5bfbf02a0a7f5983280fe284a0ff0836c34", status: "affected", version: "c7423dbdbc9ecef7fff5239d144cad4b9887f4de", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/lsm_hook_defs.h", "include/linux/security.h", "kernel/auditfilter.c", "security/apparmor/audit.c", "security/apparmor/include/audit.h", "security/integrity/ima/ima.h", "security/integrity/ima/ima_policy.c", "security/security.c", "security/selinux/include/audit.h", "security/selinux/ss/services.c", "security/smack/smack_lsm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.222", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.163", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.98", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.39", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: 
"original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Avoid blocking in RCU read-side critical section\n\nA panic happens in ima_match_policy:\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\nPGD 42f873067 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 5 PID: 1286325 Comm: kubeletmonit.sh\nKdump: loaded Tainted: P\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n BIOS 0.0.0 02/06/2015\nRIP: 0010:ima_match_policy+0x84/0x450\nCode: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39\n 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d\n f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea\n 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f\nRSP: 0018:ff71570009e07a80 EFLAGS: 00010207\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200\nRDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000\nRBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739\nR10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970\nR13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001\nFS: 00007f5195b51740(0000)\nGS:ff3e278b12d40000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ima_get_action+0x22/0x30\n process_measurement+0xb0/0x830\n ? page_add_file_rmap+0x15/0x170\n ? alloc_set_pte+0x269/0x4c0\n ? prep_new_page+0x81/0x140\n ? simple_xattr_get+0x75/0xa0\n ? selinux_file_open+0x9d/0xf0\n ima_file_check+0x64/0x90\n path_openat+0x571/0x1720\n do_filp_open+0x9b/0x110\n ? page_counter_try_charge+0x57/0xc0\n ? files_cgroup_alloc_fd+0x38/0x60\n ? __alloc_fd+0xd4/0x250\n ? 
do_sys_open+0x1bd/0x250\n do_sys_open+0x1bd/0x250\n do_syscall_64+0x5d/0x1d0\n entry_SYSCALL_64_after_hwframe+0x65/0xca\n\nCommit c7423dbdbc9e (\"ima: Handle -ESTALE returned by\nima_filter_rule_match()\") introduced call to ima_lsm_copy_rule within a\nRCU read-side critical section which contains kmalloc with GFP_KERNEL.\nThis implies a possible sleep and violates limitations of RCU read-side\ncritical sections on non-PREEMPT systems.\n\nSleeping within RCU read-side critical section might cause\nsynchronize_rcu() returning early and break RCU protection, allowing a\nUAF to happen.\n\nThe root cause of this issue could be described as follows:\n|\tThread A\t|\tThread B\t|\n|\t\t\t|ima_match_policy\t|\n|\t\t\t| rcu_read_lock\t|\n|ima_lsm_update_rule\t|\t\t\t|\n| synchronize_rcu\t|\t\t\t|\n|\t\t\t| kmalloc(GFP_KERNEL)|\n|\t\t\t| sleep\t\t|\n==> synchronize_rcu returns early\n| kfree(entry)\t\t|\t\t\t|\n|\t\t\t| entry = entry->next|\n==> UAF happens and entry now becomes NULL (or could be anything).\n|\t\t\t| entry->action\t|\n==> Accessing entry might cause panic.\n\nTo fix this issue, we are converting all kmalloc that is called within\nRCU read-side critical section to use GFP_ATOMIC.\n\n[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:43.328Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a6176a802c4bfb83bf7524591aa75f44a639a853", }, { url: "https://git.kernel.org/stable/c/a38e02265c681b51997a264aaf743095e2ee400a", }, { url: "https://git.kernel.org/stable/c/9c3906c3738562b1fedc6f1cfc81756a7cfefff0", }, { url: "https://git.kernel.org/stable/c/28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88", }, { url: "https://git.kernel.org/stable/c/58275455893066149e9f4df2223ab2fdbdc59f9c", }, { url: "https://git.kernel.org/stable/c/9a95c5bfbf02a0a7f5983280fe284a0ff0836c34", }, ], title: "ima: Avoid blocking in RCU read-side 
critical section", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40947", datePublished: "2024-07-12T12:31:52.810Z", dateReserved: "2024-07-12T12:17:45.589Z", dateUpdated: "2024-12-19T09:08:43.328Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-41003
Vulnerability from cvelistv5
Published
2024-07-12 12:44
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix reg_set_min_max corruption of fake_reg
Juan reported that after doing some changes to buzzer [0] and implementing
a new fuzzing strategy guided by coverage, they noticed the following in
one of the probes:
[...]
13: (79) r6 = *(u64 *)(r0 +0) ; R0=map_value(ks=4,vs=8) R6_w=scalar()
14: (b7) r0 = 0 ; R0_w=0
15: (b4) w0 = -1 ; R0_w=0xffffffff
16: (74) w0 >>= 1 ; R0_w=0x7fffffff
17: (5c) w6 &= w0 ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff))
18: (44) w6 |= 2 ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd))
19: (56) if w6 != 0x7ffffffd goto pc+1
REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0)
19: R6_w=0x7fffffff
20: (95) exit
from 19 to 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
21: (14) w6 -= 2147483632 ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=14,var_off=(0x2; 0xfffffffd))
22: (76) if w6 s>= 0xe goto pc+1 ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=13,var_off=(0x2; 0xfffffffd))
23: (95) exit
from 22 to 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
24: (14) w6 -= 14 ; R6_w=0
[...]

What can be seen here is a register invariant violation on line 19. After
the binary-or in line 18, the verifier knows that bit 2 is set but knows
nothing about the rest of the content which was loaded from a map value,
meaning, range is [2,0x7fffffff] with var_off=(0x2; 0x7ffffffd). When in
line 19 the verifier analyzes the branch, it splits the register states
in reg_set_min_max() into the registers of the true branch (true_reg1,
true_reg2) and the registers of the false branch (false_reg1, false_reg2).

Since the test is w6 != 0x7ffffffd, the src_reg is a known constant.
Internally, the verifier creates a "fake" register initialized as scalar
to the value of 0x7ffffffd, and then passes it onto reg_set_min_max(). Now,
for line 19, it is mathematically impossible to take the false branch of
this program, yet the verifier analyzes it. It is impossible because the
second bit of r6 will be set due to the prior or operation and the
constant in the condition has that bit unset (hex(fd) == binary(1111 1101).

When the verifier first analyzes the false / fall-through branch, it will
compute an intersection between the var_off of r6 and of the constant. This
is because the verifier creates a "fake" register initialized to the value
of the constant. The intersection result later refines both registers in
regs_refine_cond_op():

    [...]
    t = tnum_intersect(tnum_subreg(reg1->var_off), tnum_subreg(reg2->var_off));
    reg1->var_o
---truncated---
cve-2024-40955
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()

We can trigger a slab-out-of-bounds with the following commands:

    mkfs.ext4 -F /dev/$disk 10G
    mount /dev/$disk /tmp/test
    echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc
    echo test > /tmp/test/file && sync

==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11
CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521
Call Trace:
 dump_stack_lvl+0x2c/0x50
 kasan_report+0xb6/0xf0
 ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
 ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]
 ext4_mb_new_blocks+0x88a/0x1370 [ext4]
 ext4_ext_map_blocks+0x14f7/0x2390 [ext4]
 ext4_map_blocks+0x569/0xea0 [ext4]
 ext4_do_writepages+0x10f6/0x1bc0 [ext4]
[...]
==================================================================

The flow of issue triggering is as follows:

// Set s_mb_group_prealloc to 2147483647 via sysfs
ext4_mb_new_blocks
  ext4_mb_normalize_request
    ext4_mb_normalize_group_request
      ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc
  ext4_mb_regular_allocator
    ext4_mb_choose_next_group
      ext4_mb_choose_next_group_best_avail
        mb_avg_fragment_size_order
          order = fls(len) - 2 = 29
        ext4_mb_find_good_group_avg_frag_lists
          frag_list = &sbi->s_mb_avg_fragment_size[order]
          if (list_empty(frag_list)) // Trigger SOOB!

At 4k block size, the length of the s_mb_avg_fragment_size list is 14,
but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds
to be triggered by an attempt to access an element at index 29.

Add a new attr_id attr_clusters_in_group with values in the range
[0, sbi->s_clusters_per_group] and declare mb_group_prealloc as
that type to fix the issue. In addition avoid returning an order
from mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)
and reduce some useless loops.
cve-2024-40984
Vulnerability from cvelistv5
Published
2024-07-12 12:33
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."

Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid
"Info: mapping multiple BARs. Your kernel is fine.""). The initial
purpose of this commit was to stop memory mappings for operation
regions from overlapping page boundaries, as it can trigger warnings
if different page attributes are present.

However, it was found that when this situation arises, mapping
continues until the boundary's end, but there is still an attempt to
read/write the entire length of the map, leading to a NULL pointer
dereference. For example, if a four-byte mapping request is made but
only one byte is mapped because it hits the current page boundary's
end, a four-byte read/write attempt is still made, resulting in a NULL
pointer dereference.

Instead, map the entire length, as the ACPI specification does not
mandate that it must be within the same page boundary. It is
permissible for it to be mapped across different regions.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: d410ee5109a1633a686a5663c6743a92e1181f9b
cve-2024-40919
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

In case the token is released due to token->state == BNXT_HWRM_DEFERRED,
the released token (set to NULL) is used in log messages. This issue is
expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But
this error code is returned by recent firmware. So some firmware may not
return it. This may lead to NULL pointer dereference.
Adjust this issue by adding token pointer check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
cve-2024-40941
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

In case the firmware sends a notification that claims it has more data
than it has, we will read past what was allocated for the notification.
Remove the print of the buffer, we won't see it by default. If needed,
we can see the content with tracing.

This was reported by KFENCE.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: bdccdb854f2fb473f2ac4a6108df3cbfcedd5a87
cve-2024-40936
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/region: Fix memregion leaks in devm_cxl_add_region()
Move the mode verification to __create_region() before allocating the
memregion to avoid the memregion leaks.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.888Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d8316838aa0686da63a8be4194b7a17b0103ae4a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/bbb5d8746381c82f7e0fb6171094d375b492f266", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/49ba7b515c4c0719b866d16f068e62d16a8a3dd1", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40936", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:43.140500Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:02.302Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/cxl/core/region.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d8316838aa0686da63a8be4194b7a17b0103ae4a", status: "affected", version: "6e099264185d05f50400ea494f5029264a4fe995", versionType: "git", }, { lessThan: "bbb5d8746381c82f7e0fb6171094d375b492f266", status: "affected", version: "6e099264185d05f50400ea494f5029264a4fe995", versionType: "git", }, { lessThan: "49ba7b515c4c0719b866d16f068e62d16a8a3dd1", status: "affected", version: "6e099264185d05f50400ea494f5029264a4fe995", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/cxl/core/region.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.3", }, { lessThan: "6.3", status: "unaffected", version: "0", versionType: "semver", }, { 
lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix memregion leaks in devm_cxl_add_region()\n\nMove the mode verification to __create_region() before allocating the\nmemregion to avoid the memregion leaks.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:31.480Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d8316838aa0686da63a8be4194b7a17b0103ae4a", }, { url: "https://git.kernel.org/stable/c/bbb5d8746381c82f7e0fb6171094d375b492f266", }, { url: "https://git.kernel.org/stable/c/49ba7b515c4c0719b866d16f068e62d16a8a3dd1", }, ], title: "cxl/region: Fix memregion leaks in devm_cxl_add_region()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40936", datePublished: "2024-07-12T12:25:13.155Z", dateReserved: "2024-07-12T12:17:45.584Z", dateUpdated: "2024-12-19T09:08:31.480Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39510
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()
We got the following issue in a fuzz test of randomly issuing the restore
command:
==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60
Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963
CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564
Call Trace:
kasan_report+0x93/0xc0
cachefiles_ondemand_daemon_read+0xb41/0xb60
vfs_read+0x169/0xb50
ksys_read+0xf5/0x1e0
Allocated by task 116:
kmem_cache_alloc+0x140/0x3a0
cachefiles_lookup_cookie+0x140/0xcd0
fscache_cookie_state_machine+0x43c/0x1230
[...]
Freed by task 792:
kmem_cache_free+0xfe/0x390
cachefiles_put_object+0x241/0x480
fscache_cookie_state_machine+0x5c8/0x1230
[...]
==================================================================
Following is the process that triggers the issue:
mount | daemon_thread1 | daemon_thread2
------------------------------------------------------------
cachefiles_withdraw_cookie
cachefiles_ondemand_clean_object(object)
cachefiles_ondemand_send_req
REQ_A = kzalloc(sizeof(*req) + data_len)
wait_for_completion(&REQ_A->done)
cachefiles_daemon_read
cachefiles_ondemand_daemon_read
REQ_A = cachefiles_ondemand_select_req
msg->object_id = req->object->ondemand->ondemand_id
------ restore ------
cachefiles_ondemand_restore
xas_for_each(&xas, req, ULONG_MAX)
xas_set_mark(&xas, CACHEFILES_REQ_NEW)
cachefiles_daemon_read
cachefiles_ondemand_daemon_read
REQ_A = cachefiles_ondemand_select_req
copy_to_user(_buffer, msg, n)
xa_erase(&cache->reqs, id)
complete(&REQ_A->done)
------ close(fd) ------
cachefiles_ondemand_fd_release
cachefiles_put_object
cachefiles_put_object
kmem_cache_free(cachefiles_object_jar, object)
REQ_A->object->ondemand->ondemand_id
// object UAF !!!
When we see the request within xa_lock, req->object must not have been
freed yet, so grab the reference count of object before xa_unlock to
avoid the above issue.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.474Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39510", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:40.868593Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:38.916Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/cachefiles/ondemand.c", "include/trace/events/cachefiles.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cb55625f8eb9d2de8be4da0c4580d48cbb32058e", status: "affected", version: "f17443d52d805c9a7fab5e67a4e8b973626fe1cd", versionType: "git", }, { lessThan: "3958679c49152391209b32be3357193300a51abd", status: "affected", version: "f740fd943bb1fbf79b7eaba3c71eb7536f437f51", versionType: "git", }, { lessThan: "93064676a2820420a2d37d7c8289f277fe20793d", status: "affected", version: "0a7e54c1959c0feb2de23397ec09c7692364313e", versionType: "git", }, { lessThan: "da4a827416066191aafeeccee50a8836a826ba10", status: "affected", version: "0a7e54c1959c0feb2de23397ec09c7692364313e", versionType: "git", }, ], }, { defaultStatus: 
"affected", product: "Linux", programFiles: [ "fs/cachefiles/ondemand.c", "include/trace/events/cachefiles.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\n\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\nCall Trace:\n kasan_report+0x93/0xc0\n cachefiles_ondemand_daemon_read+0xb41/0xb60\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 116:\n kmem_cache_alloc+0x140/0x3a0\n cachefiles_lookup_cookie+0x140/0xcd0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 792:\n kmem_cache_free+0xfe/0x390\n cachefiles_put_object+0x241/0x480\n fscache_cookie_state_machine+0x5c8/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\ncachefiles_withdraw_cookie\n cachefiles_ondemand_clean_object(object)\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n 
REQ_A = cachefiles_ondemand_select_req\n msg->object_id = req->object->ondemand->ondemand_id\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n copy_to_user(_buffer, msg, n)\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n ------ close(fd) ------\n cachefiles_ondemand_fd_release\n cachefiles_put_object\n cachefiles_put_object\n kmem_cache_free(cachefiles_object_jar, object)\n REQ_A->object->ondemand->ondemand_id\n // object UAF !!!\n\nWhen we see the request within xa_lock, req->object must not have been\nfreed yet, so grab the reference count of object before xa_unlock to\navoid the above issue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:35.408Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e", }, { url: "https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd", }, { url: "https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d", }, { url: "https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10", }, ], title: "cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39510", datePublished: "2024-07-12T12:20:40.901Z", dateReserved: "2024-06-25T14:23:23.753Z", dateUpdated: "2024-12-19T09:07:35.408Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-41007
Vulnerability from cvelistv5
Published
2024-07-15 08:48
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: avoid too many retransmit packets
If a TCP socket is using TCP_USER_TIMEOUT, and the other peer
retracted its window to zero, tcp_retransmit_timer() can
retransmit a packet every two jiffies (2 ms for HZ=1000),
for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.
The fix is to make sure tcp_rtx_probe0_timed_out() takes
icsk->icsk_user_timeout into account.
Before the blamed commit, the socket would not time out after
icsk->icsk_user_timeout, but would use standard exponential
backoff for the retransmits.
Also worth noting that before commit e89688e3e978 ("net: tcp:
fix unexcepted socket die when snd_wnd is 0"), the issue
would last 2 minutes instead of 4.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | b701a99e431db784714c32fc6b68123045714679
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.161Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-41007", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:00:52.460807Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:18.296Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv4/tcp_timer.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4", status: "affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, { lessThan: "d2346fca5bed130dc712f276ac63450201d52969", status: 
"affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, { lessThan: "5d7e64d70a11d988553a08239c810a658e841982", status: "affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, { lessThan: "04317a2471c2f637b4c49cbd0e9c0d04a519f570", status: "affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, { lessThan: "e113cddefa27bbf5a79f72387b8fbd432a61a466", status: "affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, { lessThan: "dfcdd7f89e401d2c6616be90c76c2fac3fa98fde", status: "affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, { lessThan: "66cb64a1d2239cd0309f9b5038b05462570a5be1", status: "affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, { lessThan: "97a9063518f198ec0adb2ecb89789de342bb8283", status: "affected", version: "b701a99e431db784714c32fc6b68123045714679", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv4/tcp_timer.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.19", }, { lessThan: "4.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.318", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.280", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.222", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.163", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.100", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.41", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.10", versionType: "semver", }, 
{ lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: avoid too many retransmit packets\n\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\n\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk->icsk_user_timeout into account.\n\nBefore blamed commit, the socket would not timeout after\nicsk->icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\n\nAlso worth noting that before commit e89688e3e978 (\"net: tcp:\nfix unexcepted socket die when snd_wnd is 0\"), the issue\nwould last 2 minutes instead of 4.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:56.186Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4", }, { url: "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969", }, { url: "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982", }, { url: "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570", }, { url: "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466", }, { url: "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde", }, { url: "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1", }, { url: "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283", }, ], title: "tcp: avoid too many retransmit packets", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-41007", datePublished: 
"2024-07-15T08:48:10.174Z", dateReserved: "2024-07-12T12:17:45.610Z", dateUpdated: "2024-12-19T09:09:56.186Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40989
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Disassociate vcpus from redistributor region on teardown
When tearing down a redistributor region, make sure we don't have
any dangling pointer to that region stored in a vcpu.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.897Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40989", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:54.595799Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:20.480Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/arm64/kvm/vgic/vgic-init.c", "arch/arm64/kvm/vgic/vgic-mmio-v3.c", "arch/arm64/kvm/vgic/vgic.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "68df4fc449fcc24347209e500ce26d5816705a77", status: "affected", version: "e5a35635464bc5304674b84ea42615a3fd0bd949", versionType: "git", }, { lessThan: "48bb62859d47c5c4197a8c01128d0fa4f46ee58c", status: "affected", version: "e5a35635464bc5304674b84ea42615a3fd0bd949", versionType: "git", }, { lessThan: "152b4123f21e6aff31cea01158176ad96a999c76", status: "affected", version: "e5a35635464bc5304674b84ea42615a3fd0bd949", versionType: "git", }, { lessThan: "0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8", status: "affected", version: "e5a35635464bc5304674b84ea42615a3fd0bd949", versionType: 
"git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/arm64/kvm/vgic/vgic-init.c", "arch/arm64/kvm/vgic/vgic-mmio-v3.c", "arch/arm64/kvm/vgic/vgic.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.13", }, { lessThan: "5.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:33.924Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77", }, { url: "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c", }, { url: "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76", }, { url: "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8", }, ], title: "KVM: arm64: Disassociate vcpus from redistributor region on teardown", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40989", datePublished: "2024-07-12T12:37:33.823Z", dateReserved: "2024-07-12T12:17:45.605Z", dateUpdated: "2024-12-19T09:09:33.924Z", 
state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40988
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: fix UBSAN warning in kv_dpm.c
Adds bounds check for sumo_vid_mapping_entry.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.064Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40988", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:57.675980Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:20.590Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/radeon/sumo_dpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "07e8f15fa16695cf4c90e89854e59af4a760055b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a8c6df9fe5bc390645d1e96eff14ffe414951aad", 
status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "febe794b83693257f21a23d2e03ea695a62449c8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cf1cc8fcfe517e108794fb711f7faabfca0dc855", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f803532bc3825384100dfc58873e035d77248447", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9e57611182a817824a17b1c3dd300ee74a174b42", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "468a50fd46a09bba7ba18a11054ae64b6479ecdc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a498df5421fd737d11bfd152428ba6b1c8538321", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/radeon/sumo_dpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, 
], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:32.566Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b", }, { url: "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad", }, { url: "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8", }, { url: "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855", }, { url: "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447", }, { url: "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42", }, { url: "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc", }, { url: "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321", }, ], title: "drm/radeon: fix UBSAN warning in kv_dpm.c", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40988", datePublished: "2024-07-12T12:37:33.133Z", dateReserved: "2024-07-12T12:17:45.605Z", dateUpdated: "2024-12-19T09:09:32.566Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40915
Vulnerability from cvelistv5
Published
2024-07-12 12:24
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:

riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context

__kernel_map_pages() is a debug function which clears the valid bit in page
table entry for deallocated pages to detect illegal memory accesses to
freed pages.

This function sets/clears the valid bit using __set_memory(). __set_memory()
acquires init_mm's semaphore, and this operation may sleep. This is
problematic, because __kernel_map_pages() can be called in atomic context,
and thus is illegal to sleep. An example warning that this causes:

```
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd
preempt_count: 2, expected: 0
CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff800060dc>] dump_backtrace+0x1c/0x24
[<ffffffff8091ef6e>] show_stack+0x2c/0x38
[<ffffffff8092baf8>] dump_stack_lvl+0x5a/0x72
[<ffffffff8092bb24>] dump_stack+0x14/0x1c
[<ffffffff8003b7ac>] __might_resched+0x104/0x10e
[<ffffffff8003b7f4>] __might_sleep+0x3e/0x62
[<ffffffff8093276a>] down_write+0x20/0x72
[<ffffffff8000cf00>] __set_memory+0x82/0x2fa
[<ffffffff8000d324>] __kernel_map_pages+0x5a/0xd4
[<ffffffff80196cca>] __alloc_pages_bulk+0x3b2/0x43a
[<ffffffff8018ee82>] __vmalloc_node_range+0x196/0x6ba
[<ffffffff80011904>] copy_process+0x72c/0x17ec
[<ffffffff80012ab4>] kernel_clone+0x60/0x2fe
[<ffffffff80012f62>] kernel_thread+0x82/0xa0
[<ffffffff8003552c>] kthreadd+0x14a/0x1be
[<ffffffff809357de>] ret_from_fork+0xe/0x1c
```

Rewrite this function with apply_to_existing_page_range(). It is fine to
not have any locking, because __kernel_map_pages() works with pages being
allocated/deallocated and those pages are not changed by anyone else in the
meantime.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.508Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40915", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:49.659920Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:39.270Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/riscv/mm/pageattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "919f8626099d9909b9a9620b05e8c8ab06581876", status: "affected", version: "5fde3db5eb028b95aeefa1ab192d36800414e8b8", versionType: "git", }, { lessThan: "8661a7af04991201640863ad1a0983173f84b5eb", status: "affected", version: "5fde3db5eb028b95aeefa1ab192d36800414e8b8", versionType: "git", }, { lessThan: "d5257ceb19d92069195254866421f425aea42915", status: "affected", version: "5fde3db5eb028b95aeefa1ab192d36800414e8b8", versionType: "git", }, { lessThan: "fb1cf0878328fe75d47f0aed0a65b30126fcefc4", status: "affected", version: "5fde3db5eb028b95aeefa1ab192d36800414e8b8", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"arch/riscv/mm/pageattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.7", }, { lessThan: "5.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. 
An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[<ffffffff800060dc>] dump_backtrace+0x1c/0x24\n[<ffffffff8091ef6e>] show_stack+0x2c/0x38\n[<ffffffff8092baf8>] dump_stack_lvl+0x5a/0x72\n[<ffffffff8092bb24>] dump_stack+0x14/0x1c\n[<ffffffff8003b7ac>] __might_resched+0x104/0x10e\n[<ffffffff8003b7f4>] __might_sleep+0x3e/0x62\n[<ffffffff8093276a>] down_write+0x20/0x72\n[<ffffffff8000cf00>] __set_memory+0x82/0x2fa\n[<ffffffff8000d324>] __kernel_map_pages+0x5a/0xd4\n[<ffffffff80196cca>] __alloc_pages_bulk+0x3b2/0x43a\n[<ffffffff8018ee82>] __vmalloc_node_range+0x196/0x6ba\n[<ffffffff80011904>] copy_process+0x72c/0x17ec\n[<ffffffff80012ab4>] kernel_clone+0x60/0x2fe\n[<ffffffff80012f62>] kernel_thread+0x82/0xa0\n[<ffffffff8003552c>] kthreadd+0x14a/0x1be\n[<ffffffff809357de>] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). 
It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:56.583Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876", }, { url: "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb", }, { url: "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915", }, { url: "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4", }, ], title: "riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40915", datePublished: "2024-07-12T12:24:58.770Z", dateReserved: "2024-07-12T12:17:45.581Z", dateUpdated: "2024-12-19T09:07:56.583Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40943
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix races between hole punching and AIO+DIO

After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block",
fstests/generic/300 went from always failing to sometimes failing:

```
========================================================================
[ 473.293420 ] run fstests generic/300

[ 475.296983 ] JBD2: Ignoring recovery information on journal
[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.
[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found
[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
[ 494.292018 ] OCFS2: File system is now read-only.
[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30
[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3
fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072
=========================================================================
```

In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten
extents to a list. Extents are also inserted into the extent tree in
ocfs2_write_begin_nolock. Then another thread calls fallocate to punch a
hole at one of the unwritten extents. The extent at cpos was removed by
ocfs2_remove_extent(). At the end io worker thread, ocfs2_search_extent_list
found there is no such extent at the cpos.

```
    T1                        T2                T3
                              inode lock
                                ...
                                insert extents
                                ...
                              inode unlock
ocfs2_fallocate
 __ocfs2_change_file_space
  inode lock
  lock ip_alloc_sem
  ocfs2_remove_inode_range inode
   ocfs2_remove_btree_range
    ocfs2_remove_extent
    ^---remove the extent at cpos 78723
  ...
  unlock ip_alloc_sem
  inode unlock
                                       ocfs2_dio_end_io
                                        ocfs2_dio_end_io_write
                                         lock ip_alloc_sem
                                         ocfs2_mark_extent_written
                                          ocfs2_change_extent_flag
                                           ocfs2_search_extent_list
                                           ^---failed to find extent
                                          ...
                                          unlock ip_alloc_sem
```

In most filesystems, fallocate is not compatible with racing with AIO+DIO,
so fix it by waiting for all dio before fallocate/punch_hole, like
ext4.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: b25801038da5823bba1b5440a57ca68afc51b6bd
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.471Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40943", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:20.780555Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:25.580Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9", status: "affected", version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, { lessThan: "e8e2db1adac47970a6a9225f3858e9aa0e86287f", status: "affected", 
version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, { lessThan: "050ce8af6838c71e872e982b50d3f1bec21da40e", status: "affected", version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, { lessThan: "38825ff9da91d2854dcf6d9ac320a7e641e10f25", status: "affected", version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, { lessThan: "ea042dc2bea19d72e37c298bf65a9c341ef3fff3", status: "affected", version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, { lessThan: "3c361f313d696df72f9bccf058510e9ec737b9b1", status: "affected", version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, { lessThan: "117b9c009b72a6c2ebfd23484354dfee2d9570d2", status: "affected", version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, { lessThan: "952b023f06a24b2ad6ba67304c4c84d45bea2f18", status: "affected", version: "b25801038da5823bba1b5440a57ca68afc51b6bd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.23", }, { lessThan: "2.6.23", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { 
lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix races between hole punching and AIO+DIO\n\nAfter commit \"ocfs2: return real error code in ocfs2_dio_wr_get_block\",\nfstests/generic/300 become from always failed to sometimes failed:\n\n========================================================================\n[ 473.293420 ] run fstests generic/300\n\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[ 494.292018 ] OCFS2: File system is now read-only.\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\n\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list. extents are also inserted into extent tree in\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\nhole at one of the unwritten extent. The extent at cpos was removed by\nocfs2_remove_extent(). 
At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\n\n T1 T2 T3\n inode lock\n ...\n insert extents\n ...\n inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n inode lock\n lock ip_alloc_sem\n ocfs2_remove_inode_range inode\n ocfs2_remove_btree_range\n ocfs2_remove_extent\n ^---remove the extent at cpos 78723\n ...\n unlock ip_alloc_sem\n inode unlock\n ocfs2_dio_end_io\n ocfs2_dio_end_io_write\n lock ip_alloc_sem\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_search_extent_list\n ^---failed to find extent\n ...\n unlock ip_alloc_sem\n\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:39.819Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9", }, { url: "https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f", }, { url: "https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e", }, { url: "https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25", }, { url: "https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3", }, { url: "https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1", }, { url: "https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2", }, { url: "https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18", }, ], title: "ocfs2: fix races between hole punching and AIO+DIO", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40943", datePublished: "2024-07-12T12:25:17.813Z", dateReserved: "2024-07-12T12:17:45.588Z", dateUpdated: "2024-12-19T09:08:39.819Z", state: "PUBLISHED", }, 
dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40926
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: don't attempt to schedule hpd_work on headless cards

If the card doesn't have display hardware, hpd_work and hpd_lock are
left uninitialized which causes BUG when attempting to schedule hpd_work
on runtime PM resume.

Fix it by adding headless flag to DRM and skip any hpd if it's set.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.933Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/227349998e5740f14d531b0f0d704e66b1ed3c2f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b96a225377b6602299a03d2ce3c289b68cd41bb7", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40926", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:14.721298Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:27.878Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/nouveau/dispnv04/disp.c", "drivers/gpu/drm/nouveau/dispnv50/disp.c", "drivers/gpu/drm/nouveau/nouveau_display.c", "drivers/gpu/drm/nouveau/nouveau_drv.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "227349998e5740f14d531b0f0d704e66b1ed3c2f", status: "affected", version: "ae1aadb1eb8d3cbc52e42bee71d67bd4a71f9f07", versionType: "git", }, { lessThan: "b96a225377b6602299a03d2ce3c289b68cd41bb7", status: "affected", version: "ae1aadb1eb8d3cbc52e42bee71d67bd4a71f9f07", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/nouveau/dispnv04/disp.c", "drivers/gpu/drm/nouveau/dispnv50/disp.c", "drivers/gpu/drm/nouveau/nouveau_display.c", "drivers/gpu/drm/nouveau/nouveau_drv.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: 
"semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: don't attempt to schedule hpd_work on headless cards\n\nIf the card doesn't have display hardware, hpd_work and hpd_lock are\nleft uninitialized which causes BUG when attempting to schedule hpd_work\non runtime PM resume.\n\nFix it by adding headless flag to DRM and skip any hpd if it's set.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:19.866Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/227349998e5740f14d531b0f0d704e66b1ed3c2f", }, { url: "https://git.kernel.org/stable/c/b96a225377b6602299a03d2ce3c289b68cd41bb7", }, ], title: "drm/nouveau: don't attempt to schedule hpd_work on headless cards", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40926", datePublished: "2024-07-12T12:25:06.435Z", dateReserved: "2024-07-12T12:17:45.583Z", dateUpdated: "2024-12-19T09:08:19.866Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40980
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

drop_monitor: replace spin_lock by raw_spin_lock

trace_drop_common() is called with preemption disabled, and it acquires
a spin_lock. This is problematic for RT kernels because spin_locks are
sleeping locks in this configuration, which causes the following splat:

```
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 2
5 locks held by rcuc/47/449:
 #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210
 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130
 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210
 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70
 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290
irq event stamp: 139909
hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80
hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290
softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170
softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0
Preemption disabled at:
[<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0
CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7
Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022
Call Trace:
 <TASK>
 dump_stack_lvl+0x8c/0xd0
 dump_stack+0x14/0x20
 __might_resched+0x21e/0x2f0
 rt_spin_lock+0x5e/0x130
 ? trace_drop_common.constprop.0+0xb5/0x290
 ? skb_queue_purge_reason.part.0+0x1bf/0x230
 trace_drop_common.constprop.0+0xb5/0x290
 ? preempt_count_sub+0x1c/0xd0
 ? _raw_spin_unlock_irqrestore+0x4a/0x80
 ? __pfx_trace_drop_common.constprop.0+0x10/0x10
 ? rt_mutex_slowunlock+0x26a/0x2e0
 ? skb_queue_purge_reason.part.0+0x1bf/0x230
 ? __pfx_rt_mutex_slowunlock+0x10/0x10
 ? skb_queue_purge_reason.part.0+0x1bf/0x230
 trace_kfree_skb_hit+0x15/0x20
 trace_kfree_skb+0xe9/0x150
 kfree_skb_reason+0x7b/0x110
 skb_queue_purge_reason.part.0+0x1bf/0x230
 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10
 ? mark_lock.part.0+0x8a/0x520
...
```

trace_drop_common() also disables interrupts, but this is a minor issue
because we could easily replace it with a local_lock.

Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic
context.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.936Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40980", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:23.500077Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:21.510Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/core/drop_monitor.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "594e47957f3fe034645e6885393ce96c12286334", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "96941f29ebcc1e9cbf570dc903f30374909562f5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: 
"b3722fb69468693555f531cddda5c30444726dac", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f251ccef1d864790e5253386e95544420b7cd8f3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "76ce2f9125244e1708d29c1d3f9d1d50b347bda0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "07ea878684dfb78a9d4f564c39d07e855a9e242e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f1e197a665c2148ebc25fe09c53689e60afea195", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/core/drop_monitor.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: replace spin_lock by raw_spin_lock\n\ntrace_drop_common() is called with preemption disabled, and it acquires\na spin_lock. 
This is problematic for RT kernels because spin_locks are\nsleeping locks in this configuration, which causes the following splat:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n5 locks held by rcuc/47/449:\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\nirq event stamp: 139909\nhardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80\nhardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290\nsoftirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170\nsoftirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0\nPreemption disabled at:\n[<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\nCall Trace:\n <TASK>\n dump_stack_lvl+0x8c/0xd0\n dump_stack+0x14/0x20\n __might_resched+0x21e/0x2f0\n rt_spin_lock+0x5e/0x130\n ? trace_drop_common.constprop.0+0xb5/0x290\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_drop_common.constprop.0+0xb5/0x290\n ? preempt_count_sub+0x1c/0xd0\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\n ? rt_mutex_slowunlock+0x26a/0x2e0\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\n ? 
skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_kfree_skb_hit+0x15/0x20\n trace_kfree_skb+0xe9/0x150\n kfree_skb_reason+0x7b/0x110\n skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\n ? mark_lock.part.0+0x8a/0x520\n...\n\ntrace_drop_common() also disables interrupts, but this is a minor issue\nbecause we could easily replace it with a local_lock.\n\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\ncontext.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:22.853Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334", }, { url: "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5", }, { url: "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac", }, { url: "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3", }, { url: "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0", }, { url: "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e", }, { url: "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195", }, ], title: "drop_monitor: replace spin_lock by raw_spin_lock", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40980", datePublished: "2024-07-12T12:32:15.569Z", dateReserved: "2024-07-12T12:17:45.604Z", dateUpdated: "2024-12-19T09:09:22.853Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40974
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries: Enforce hcall result buffer validity and size

plpar_hcall(), plpar_hcall9(), and related functions expect callers to
provide valid result buffers of certain minimum size. Currently this
is communicated only through comments in the code and the compiler has
no idea.

For example, if I write a bug like this:

    long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE
    plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);

This compiles with no diagnostics emitted, but likely results in stack
corruption at runtime when plpar_hcall9() stores results past the end
of the array. (To be clear this is a contrived example and I have not
found a real instance yet.)

To make this class of error less likely, we can use explicitly-sized
array parameters instead of pointers in the declarations for the hcall
APIs. When compiled with -Warray-bounds[1], the code above now
provokes a diagnostic like this:

    error: array argument is too small;
    is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]
       60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,
          | ^                                   ~~~~~~

[1] Enabled for LLVM builds but not GCC for now. See commit
    0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and
    related changes.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.054Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40974", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:44.463070Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:22.210Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/powerpc/include/asm/hvcall.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "acf2b80c31c37acab040baa3cf5f19fbd5140b18", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "19c166ee42cf16d8b156a6cb4544122d9a65d3ca", 
status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a8c988d752b3d98d5cc1e3929c519a55ef55426c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "262e942ff5a839b9e4f3302a8987928b0c8b8a2d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8aa11aa001576bf3b00dcb8559564ad7a3113588", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3ad0034910a57aa88ed9976b1431b7b8c84e0048", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "aa6107dcc4ce9a3451f2d729204713783b657257", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ff2e185cf73df480ec69675936c4ee75a445c3e4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/powerpc/include/asm/hvcall.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, 
], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Enforce hcall result buffer validity and size\n\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\n\nFor example, if I write a bug like this:\n\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\n\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\n\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\n\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n | ^ ~~~~~~\n\n[1] Enabled for LLVM builds but not GCC for now. 
See commit\n 0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\n related changes.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:15.589Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18", }, { url: "https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca", }, { url: "https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c", }, { url: "https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d", }, { url: "https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588", }, { url: "https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048", }, { url: "https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257", }, { url: "https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4", }, ], title: "powerpc/pseries: Enforce hcall result buffer validity and size", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40974", datePublished: "2024-07-12T12:32:11.417Z", dateReserved: "2024-07-12T12:17:45.603Z", dateUpdated: "2024-12-19T09:09:15.589Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39509
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:

HID: core: remove unnecessary WARN_ON() in implement()

Syzkaller hit a warning [1] in a call to implement() when trying
to write a value into a field of smaller size in an output report.

Since implement() already has a warn message printed out with the
help of hid_warn() and value in question gets trimmed with:

    ...
    value &= m;
    ...

WARN_ON may be considered superfluous. Remove it to suppress future
syzkaller triggers.

[1]
WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]
WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
Modules linked in:
CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]
RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
...
Call Trace:
 <TASK>
 __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]
 usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636
 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 95d1c8951e5bd50bb89654a99a7012b1e75646bd
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.686Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39509", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:44.616328Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:39.031Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/hid/hid-core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "955b3764671f3f157215194972d9c01a3a4bd316", status: "affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, { lessThan: "f9db5fbeffb951cac3f0fb1c2eeffb79785399ca", status: 
"affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, { lessThan: "33f6832798dd3297317901cc1db556ac3ae80c24", status: "affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, { lessThan: "8bac61934cd563b073cd30b8cf6d5c758ab5ab26", status: "affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, { lessThan: "bfd546fc7fd76076f81bf41b85b51ceda30949fd", status: "affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, { lessThan: "30f76bc468b9b2cbbd5d3eb482661e3e4798893f", status: "affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, { lessThan: "655c6de2f215b61d0708db6b06305eee9bbfeba2", status: "affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, { lessThan: "4aa2dcfbad538adf7becd0034a3754e1bd01b2b5", status: "affected", version: "95d1c8951e5bd50bb89654a99a7012b1e75646bd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/hid/hid-core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.7", }, { lessThan: "4.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { 
lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: remove unnecessary WARN_ON() in implement()\n\nSyzkaller hit a warning [1] in a call to implement() when trying\nto write a value into a field of smaller size in an output report.\n\nSince implement() already has a warn message printed out with the\nhelp of hid_warn() and value in question gets trimmed with:\n\t...\n\tvalue &= m;\n\t...\nWARN_ON may be considered superfluous. Remove it to suppress future\nsyzkaller triggers.\n\n[1]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\nModules linked in:\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\n...\nCall Trace:\n <TASK>\n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:34.288Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316", }, { url: 
"https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca", }, { url: "https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24", }, { url: "https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26", }, { url: "https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd", }, { url: "https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f", }, { url: "https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2", }, { url: "https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5", }, ], title: "HID: core: remove unnecessary WARN_ON() in implement()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39509", datePublished: "2024-07-12T12:20:40.257Z", dateReserved: "2024-06-25T14:23:23.753Z", dateUpdated: "2024-12-19T09:07:34.288Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40901
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

There is a potential out-of-bounds access when using test_bit() on a single
word. The test_bit() and set_bit() functions operate on long values, and
when testing or setting a single word, they can exceed the word
boundary. KASAN detects this issue and produces a dump:

    BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas

    Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965

For full log, please look at [1].

Make the allocation at least the size of sizeof(unsigned long) so that
set_bit() and test_bit() have sufficient room for read/write operations
without overwriting unallocated memory.

[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | c696f7b83edeac804e898952058089143f49ca0a
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:54.924Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40901", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:31.349447Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:38.538Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/mpt3sas/mpt3sas_base.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee", status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, { lessThan: "19649e49a6df07cd2e03e0a11396fd3a99485ec2", 
status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, { lessThan: "0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16", status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, { lessThan: "521f333e644c4246ca04a4fc4772edc53dd2a801", status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, { lessThan: "46bab2bcd771e725ff5ca3a68ba68cfeac45676c", status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, { lessThan: "9079338c5a0d1f1fee34fb1c9e99b754efe414c5", status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, { lessThan: "18abb5db0aa9b2d48f7037a88b41af2eef821674", status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, { lessThan: "4254dfeda82f20844299dca6c38cbffcfd499f41", status: "affected", version: "c696f7b83edeac804e898952058089143f49ca0a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/mpt3sas/mpt3sas_base.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.10", }, { lessThan: "4.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", 
versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\n\nThere is a potential out-of-bounds access when using test_bit() on a single\nword. The test_bit() and set_bit() functions operate on long values, and\nwhen testing or setting a single word, they can exceed the word\nboundary. KASAN detects this issue and produces a dump:\n\n\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\n\n\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\n\nFor full log, please look at [1].\n\nMake the allocation at least the size of sizeof(unsigned long) so that\nset_bit() and test_bit() have sufficient room for read/write operations\nwithout overwriting unallocated memory.\n\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:38.873Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee", }, { url: "https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2", }, { url: "https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16", }, { url: "https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801", }, { url: "https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c", }, { url: "https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5", }, { url: "https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674", }, { url: 
"https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41", }, ], title: "scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40901", datePublished: "2024-07-12T12:20:42.859Z", dateReserved: "2024-07-12T12:17:45.579Z", dateUpdated: "2024-12-19T09:07:38.873Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40927
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

xhci: Handle TD clearing for multiple streams case

When multiple streams are in use, multiple TDs might be in flight when
an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for
each, to ensure everything is reset properly and the caches cleared.
Change the logic so that any N>1 TDs found active for different streams
are deferred until after the first one is processed, calling
xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to
queue another command until we are done with all of them. Also change
the error/"should never happen" paths to ensure we at least clear any
affected TDs, even if we can't issue a command to clear the hardware
cache, and complain loudly with an xhci_warn() if this ever happens.

This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct
assumptions about number of rings per endpoint.") early on in the XHCI
driver's life, when stream support was first added.
It was then identified but not fixed nor made into a warning in commit
674f8438c121 ("xhci: split handling halted endpoints into two steps"),
which added a FIXME comment for the problem case (without materially
changing the behavior as far as I can tell, though the new logic made
the problem more obvious).

Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some
cached cancelled URBs."), it was acknowledged again.

[Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached
cancelled URBs.") was a targeted regression fix to the previously mentioned
patch. Users reported issues with usb stuck after unmounting/disconnecting
UAS devices. This rolled back the TD clearing of multiple streams to its
original state.]

Apparently the commit author was aware of the problem (yet still chose
to submit it): It was still mentioned as a FIXME, an xhci_dbg() was
added to log the problem condition, and the remaining issue was mentioned
in the commit description. The choice of making the log type xhci_dbg()
for what is, at this point, a completely unhandled and known broken
condition is puzzling and unfortunate, as it guarantees that no actual
users would see the log in production, thereby making it nigh
undebuggable (indeed, even if you turn on DEBUG, the message doesn't
really hint at there being a problem at all).

It took me *months* of random xHC crashes to finally find a reliable
repro and be able to do a deep dive debug session, which could all have
been avoided had this unhandled, broken condition been actually reported
with a warning, as it should have been as a bug intentionally left in
unfixed (never mind that it shouldn't have been left in at all).

> Another fix to solve clearing the caches of all stream rings with
> cancelled TDs is needed, but not as urgent.

3 years after that statement and 14 years after the original bug was
introduced, I think it's finally time to fix it. And maybe next time
let's not leave bugs unfixed (that are actually worse than the original
bug), and let's actually get people to review kernel commits please.

Fixes xHC crashes and IOMMU faults with UAS devices when handling
errors/faults. Easiest repro is to use `hdparm` to mark an early sector
(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.
At least in the case of JMicron controllers, the read errors end up
having to cancel two TDs (for two queued requests to different streams)
and the one that didn't get cleared properly ends up faulting the xHC
entirely when it tries to access DMA pages that have since been unmapped,
referred to by the stale TDs. This normally happens quickly (after two
or three loops). After this fix, I left the `cat` in a loop running
overnight and experienced no xHC failures, with all read errors
recovered properly. Repro'd and tested on an Apple M1 Mac Mini
(dwc3 host).

On systems without an IOMMU, this bug would instead silently corrupt
freed memory, making this a
---truncated---
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | e9df17eb1408cfafa3d1844bfc7f22c7237b31b8
cve-2024-40958
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
netns: Make get_net_ns() handle zero refcount net
Syzkaller hit a warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0xa3/0xc0
? __warn+0xa5/0x1c0
? refcount_warn_saturate+0xdf/0x1d0
? report_bug+0x1fc/0x2d0
? refcount_warn_saturate+0xdf/0x1d0
? handle_bug+0xa1/0x110
? exc_invalid_op+0x3c/0xb0
? asm_exc_invalid_op+0x1f/0x30
? __warn_printk+0xcc/0x140
? __warn_printk+0xd5/0x140
? refcount_warn_saturate+0xdf/0x1d0
get_net_ns+0xa4/0xc0
? __pfx_get_net_ns+0x10/0x10
open_related_ns+0x5a/0x130
__tun_chr_ioctl+0x1616/0x2370
? __sanitizer_cov_trace_switch+0x58/0xa0
? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
? __pfx_tun_chr_ioctl+0x10/0x10
tun_chr_ioctl+0x2f/0x40
__x64_sys_ioctl+0x11b/0x160
x64_sys_call+0x1211/0x20d0
do_syscall_64+0x9e/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
This is triggered as below:
          ns0                                    ns1
tun_set_iff() //dev is tun0
   tun->dev = dev
//ip link set tun0 netns ns1
                                       put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
   net = dev_net(tun->dev);
   open_related_ns(&net->ns, get_net_ns); //ns1
     get_net_ns()
       get_net() //addition on 0
Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f
cve-2024-40968
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
MIPS: Octeon: Add PCIe link status check
When the standard PCIe configuration read-write interface is used to
access the configuration space of the peripheral PCIe devices
of the MIPS processor after a PCIe link surprise down, it can
generate a kernel panic caused by "Data bus error". So it is
necessary to add a PCIe link status check for system protection.
When the PCIe link is down or in training, assigning a value
of 0 to the configuration address can prevent read-write behavior
to the configuration space of peripheral PCIe devices, thereby
preventing kernel panic.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
cve-2024-40985
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tcp_ao: Don't leak ao_info on error-path
It seems I introduced it together with TCP_AO_CMDF_AO_REQUIRED, on
version 5 [1] of TCP-AO patches. Quite frustrating that, having all these
selftests that I've written, running kmemtest & kcov was always in todo.
[1]: https://lore.kernel.org/netdev/20230215183335.800122-5-dima@arista.com/
cve-2024-40944
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: Fix bug with call depth tracking
The call to cc_platform_has() triggers a fault and system crash if call depth
tracking is active because the GS segment has been reset by load_segments() and
GS_BASE is now 0 but call depth tracking uses per-CPU variables to operate.
Call cc_platform_has() earlier in the function when GS is still valid.
[ bp: Massage. ]
cve-2024-40906
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Always stop health timer during driver removal
Currently, if teardown_hca fails to execute during driver removal, mlx5
does not stop the health timer. Afterwards, mlx5 continues with driver
teardown. This may lead to a UAF bug, which results in page fault
Oops[1], since the health timer invokes after resources were freed.
Hence, stop the health monitor even if teardown_hca fails.
[1]
mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: cleanup
mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource
mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup
BUG: unable to handle page fault for address: ffffa26487064230
PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1
Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020
RIP: 0010:ioread32be+0x34/0x60
RSP: 0018:ffffa26480003e58 EFLAGS: 00010292
RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0
RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230
RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8
R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0
R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0
FS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? exc_page_fault+0x175/0x180
? asm_exc_page_fault+0x26/0x30
? __pfx_poll_health+0x10/0x10 [mlx5_core]
? __pfx_poll_health+0x10/0x10 [mlx5_core]
? ioread32be+0x34/0x60
mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]
? __pfx_poll_health+0x10/0x10 [mlx5_core]
poll_health+0x42/0x230 [mlx5_core]
? __next_timer_interrupt+0xbc/0x110
? __pfx_poll_health+0x10/0x10 [mlx5_core]
call_timer_fn+0x21/0x130
? __pfx_poll_health+0x10/0x10 [mlx5_core]
__run_timers+0x222/0x2c0
run_timer_softirq+0x1d/0x40
__do_softirq+0xc9/0x2c8
__irq_exit_rcu+0xa6/0xc0
sysvec_apic_timer_interrupt+0x72/0x90
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:cpuidle_enter_state+0xcc/0x440
? cpuidle_enter_state+0xbd/0x440
cpuidle_enter+0x2d/0x40
do_idle+0x20d/0x270
cpu_startup_entry+0x2a/0x30
rest_init+0xd0/0xd0
arch_call_rest_init+0xe/0x30
start_kernel+0x709/0xa90
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0x96/0xa0
secondary_startup_64_no_verify+0x18f/0x19b
---[ end trace 0000000000000000 ]---
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.321Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40906", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:18.717669Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:38.096Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e7d4485d47839f4d1284592ae242c4e65b2810a9", status: "affected", version: "9b98d395b85dd042fe83fb696b1ac02e6c93a520", versionType: "git", }, { lessThan: "6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a", status: "affected", version: "9b98d395b85dd042fe83fb696b1ac02e6c93a520", versionType: "git", }, { lessThan: "e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8", status: "affected", version: "9b98d395b85dd042fe83fb696b1ac02e6c93a520", versionType: "git", }, { lessThan: "c8b3f38d2dae0397944814d691a419c451f9906f", status: "affected", version: "9b98d395b85dd042fe83fb696b1ac02e6c93a520", versionType: "git", }, ], }, { defaultStatus: "affected", product: 
"Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always stop health timer during driver removal\n\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\ndoes not stop the health timer. Afterwards, mlx5 continue with driver\nteardown. This may lead to a UAF bug, which results in page fault\nOops[1], since the health timer invokes after resources were freed.\n\nHence, stop the health monitor even if teardown_hca fails.\n\n[1]\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: cleanup\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. 
Will cause a leak of a command resource\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\nBUG: unable to handle page fault for address: ffffa26487064230\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\nRIP: 0010:ioread32be+0x34/0x60\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\nFS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x175/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? ioread32be+0x34/0x60\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n poll_health+0x42/0x230 [mlx5_core]\n ? __next_timer_interrupt+0xbc/0x110\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n call_timer_fn+0x21/0x130\n ? 
__pfx_poll_health+0x10/0x10 [mlx5_core]\n __run_timers+0x222/0x2c0\n run_timer_softirq+0x1d/0x40\n __do_softirq+0xc9/0x2c8\n __irq_exit_rcu+0xa6/0xc0\n sysvec_apic_timer_interrupt+0x72/0x90\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\n ? cpuidle_enter_state+0xbd/0x440\n cpuidle_enter+0x2d/0x40\n do_idle+0x20d/0x270\n cpu_startup_entry+0x2a/0x30\n rest_init+0xd0/0xd0\n arch_call_rest_init+0xe/0x30\n start_kernel+0x709/0xa90\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x96/0xa0\n secondary_startup_64_no_verify+0x18f/0x19b\n---[ end trace 0000000000000000 ]---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:44.725Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9", }, { url: "https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a", }, { url: "https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8", }, { url: "https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f", }, ], title: "net/mlx5: Always stop health timer during driver removal", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40906", datePublished: "2024-07-12T12:20:46.485Z", dateReserved: "2024-07-12T12:17:45.580Z", dateUpdated: "2024-12-19T09:07:44.725Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40916
Vulnerability from cvelistv5
Published
2024-07-12 12:24
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found
When reading EDID fails and driver reports no modes available, the DRM
core adds an artificial 1024x786 mode to the connector. Unfortunately
some variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not
able to drive such mode, so report a safe 640x480 mode instead of nothing
in case of the EDID reading failure.
This fixes the following issue observed on Trats2 board since commit
13d5b040363c ("drm/exynos: do not return negative values from .get_modes()"):
[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations
exynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)
exynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)
exynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)
exynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)
exynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)
[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1
exynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state
panel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c
exynos-mixer 12c10000.mixer: timeout waiting for VSYNC
------------[ cut here ]------------
WARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8
[CRTC:70:crtc-1] vblank wait timed out
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913
Hardware name: Samsung Exynos (Flattened Device Tree)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x68/0x88
dump_stack_lvl from __warn+0x7c/0x1c4
__warn from warn_slowpath_fmt+0x11c/0x1a8
warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8
drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c
drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184
commit_tail from drm_atomic_helper_commit+0x168/0x190
drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0
drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c
drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc
drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40
drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4
__drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c
drm_fb_helper_set_par from fbcon_init+0x3d8/0x550
fbcon_init from visual_init+0xc0/0x108
visual_init from do_bind_con_driver+0x1b8/0x3a4
do_bind_con_driver from do_take_over_console+0x140/0x1ec
do_take_over_console from do_fbcon_takeover+0x70/0xd0
do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac
fbcon_fb_registered from register_framebuffer+0x190/0x21c
register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574
__drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0
exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94
drm_client_register from exynos_drm_bind+0x160/0x190
exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8
try_to_bring_up_aggregate_device from __component_add+0xb0/0x170
__component_add from mixer_probe+0x74/0xcc
mixer_probe from platform_probe+0x5c/0xb8
platform_probe from really_probe+0xe0/0x3d8
really_probe from __driver_probe_device+0x9c/0x1e4
__driver_probe_device from driver_probe_device+0x30/0xc0
driver_probe_device from __device_attach_driver+0xa8/0x120
__device_attach_driver from bus_for_each_drv+0x80/0xcc
bus_for_each_drv from __device_attach+0xac/0x1fc
__device_attach from bus_probe_device+0x8c/0x90
bus_probe_device from deferred_probe_work_func+0
---truncated---
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 348aa3d47e8bc2fa4e5b8079554724343631b82a Version: a8cb3b072403ce0748d368278bc7ab87d15e90a7 Version: 912c149a52c37a2f8199449360bf392ae4ef7f4c Version: 8f914db6fe252c5e78a9b8b03adc1b0a33aec25d Version: b71ae5fb2dd3c89c66efa613dccffc45c246c8b9 Version: 13d5b040363c7ec0ac29c2de9cf661a24a8aa531 Version: 13d5b040363c7ec0ac29c2de9cf661a24a8aa531
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.397Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40916", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:46.451559Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:04.124Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/exynos/exynos_hdmi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222", status: "affected", version: "348aa3d47e8bc2fa4e5b8079554724343631b82a", versionType: "git", }, { lessThan: "4dfffb50316c761c59386c9b002a10ac6d7bb6c9", status: "affected", version: "a8cb3b072403ce0748d368278bc7ab87d15e90a7", versionType: "git", }, { lessThan: 
"6d6bb258d886e124e5a5328e947b36fdcb3a6028", status: "affected", version: "912c149a52c37a2f8199449360bf392ae4ef7f4c", versionType: "git", }, { lessThan: "c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec", status: "affected", version: "8f914db6fe252c5e78a9b8b03adc1b0a33aec25d", versionType: "git", }, { lessThan: "35bcf16b4a28c10923ff391d14f6ed0ae471ee5f", status: "affected", version: "b71ae5fb2dd3c89c66efa613dccffc45c246c8b9", versionType: "git", }, { lessThan: "510a6c0dfa6ec61d07a4b64698d8dc60045bd632", status: "affected", version: "13d5b040363c7ec0ac29c2de9cf661a24a8aa531", versionType: "git", }, { lessThan: "799d4b392417ed6889030a5b2335ccb6dcf030ab", status: "affected", version: "13d5b040363c7ec0ac29c2de9cf661a24a8aa531", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/exynos/exynos_hdmi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\n\nWhen reading EDID fails and driver 
reports no modes available, the DRM\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\nable to drive such mode, so report a safe 640x480 mode instead of nothing\nin case of the EDID reading failure.\n\nThis fixes the following issue observed on Trats2 board since commit\n13d5b040363c (\"drm/exynos: do not return negative values from .get_modes()\"):\n\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n[CRTC:70:crtc-1] vblank wait timed out\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x68/0x88\n dump_stack_lvl from __warn+0x7c/0x1c4\n __warn from warn_slowpath_fmt+0x11c/0x1a8\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\n drm_atomic_helper_commit_tail_rpm 
from commit_tail+0x9c/0x184\n commit_tail from drm_atomic_helper_commit+0x168/0x190\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\n fbcon_init from visual_init+0xc0/0x108\n visual_init from do_bind_con_driver+0x1b8/0x3a4\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\n drm_client_register from exynos_drm_bind+0x160/0x190\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\n __component_add from mixer_probe+0x74/0xcc\n mixer_probe from platform_probe+0x5c/0xb8\n platform_probe from really_probe+0xe0/0x3d8\n really_probe from __driver_probe_device+0x9c/0x1e4\n __driver_probe_device from driver_probe_device+0x30/0xc0\n driver_probe_device from __device_attach_driver+0xa8/0x120\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\n bus_for_each_drv from __device_attach+0xac/0x1fc\n __device_attach from bus_probe_device+0x8c/0x90\n bus_probe_device from deferred_probe_work_func+0\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:57.856Z", orgId: 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222", }, { url: "https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9", }, { url: "https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028", }, { url: "https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec", }, { url: "https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f", }, { url: "https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632", }, { url: "https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab", }, ], title: "drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40916", datePublished: "2024-07-12T12:24:59.429Z", dateReserved: "2024-07-12T12:17:45.581Z", dateUpdated: "2024-12-19T09:07:57.856Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40952
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()
bdev->bd_super has been removed and commit 8887b94d9322 changed the usage
from bdev->bd_super to b_assoc_map->host->i_sb. This introduces the
following NULL pointer dereference in ocfs2_journal_dirty() since
b_assoc_map is still not initialized. This can be easily reproduced by
running xfstests generic/186, which simulates no more credits.
[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000
...
[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
...
[ 134.365071] Call Trace:
[ 134.365312] <TASK>
[ 134.365524] ? __die_body+0x1e/0x60
[ 134.365868] ? page_fault_oops+0x13d/0x4f0
[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10
[ 134.366659] ? schedule+0x27/0xb0
[ 134.366981] ? exc_page_fault+0x6a/0x140
[ 134.367356] ? asm_exc_page_fault+0x26/0x30
[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]
[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]
[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]
[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]
[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]
[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]
[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]
[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]
[ 134.372994] ? inode_update_timestamps+0x4a/0x120
[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
[ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]
[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]
[ 134.376971] ? security_file_permission+0x29/0x50
[ 134.377644] vfs_clone_file_range+0xfe/0x320
[ 134.378268] ioctl_file_clone+0x45/0xa0
[ 134.378853] do_vfs_ioctl+0x457/0x990
[ 134.379422] __x64_sys_ioctl+0x6e/0xd0
[ 134.379987] do_syscall_64+0x5d/0x170
[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 134.381231] RIP: 0033:0x7fa4926397cb
[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48
[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb
[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003
[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000
[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000
[ 134.389207] </TASK>
Fix it by only aborting transaction and journal in ocfs2_journal_dirty()
now, and leave ocfs2_abort() later when detecting an aborted handle,
e.g. start next transaction. Also log the handle details in this case.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.281Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0550ad87711f815b3d73e487ec58ca7d8f56edbc", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/72663d3e09091f431a0774227ca207c0358362dd", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/58f7e1e2c9e72c7974054c64c3abeac81c11f822", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40952", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:55.352305Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:24.609Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/journal.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0550ad87711f815b3d73e487ec58ca7d8f56edbc", status: "affected", version: "8887b94d93224e0ef7e1bc6369640e313b8b12f4", versionType: "git", }, { lessThan: "72663d3e09091f431a0774227ca207c0358362dd", status: "affected", version: "8887b94d93224e0ef7e1bc6369640e313b8b12f4", versionType: "git", }, { lessThan: "58f7e1e2c9e72c7974054c64c3abeac81c11f822", status: "affected", version: "8887b94d93224e0ef7e1bc6369640e313b8b12f4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/journal.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: 
"6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()\n\nbdev->bd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev->bd_super to b_assoc_map->host->i_sb. This introduces the\nfollowing NULL pointer dereference in ocfs2_journal_dirty() since\nb_assoc_map is still not initialized. This can be easily reproduced by\nrunning xfstests generic/186, which simulate no more credits.\n\n[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000\n...\n[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n...\n[ 134.365071] Call Trace:\n[ 134.365312] <TASK>\n[ 134.365524] ? __die_body+0x1e/0x60\n[ 134.365868] ? page_fault_oops+0x13d/0x4f0\n[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10\n[ 134.366659] ? schedule+0x27/0xb0\n[ 134.366981] ? exc_page_fault+0x6a/0x140\n[ 134.367356] ? asm_exc_page_fault+0x26/0x30\n[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]\n[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]\n[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]\n[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]\n[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]\n[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]\n[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]\n[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]\n[ 134.372994] ? inode_update_timestamps+0x4a/0x120\n[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.374545] ? 
__pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]\n[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]\n[ 134.376971] ? security_file_permission+0x29/0x50\n[ 134.377644] vfs_clone_file_range+0xfe/0x320\n[ 134.378268] ioctl_file_clone+0x45/0xa0\n[ 134.378853] do_vfs_ioctl+0x457/0x990\n[ 134.379422] __x64_sys_ioctl+0x6e/0xd0\n[ 134.379987] do_syscall_64+0x5d/0x170\n[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 134.381231] RIP: 0033:0x7fa4926397cb\n[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48\n[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb\n[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003\n[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000\n[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000\n[ 134.389207] </TASK>\n\nFix it by only aborting transaction and journal in ocfs2_journal_dirty()\nnow, and leave ocfs2_abort() later when detecting an aborted handle,\ne.g. start next transaction. 
Also log the handle details in this case.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:49.266Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0550ad87711f815b3d73e487ec58ca7d8f56edbc", }, { url: "https://git.kernel.org/stable/c/72663d3e09091f431a0774227ca207c0358362dd", }, { url: "https://git.kernel.org/stable/c/58f7e1e2c9e72c7974054c64c3abeac81c11f822", }, ], title: "ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40952", datePublished: "2024-07-12T12:31:56.160Z", dateReserved: "2024-07-12T12:17:45.592Z", dateUpdated: "2024-12-19T09:08:49.266Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40924
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/dpt: Make DPT object unshrinkable
In some scenarios, the DPT object gets shrunk but
the actual framebuffer did not and thus it's still
there on the DPT's vm->bound_list. Then it tries to
rewrite the PTEs via a stale CPU mapping. This causes panic.
[vsyrjala: Add TODO comment]
(cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c)
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.996Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/327280149066f0e5f2e50356b5823f76dabfe86e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7a9883be3b98673333eec65c4a21cc18e60292eb", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a2552020fb714ff357182c3c179abfac2289f84d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/43e2b37e2ab660c3565d4cff27922bc70e79c3f1", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40924", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:20.923051Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:03.482Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/i915/gem/i915_gem_object.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "327280149066f0e5f2e50356b5823f76dabfe86e", status: "affected", version: "0dc987b699ce4266450d407d6d79d41eab88c5d0", versionType: "git", }, { lessThan: "7a9883be3b98673333eec65c4a21cc18e60292eb", status: "affected", version: "0dc987b699ce4266450d407d6d79d41eab88c5d0", versionType: "git", }, { lessThan: "a2552020fb714ff357182c3c179abfac2289f84d", status: "affected", version: "0dc987b699ce4266450d407d6d79d41eab88c5d0", versionType: "git", }, { lessThan: "43e2b37e2ab660c3565d4cff27922bc70e79c3f1", status: "affected", version: "0dc987b699ce4266450d407d6d79d41eab88c5d0", versionType: "git", }, ], }, { defaultStatus: "affected", product: 
"Linux", programFiles: [ "drivers/gpu/drm/i915/gem/i915_gem_object.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dpt: Make DPT object unshrinkable\n\nIn some scenarios, the DPT object gets shrunk but\nthe actual framebuffer did not and thus its still\nthere on the DPT's vm->bound_list. Then it tries to\nrewrite the PTEs via a stale CPU mapping. 
This causes panic.\n\n[vsyrjala: Add TODO comment]\n(cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:17.492Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/327280149066f0e5f2e50356b5823f76dabfe86e", }, { url: "https://git.kernel.org/stable/c/7a9883be3b98673333eec65c4a21cc18e60292eb", }, { url: "https://git.kernel.org/stable/c/a2552020fb714ff357182c3c179abfac2289f84d", }, { url: "https://git.kernel.org/stable/c/43e2b37e2ab660c3565d4cff27922bc70e79c3f1", }, ], title: "drm/i915/dpt: Make DPT object unshrinkable", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40924", datePublished: "2024-07-12T12:25:04.991Z", dateReserved: "2024-07-12T12:17:45.582Z", dateUpdated: "2024-12-19T09:08:17.492Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40942
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
The hwmp code uses objects of type mesh_preq_queue, added to a list in
ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
gets deleted, ex mesh interface is removed, the entries in that list will
never get cleaned. Fix this by flushing all corresponding items of the
preq_queue in mesh_path_flush_pending().
This should take care of KASAN reports like this:
unreferenced object 0xffff00000668d800 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
hex dump (first 32 bytes):
00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....
8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
unreferenced object 0xffff000009051f00 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
hex dump (first 32 bytes):
90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....
36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.383Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40942", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:23.938409Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:25.698Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mac80211/mesh_pathtbl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "377dbb220edc8421b7960691876c5b3bef62f89b", status: "affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, { lessThan: "ec79670eae430b3ffb7e0a6417ad7657728b8f95", status: 
"affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, { lessThan: "7518e20a189f8659b8b83969db4d33a4068fcfc3", status: "affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, { lessThan: "c4c865f971fd4a255208f57ef04d814c2ae9e0dc", status: "affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, { lessThan: "617dadbfb2d3e152c5753e28356d189c9d6f33c0", status: "affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, { lessThan: "63d5f89bb5664d60edbf8cf0df911aaae8ed96a4", status: "affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, { lessThan: "d81e244af521de63ad2883e17571b789c39b6549", status: "affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, { lessThan: "b7d7f11a291830fdf69d3301075dd0fb347ced84", status: "affected", version: "050ac52cbe1f3de2fb0d06f02c7919ae1f691c9e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mac80211/mesh_pathtbl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.26", }, { lessThan: "2.6.26", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: 
"semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\n\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\ngets deleted, ex mesh interface is removed, the entries in that list will\nnever get cleaned. Fix this by flushing all corresponding items of the\npreq_queue in mesh_path_flush_pending().\n\nThis should take care of KASAN reports like this:\n\nunreferenced object 0xffff00000668d800 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (age 1836.444s)\n hex dump (first 32 bytes):\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20\nunreferenced object 0xffff000009051f00 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (age 1836.440s)\n hex dump (first 32 bytes):\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff 
..........h.....\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:38.678Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b", }, { url: "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95", }, { url: "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3", }, { url: "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc", }, { url: "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0", }, { url: "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4", }, { url: "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549", }, { url: "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84", }, ], title: "wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40942", 
datePublished: "2024-07-12T12:25:17.149Z", dateReserved: "2024-07-12T12:17:45.587Z", dateUpdated: "2024-12-19T09:08:38.678Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40933
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: temperature: mlx90635: Fix ERR_PTR dereference in mlx90635_probe()
When devm_regmap_init_i2c() fails, regmap_ee could be error pointer,
instead of checking for IS_ERR(regmap_ee), regmap is checked which looks
like a copy paste error.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.385Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/5a5595ae8cc7cdaa1a10b56a26ddbe3429245c6c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a23c14b062d8800a2192077d83273bbfe6c7552d", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40933", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:52.590615Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:02.522Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iio/temperature/mlx90635.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5a5595ae8cc7cdaa1a10b56a26ddbe3429245c6c", status: "affected", version: "a1d1ba5e1c28b9887be1bdb3630caf0b532ec980", versionType: "git", }, { lessThan: "a23c14b062d8800a2192077d83273bbfe6c7552d", status: "affected", version: "a1d1ba5e1c28b9887be1bdb3630caf0b532ec980", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iio/temperature/mlx90635.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the 
Linux kernel, the following vulnerability has been resolved:\n\niio: temperature: mlx90635: Fix ERR_PTR dereference in mlx90635_probe()\n\nWhen devm_regmap_init_i2c() fails, regmap_ee could be error pointer,\ninstead of checking for IS_ERR(regmap_ee), regmap is checked which looks\nlike a copy paste error.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:28.082Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5a5595ae8cc7cdaa1a10b56a26ddbe3429245c6c", }, { url: "https://git.kernel.org/stable/c/a23c14b062d8800a2192077d83273bbfe6c7552d", }, ], title: "iio: temperature: mlx90635: Fix ERR_PTR dereference in mlx90635_probe()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40933", datePublished: "2024-07-12T12:25:11.106Z", dateReserved: "2024-07-12T12:17:45.583Z", dateUpdated: "2024-12-19T09:08:28.082Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40994
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
ptp: fix integer overflow in max_vclocks_store
On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc()
to do the allocation to prevent this.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 44c494c8e30e35713c7d11ca3c5ab332cbfabacf
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.058Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40994", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:38.458996Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:19.919Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/ptp/ptp_sysfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4b03da87d0b7074c93d9662c6e1a8939f9b8b86e", status: "affected", version: "44c494c8e30e35713c7d11ca3c5ab332cbfabacf", versionType: "git", }, { lessThan: "d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f", status: "affected", version: "44c494c8e30e35713c7d11ca3c5ab332cbfabacf", versionType: "git", }, { lessThan: "666e934d749e50a37f3796caaf843a605f115b6f", status: "affected", version: "44c494c8e30e35713c7d11ca3c5ab332cbfabacf", versionType: "git", }, { lessThan: "e1fccfb4638ee6188377867f6015d0ce35764a8e", status: "affected", version: 
"44c494c8e30e35713c7d11ca3c5ab332cbfabacf", versionType: "git", }, { lessThan: "81d23d2a24012e448f651e007fac2cfd20a45ce0", status: "affected", version: "44c494c8e30e35713c7d11ca3c5ab332cbfabacf", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/ptp/ptp_sysfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: fix integer overflow in max_vclocks_store\n\nOn 32bit systems, the \"4 * max\" multiply can overflow. 
Use kcalloc()\nto do the allocation to prevent this.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:40.021Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e", }, { url: "https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f", }, { url: "https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f", }, { url: "https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e", }, { url: "https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0", }, ], title: "ptp: fix integer overflow in max_vclocks_store", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40994", datePublished: "2024-07-12T12:37:37.124Z", dateReserved: "2024-07-12T12:17:45.606Z", dateUpdated: "2024-12-19T09:09:40.021Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39504
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_inner: validate mandatory meta and payload
Check for mandatory netlink attributes in payload and meta expression
when used embedded from the inner expression, otherwise NULL pointer
dereference is possible from userspace.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.508Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b30669fdea0ca03aa22995e6c99f7e7d9dee89ff", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/39323f54cad29602917848346c71b087da92a19d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c4ab9da85b9df3692f861512fe6c9812f38b7471", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39504", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:01.032732Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:40.108Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netfilter/nft_meta.c", "net/netfilter/nft_payload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b30669fdea0ca03aa22995e6c99f7e7d9dee89ff", status: "affected", version: "3a07327d10a09379315c844c63f27941f5081e0a", versionType: "git", }, { lessThan: "39323f54cad29602917848346c71b087da92a19d", status: "affected", version: "3a07327d10a09379315c844c63f27941f5081e0a", versionType: "git", }, { lessThan: "c4ab9da85b9df3692f861512fe6c9812f38b7471", status: "affected", version: "3a07327d10a09379315c844c63f27941f5081e0a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/netfilter/nft_meta.c", "net/netfilter/nft_payload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: 
"unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: validate mandatory meta and payload\n\nCheck for mandatory netlink attributes in payload and meta expression\nwhen used embedded from the inner expression, otherwise NULL pointer\ndereference is possible from userspace.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:28.308Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b30669fdea0ca03aa22995e6c99f7e7d9dee89ff", }, { url: "https://git.kernel.org/stable/c/39323f54cad29602917848346c71b087da92a19d", }, { url: "https://git.kernel.org/stable/c/c4ab9da85b9df3692f861512fe6c9812f38b7471", }, ], title: "netfilter: nft_inner: validate mandatory meta and payload", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39504", datePublished: "2024-07-12T12:20:36.964Z", dateReserved: "2024-06-25T14:23:23.752Z", dateUpdated: "2024-12-19T09:07:28.308Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39508
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/io-wq: Use set_bit() and test_bit() at worker->flags
Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq
to address potential data races.
The structure io_worker->flags may be accessed through various data
paths, leading to concurrency issues. When KCSAN is enabled, it reveals
data races occurring in io_worker_handle_work and
io_wq_activate_free_worker functions.
BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker
write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:
io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)
io_wq_worker (io_uring/io-wq.c:?)
<snip>
read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:
io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)
io_wq_enqueue (io_uring/io-wq.c:947)
io_queue_iowq (io_uring/io_uring.c:524)
io_req_task_submit (io_uring/io_uring.c:1511)
io_handle_tw_list (io_uring/io_uring.c:1198)
<snip>
Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of
git://git.kernel.org/pub/scm/virt/kvm/kvm").
These races involve writes and reads to the same memory location by
different tasks running on different CPUs. To mitigate this, refactor
the code to use atomic operations such as set_bit(), test_bit(), and
clear_bit() instead of basic "and" and "or" operations. This ensures
thread-safe manipulation of worker flags.
Also, move `create_index` to avoid holes in the structure.
References
Impacted products
cve-2024-40934
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()
Fix a memory leak on logi_dj_recv_send_report() error path.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: cf48a7ba5c095f76bb9c1951f120fa048442422f Version: e38a6f12685d8a2189b72078f6254b069ff84650 Version: 4fb28379b3c735398b252a979c991b340baa6b5b Version: 6e59609541514d2ed3472f5bc999c55bdb6144ee Version: 6f20d3261265885f6a6be4cda49d7019728760e0 Version: 6f20d3261265885f6a6be4cda49d7019728760e0 Version: 6f20d3261265885f6a6be4cda49d7019728760e0
cve-2024-40945
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu: Return right value in iommu_sva_bind_device()
iommu_sva_bind_device() should return either a sva bond handle or an
ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
check the return value with IS_ERR(). This could potentially lead to
a kernel NULL pointer dereference issue if the function returns NULL
instead of an error pointer.
In reality, this doesn't cause any problems because iommu_sva_bind_device()
only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.
In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
return an error, and the device drivers won't call iommu_sva_bind_device()
at all.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984
cve-2024-40995
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()
syzbot found hanging tasks waiting on rtnl_lock [1]
A reproducer is available in the syzbot bug.
When a request to add multiple actions with the same index is sent, the
second request will block forever on the first request. This holds
rtnl_lock, and causes tasks to hang.
Return -EAGAIN to prevent infinite looping, while keeping documented
behavior.
[1]
INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
Workqueue: events_power_efficient reg_check_chans_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0xf15/0x5d00 kernel/sched/core.c:6746
__schedule_loop kernel/sched/core.c:6823 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6838
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
wiphy_lock include/net/cfg80211.h:5953 [inline]
reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 0190c1d452a91c38a3462abdd81752be1b9006a8 Version: 0190c1d452a91c38a3462abdd81752be1b9006a8 Version: 0190c1d452a91c38a3462abdd81752be1b9006a8 Version: 0190c1d452a91c38a3462abdd81752be1b9006a8 Version: 0190c1d452a91c38a3462abdd81752be1b9006a8 Version: 0190c1d452a91c38a3462abdd81752be1b9006a8 Version: 0190c1d452a91c38a3462abdd81752be1b9006a8
cve-2024-40982
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
ssb: Fix potential NULL pointer dereference in ssb_device_uevent()
The ssb_device_uevent() function first attempts to convert the 'dev' pointer
to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before
performing the NULL check, potentially leading to a NULL pointer
dereference if 'dev' is NULL.
To fix this issue, move the NULL check before dereferencing the 'dev' pointer,
ensuring that the pointer is valid before attempting to use it.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
cve-2024-40972
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: do not create EA inode under buffer lock
ext4_xattr_set_entry() creates new EA inodes while holding buffer lock
on the external xattr block. This is problematic as it nests all the
allocation locking (which acquires locks on other buffers) under the
buffer lock. This can even deadlock when the filesystem is corrupted and
e.g. quota file is set up to contain xattr block as data block. Move the
allocation of EA inode out of ext4_xattr_set_entry() into the callers.
References
Impacted products
cve-2024-40918
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

parisc: Try to fix random segmentation faults in package builds

PA-RISC systems with PA8800 and PA8900 processors have had problems
with random segmentation faults for many years. Systems with earlier
processors are much more stable.

Systems with PA8800 and PA8900 processors have a large L2 cache which
needs per page flushing for decent performance when a large range is
flushed. The combined cache in these systems is also more sensitive to
non-equivalent aliases than the caches in earlier systems.

The majority of random segmentation faults that I have looked at
appear to be memory corruption in memory allocated using mmap and
malloc.

My first attempt at fixing the random faults didn't work. On
reviewing the cache code, I realized that there were two issues
which the existing code didn't handle correctly. Both relate
to cache move-in. Another issue is that the present bit in PTEs
is racy.

1) PA-RISC caches have a mind of their own and they can speculatively
load data and instructions for a page as long as there is an entry in
the TLB for the page which allows move-in. TLBs are local to each
CPU. Thus, the TLB entry for a page must be purged before flushing
the page. This is particularly important on SMP systems.

In some of the flush routines, the flush routine would be called
and then the TLB entry would be purged. This was because the flush
routine needed the TLB entry to do the flush.

2) My initial approach to trying to fix the random faults was to
try and use flush_cache_page_if_present for all flush operations.
This actually made things worse and led to a couple of hardware
lockups. It finally dawned on me that some lines weren't being
flushed because the pte check code was racy. This resulted in
random inequivalent mappings to physical pages.

The __flush_cache_page tmpalias flush sets up its own TLB entry
and it doesn't need the existing TLB entry. As long as we can find
the pte pointer for the vm page, we can get the pfn and physical
address of the page. We can also purge the TLB entry for the page
before doing the flush. Further, __flush_cache_page uses a special
TLB entry that inhibits cache move-in.

When switching page mappings, we need to ensure that lines are
removed from the cache. It is not sufficient to just flush the
lines to memory as they may come back.

This made it clear that we needed to implement all the required
flush operations using tmpalias routines. This includes flushes
for user and kernel pages.

After modifying the code to use tmpalias flushes, it became clear
that the random segmentation faults were not fully resolved. The
frequency of faults was worse on systems with a 64 MB L2 (PA8900)
and systems with more CPUs (rp4440).

The warning that I added to flush_cache_page_if_present to detect
pages that couldn't be flushed triggered frequently on some systems.

Helge and I looked at the pages that couldn't be flushed and found
that the PTE was either cleared or for a swap page. Ignoring pages
that were swapped out seemed okay but pages with cleared PTEs seemed
problematic.

I looked at routines related to pte_clear and noticed ptep_clear_flush.
The default implementation just flushes the TLB entry. However, it was
obvious that on parisc we need to flush the cache page as well. If
we don't flush the cache page, stale lines will be left in the cache
and cause random corruption. Once a PTE is cleared, there is no way
to find the physical address associated with the PTE and flush the
associated page at a later time.

I implemented an updated change with a parisc specific version of
ptep_clear_flush. It fixed the random data corruption on Helge's rp4440
and rp3440, as well as on my c8000.

At this point, I realized that I could restore the code where we only
flush in flush_cache_page_if_present if the page has been accessed.
However, for this, we also need to flush the cache when the accessed
bit is cleared in
---truncated---
Impacted products
Vendor | Product | Program files | Version status
---|---|---|---
Linux | Linux | arch/parisc/include/asm/cacheflush.h, arch/parisc/include/asm/pgtable.h, arch/parisc/kernel/cache.c | unaffected: 6.6.35 through 6.6.*, 6.9.6 through 6.9.*, 6.10 and later

SSVC (CISA Coordinator, 2024-09-10): Exploitation: none; Automatable: no; Technical Impact: partial
cve-2024-40960
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent possible NULL dereference in rt6_probe()
syzbot caught a NULL dereference in rt6_probe() [1]
Bail out if __in6_dev_get() returns NULL.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
RSP: 0018:ffffc900034af070 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
__find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
find_rr_leaf net/ipv6/route.c:853 [inline]
rt6_select net/ipv6/route.c:897 [inline]
fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
pol_lookup_func include/net/ip6_fib.h:616 [inline]
fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x6b6/0x1140 fs/read_write.c:590
ksys_write+0x1f8/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Impacted products
Vendor | Product | Program files | Version status
---|---|---|---
Linux | Linux | net/ipv6/route.c | affected: from 2.6.17; unaffected: before 2.6.17, 4.19.317 through 4.19.*, 5.4.279 through 5.4.*, 5.10.221 through 5.10.*, 5.15.162 through 5.15.*, 6.1.96 through 6.1.*, 6.6.36 through 6.6.*, 6.9.7 through 6.9.*, 6.10 and later

SSVC (CISA Coordinator, 2024-09-10): Exploitation: none; Automatable: no; Technical Impact: partial
cve-2024-40998
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

In the following concurrency we will access the uninitialized rs->lock:

ext4_fill_super
  ext4_register_sysfs
   // sysfs registered msg_ratelimit_interval_ms
                             // Other processes modify rs->interval to
                             // non-zero via msg_ratelimit_interval_ms
  ext4_orphan_cleanup
    ext4_msg(sb, KERN_INFO, "Errors on filesystem, "
      __ext4_msg
        ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)
          if (!rs->interval)  // do nothing if interval is 0
            return 1;
          raw_spin_trylock_irqsave(&rs->lock, flags)
            raw_spin_trylock(lock)
              _raw_spin_trylock
                __raw_spin_trylock
                  spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)
                    lock_acquire
                      __lock_acquire
                        register_lock_class
                          assign_lock_key
                            dump_stack();
  ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);
    raw_spin_lock_init(&rs->lock);
    // init rs->lock here

and get the following dump_stack:

=========================================================
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504
[...]
Call Trace:
 dump_stack_lvl+0xc5/0x170
 dump_stack+0x18/0x30
 register_lock_class+0x740/0x7c0
 __lock_acquire+0x69/0x13a0
 lock_acquire+0x120/0x450
 _raw_spin_trylock+0x98/0xd0
 ___ratelimit+0xf6/0x220
 __ext4_msg+0x7f/0x160 [ext4]
 ext4_orphan_cleanup+0x665/0x740 [ext4]
 __ext4_fill_super+0x21ea/0x2b10 [ext4]
 ext4_fill_super+0x14d/0x360 [ext4]
[...]
=========================================================

Normally interval is 0 until s_msg_ratelimit_state is initialized, so
___ratelimit() does nothing. But registering sysfs precedes initializing
rs->lock, so it is possible to change rs->interval to a non-zero value
via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is
uninitialized, and then a call to ext4_msg triggers the problem by
accessing an uninitialized rs->lock. Therefore register sysfs after all
initializations are complete to avoid such problems.
Impacted products
Vendor | Product | Program files | Version status
---|---|---|---
Linux | Linux | fs/ext4/super.c | unaffected: 6.6.36 through 6.6.*, 6.9.7 through 6.9.*, 6.10 and later

SSVC (CISA Coordinator, 2024-09-10): Exploitation: none; Automatable: no; Technical Impact: partial
cve-2024-40978
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qedi: Fix crash while reading debugfs attribute
The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly
on a __user pointer, which results in the crash.
To fix this issue, use a small local stack buffer for sprintf() and then
call simple_read_from_buffer(), which in turn makes the copy_to_user()
call.
BUG: unable to handle page fault for address: 00007f4801111000
PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0
Oops: 0002 [#1] PREEMPT SMP PTI
Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023
RIP: 0010:memcpy_orig+0xcd/0x130
RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202
RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f
RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000
RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572
R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff
R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af
FS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __die_body+0x1a/0x60
? page_fault_oops+0x183/0x510
? exc_page_fault+0x69/0x150
? asm_exc_page_fault+0x22/0x30
? memcpy_orig+0xcd/0x130
vsnprintf+0x102/0x4c0
sprintf+0x51/0x80
qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]
full_proxy_read+0x50/0x80
vfs_read+0xa5/0x2e0
? folio_add_new_anon_rmap+0x44/0xa0
? set_pte_at+0x15/0x30
? do_pte_missing+0x426/0x7f0
ksys_read+0xa5/0xe0
do_syscall_64+0x58/0x80
? __count_memcg_events+0x46/0x90
? count_memcg_event_mm+0x3d/0x60
? handle_mm_fault+0x196/0x2f0
? do_user_addr_fault+0x267/0x890
? exc_page_fault+0x69/0x150
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f4800f20b4d
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.066Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40978", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:30.760177Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:21.743Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/qedi/qedi_debugfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "56bec63a7fc87ad50b3373a87517dc9770eef9e0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "21c963de2e86e88f6a8ca556bcebb8e62ab8e901", 
status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "144d76a676b630e321556965011b00e2de0b40a7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "397a8990c377ee4b61d6df768e61dff9e316d46b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "eaddb86637669f6bad89245ee63f8fb2bfb50241", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fa85b016a56b9775a3fe41e5d26e666945963b46", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e2f433ea7d0ff77998766a088a287337fb43ad75", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "28027ec8e32ecbadcd67623edb290dad61e735b5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/qedi/qedi_debugfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, 
], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix crash while reading debugfs attribute\n\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\non a __user pointer, which results into the crash.\n\nTo fix this issue, use a small local stack buffer for sprintf() and then\ncall simple_read_from_buffer(), which in turns make the copy_to_user()\ncall.\n\nBUG: unable to handle page fault for address: 00007f4801111000\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\nOops: 0002 [#1] PREEMPT SMP PTI\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\nRIP: 0010:memcpy_orig+0xcd/0x130\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\nFS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x183/0x510\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? memcpy_orig+0xcd/0x130\n vsnprintf+0x102/0x4c0\n sprintf+0x51/0x80\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\n full_proxy_read+0x50/0x80\n vfs_read+0xa5/0x2e0\n ? folio_add_new_anon_rmap+0x44/0xa0\n ? set_pte_at+0x15/0x30\n ? do_pte_missing+0x426/0x7f0\n ksys_read+0xa5/0xe0\n do_syscall_64+0x58/0x80\n ? 
__count_memcg_events+0x46/0x90\n ? count_memcg_event_mm+0x3d/0x60\n ? handle_mm_fault+0x196/0x2f0\n ? do_user_addr_fault+0x267/0x890\n ? exc_page_fault+0x69/0x150\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4800f20b4d", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:20.490Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0", }, { url: "https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901", }, { url: "https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7", }, { url: "https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b", }, { url: "https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241", }, { url: "https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46", }, { url: "https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75", }, { url: "https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5", }, ], title: "scsi: qedi: Fix crash while reading debugfs attribute", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40978", datePublished: "2024-07-12T12:32:14.149Z", dateReserved: "2024-07-12T12:17:45.604Z", dateUpdated: "2024-12-19T09:09:20.490Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39501
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: core: synchronize really_probe() and dev_uevent()
Synchronize the dev->driver usage in really_probe() and dev_uevent().
These can run in different threads, which can result in the following
race condition for dev->driver uninitialization:
Thread #1:
==========
really_probe() {
...
probe_failed:
...
device_unbind_cleanup(dev) {
    ...
    dev->driver = NULL; // <= Failed probe sets dev->driver to NULL
    ...
}
...
}

Thread #2:
==========
dev_uevent() {
...
if (dev->driver)
    // If dev->driver is NULLed from really_probe() from here on,
    // after above check, the system crashes
    add_uevent_var(env, "DRIVER=%s", dev->driver->name);
...
}
really_probe() holds the lock, already. So nothing needs to be done
there. dev_uevent() is called with lock held, often, too. But not
always, which implies that we can't add any locking in dev_uevent()
itself. So fix this race by adding the lock to the non-protected
path. This is the path where above race is observed:
dev_uevent+0x235/0x380
uevent_show+0x10c/0x1f0 <= Add lock here
dev_attr_show+0x3a/0xa0
sysfs_kf_seq_show+0x17c/0x250
kernfs_seq_show+0x7c/0x90
seq_read_iter+0x2d7/0x940
kernfs_fop_read_iter+0xc6/0x310
vfs_read+0x5bc/0x6b0
ksys_read+0xeb/0x1b0
__x64_sys_read+0x42/0x50
x64_sys_call+0x27ad/0x2d30
do_syscall_64+0xcd/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Similar cases are reported by syzkaller in
https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a
But these are regarding the *initialization* of dev->driver
dev->driver = drv;
As this switches dev->driver to non-NULL these reports can be considered
to be false-positives (which should be "fixed" by this commit, as well,
though).
The same issue was reported and tried to be fixed back in 2015 in
https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/
already.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 239378f16aa1ab5c502e42a06359d2de4f88ebb4
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.451Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39501", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:10.431440Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:40.462Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/base/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bb3641a5831789d83a58a39ed4a928bcbece7080", status: "affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, { lessThan: "13d25e82b6d00d743c7961dcb260329f86bedf7c", status: 
"affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, { lessThan: "760603e30bf19d7b4c28e9d81f18b54fa3b745ad", status: "affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, { lessThan: "ec772ed7cb21b46fb132f89241682553efd0b721", status: "affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, { lessThan: "08891eeaa97c079b7f95d60b62dcf0e3ce034b69", status: "affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, { lessThan: "a42b0060d6ff2f7e59290a26d5f162a3c6329b90", status: "affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, { lessThan: "95d03d369ea647b89e950667f1c3363ea6f564e6", status: "affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, { lessThan: "c0a40097f0bc81deafc15f9195d1fb54595cd6d0", status: "affected", version: "239378f16aa1ab5c502e42a06359d2de4f88ebb4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/base/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.21", }, { lessThan: "2.6.21", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, 
{ lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: core: synchronize really_probe() and dev_uevent()\n\nSynchronize the dev->driver usage in really_probe() and dev_uevent().\nThese can run in different threads, what can result in the following\nrace condition for dev->driver uninitialization:\n\nThread #1:\n==========\n\nreally_probe() {\n...\nprobe_failed:\n...\ndevice_unbind_cleanup(dev) {\n ...\n dev->driver = NULL; // <= Failed probe sets dev->driver to NULL\n ...\n }\n...\n}\n\nThread #2:\n==========\n\ndev_uevent() {\n...\nif (dev->driver)\n // If dev->driver is NULLed from really_probe() from here on,\n // after above check, the system crashes\n add_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n...\n}\n\nreally_probe() holds the lock, already. So nothing needs to be done\nthere. dev_uevent() is called with lock held, often, too. But not\nalways. What implies that we can't add any locking in dev_uevent()\nitself. So fix this race by adding the lock to the non-protected\npath. 
This is the path where above race is observed:\n\n dev_uevent+0x235/0x380\n uevent_show+0x10c/0x1f0 <= Add lock here\n dev_attr_show+0x3a/0xa0\n sysfs_kf_seq_show+0x17c/0x250\n kernfs_seq_show+0x7c/0x90\n seq_read_iter+0x2d7/0x940\n kernfs_fop_read_iter+0xc6/0x310\n vfs_read+0x5bc/0x6b0\n ksys_read+0xeb/0x1b0\n __x64_sys_read+0x42/0x50\n x64_sys_call+0x27ad/0x2d30\n do_syscall_64+0xcd/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nSimilar cases are reported by syzkaller in\n\nhttps://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a\n\nBut these are regarding the *initialization* of dev->driver\n\ndev->driver = drv;\n\nAs this switches dev->driver to non-NULL these reports can be considered\nto be false-positives (which should be \"fixed\" by this commit, as well,\nthough).\n\nThe same issue was reported and tried to be fixed back in 2015 in\n\nhttps://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/\n\nalready.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:24.772Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080", }, { url: "https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c", }, { url: "https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad", }, { url: "https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721", }, { url: "https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69", }, { url: "https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90", }, { url: "https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6", }, { url: "https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0", }, ], title: "drivers: core: synchronize really_probe() and dev_uevent()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", 
assignerShortName: "Linux", cveId: "CVE-2024-39501", datePublished: "2024-07-12T12:20:34.980Z", dateReserved: "2024-06-25T14:23:23.752Z", dateUpdated: "2024-12-19T09:07:24.772Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40983
Vulnerability from cvelistv5
Published
2024-07-12 12:33
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: force a dst refcount before doing decryption
As it says in commit 3bc07321ccc2 ("xfrm: Force a dst refcount before
entering the xfrm type handlers"):
"Crypto requests might return asynchronous. In this case we leave the
rcu protected region, so force a refcount on the skb's destination
entry before we enter the xfrm type input/output handlers."
On TIPC decryption path it has the same problem, and skb_dst_force()
should be called before doing decryption to avoid a possible crash.
Shuang reported this issue when this warning is triggered:
[] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]
[] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug
[] Workqueue: crypto cryptd_queue_worker
[] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]
[] Call Trace:
[] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]
[] tipc_rcv+0xcf5/0x1060 [tipc]
[] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]
[] cryptd_aead_crypt+0xdb/0x190
[] cryptd_queue_worker+0xed/0x190
[] process_one_work+0x93d/0x17e0
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | fc1b6d6de2208774efd2a20bf0daddb02d18b1e0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.020Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40983", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:13.493957Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:21.167Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/tipc/node.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3eb1b39627892c4e26cb0162b75725aa5fcc60c8", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { lessThan: "692803b39a36e63ac73208e0a3769ae6a2f9bc76", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { lessThan: "623c90d86a61e3780f682b32928af469c66ec4c2", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { 
lessThan: "b57a4a2dc8746cea58a922ebe31b6aa629d69d93", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { lessThan: "6808b41371670c51feea14f63ade211e78100930", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { lessThan: "2ebe8f840c7450ecbfca9d18ac92e9ce9155e269", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/tipc/node.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.5", }, { lessThan: "5.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: force a dst refcount before doing decryption\n\nAs it says in commit 3bc07321ccc2 (\"xfrm: Force a dst refcount before\nentering the xfrm type handlers\"):\n\n\"Crypto requests might return asynchronous. 
In this case we leave the\n rcu protected region, so force a refcount on the skb's destination\n entry before we enter the xfrm type input/output handlers.\"\n\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\n\nShuang reported this issue when this warning is triggered:\n\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n [] Workqueue: crypto cryptd_queue_worker\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Call Trace:\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n [] tipc_rcv+0xcf5/0x1060 [tipc]\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n [] cryptd_aead_crypt+0xdb/0x190\n [] cryptd_queue_worker+0xed/0x190\n [] process_one_work+0x93d/0x17e0", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:26.705Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8", }, { url: "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76", }, { url: "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2", }, { url: "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93", }, { url: "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930", }, { url: "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269", }, ], title: "tipc: force a dst refcount before doing decryption", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40983", datePublished: "2024-07-12T12:33:57.263Z", dateReserved: "2024-07-12T12:17:45.604Z", dateUpdated: "2024-12-19T09:09:26.705Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40899
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
We got the following issue in a fuzz test of randomly issuing the restore
command:
==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0
Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962
CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542
Call Trace:
kasan_report+0x94/0xc0
cachefiles_ondemand_daemon_read+0x609/0xab0
vfs_read+0x169/0xb50
ksys_read+0xf5/0x1e0
Allocated by task 626:
__kmalloc+0x1df/0x4b0
cachefiles_ondemand_send_req+0x24d/0x690
cachefiles_create_tmpfile+0x249/0xb30
cachefiles_create_file+0x6f/0x140
cachefiles_look_up_object+0x29c/0xa60
cachefiles_lookup_cookie+0x37d/0xca0
fscache_cookie_state_machine+0x43c/0x1230
[...]
Freed by task 626:
kfree+0xf1/0x2c0
cachefiles_ondemand_send_req+0x568/0x690
cachefiles_create_tmpfile+0x249/0xb30
cachefiles_create_file+0x6f/0x140
cachefiles_look_up_object+0x29c/0xa60
cachefiles_lookup_cookie+0x37d/0xca0
fscache_cookie_state_machine+0x43c/0x1230
[...]
==================================================================
Following is the process that triggers the issue:
     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              cachefiles_ondemand_get_fd
              copy_to_user(_buffer, msg, n)
            process_open_req(REQ_A)
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW);

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req

             write(devfd, ("copen %u,%llu", msg->msg_id, size));
             cachefiles_ondemand_copen
              xa_erase(&cache->reqs, id)
              complete(&REQ_A->done)
   kfree(REQ_A)
                                    cachefiles_ondemand_get_fd(REQ_A)
                                     fd = get_unused_fd_flags
                                     file = anon_inode_getfile
                                     fd_install(fd, file)
                                     load = (void *)REQ_A->msg.data;
                                     load->fd = fd;
                                     // load UAF !!!
This issue is caused by issuing a restore command when the daemon is still
alive, which results in a request being processed multiple times thus
triggering a UAF. So to avoid this problem, add an additional reference
count to cachefiles_req, which is held while waiting and reading, and then
released when the waiting and reading is over.
Note that since there is only one reference count for waiting, we need to
avoid the same request being completed multiple times, so we can only
complete the request if it is successfully removed from the xarray.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.873Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40899", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:37.680820Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:38.781Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/cachefiles/internal.h", "fs/cachefiles/ondemand.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "99e9c5bd27ddefa0f9db88625bf5e31c1e833d62", status: "affected", version: "a0cc87f86698174aacc083c4652d2606007dd902", versionType: "git", }, { lessThan: "a6de82765e12fb1201ab607f0d3ffe3309b30fc0", status: "affected", version: "9f5fa40f0924e9de85b16c6d1aea80327ce647d8", versionType: "git", }, { lessThan: "1d902d9a3aa4f2a8bda698294e34be788be012fc", status: "affected", version: "e73fa11a356ca0905c3cc648eaacc6f0f2d2c8b3", versionType: "git", }, { lessThan: "de3e26f9e5b76fc628077578c001c4a51bf54d06", status: "affected", version: "e73fa11a356ca0905c3cc648eaacc6f0f2d2c8b3", versionType: "git", }, ], }, { defaultStatus: "affected", 
product: "Linux", programFiles: [ "fs/cachefiles/internal.h", "fs/cachefiles/ondemand.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | 
daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n cachefiles_ondemand_get_fd\n copy_to_user(_buffer, msg, n)\n process_open_req(REQ_A)\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n\n write(devfd, (\"copen %u,%llu\", msg->msg_id, size));\n cachefiles_ondemand_copen\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n kfree(REQ_A)\n cachefiles_ondemand_get_fd(REQ_A)\n fd = get_unused_fd_flags\n file = anon_inode_getfile\n fd_install(fd, file)\n load = (void *)REQ_A->msg.data;\n load->fd = fd;\n // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. 
So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading is over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:36.566Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62", }, { url: "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0", }, { url: "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc", }, { url: "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06", }, ], title: "cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40899", datePublished: "2024-07-12T12:20:41.541Z", dateReserved: "2024-07-12T12:17:45.579Z", dateUpdated: "2024-12-19T09:07:36.566Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40911
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: Lock wiphy in cfg80211_get_station
Wiphy should be locked before calling rdev_get_station() (see lockdep
assert in ieee80211_get_station()).
This fixes the following kernel NULL dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000
[0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] SMP
Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath
CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705
Hardware name: RPT (r1) (DT)
Workqueue: bat_events batadv_v_elp_throughput_metric_update
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
lr : sta_set_sinfo+0xcc/0xbd4
sp : ffff000007b43ad0
x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98
x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000
x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc
x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000
x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d
x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e
x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000
x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000
x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90
x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000
Call trace:
ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
sta_set_sinfo+0xcc/0xbd4
ieee80211_get_station+0x2c/0x44
cfg80211_get_station+0x80/0x154
batadv_v_elp_get_throughput+0x138/0x1fc
batadv_v_elp_throughput_metric_update+0x1c/0xa4
process_one_work+0x1ec/0x414
worker_thread+0x70/0x46c
kthread+0xdc/0xe0
ret_from_fork+0x10/0x20
Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)
This happens because the STA has time to disconnect and reconnect before
the batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In
this situation, ath10k_sta_state() can be in the middle of resetting
arsta data when the work queue gets a chance to be scheduled and ends up
accessing it. Locking wiphy prevents that.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 7406353d43c8e2faf478721e87aeb6f2f9685de0 Version: 7406353d43c8e2faf478721e87aeb6f2f9685de0 Version: 7406353d43c8e2faf478721e87aeb6f2f9685de0 Version: 7406353d43c8e2faf478721e87aeb6f2f9685de0 Version: 7406353d43c8e2faf478721e87aeb6f2f9685de0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.419Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40911", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:02.658686Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:37.167Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/wireless/util.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "dfd84ce41663be9ca3f69bd657c45f49b69344d9", status: "affected", version: "7406353d43c8e2faf478721e87aeb6f2f9685de0", versionType: "git", }, { lessThan: "6d540b0317901535275020bd4ac44fac6439ca76", status: "affected", version: "7406353d43c8e2faf478721e87aeb6f2f9685de0", versionType: "git", }, { lessThan: "0ccc63958d8373e15a69f4f8069f3e78f7f3898a", status: "affected", version: "7406353d43c8e2faf478721e87aeb6f2f9685de0", versionType: "git", }, { lessThan: "43e1eefb0b2094e2281150d87d09e8bc872b9fba", status: "affected", version: 
"7406353d43c8e2faf478721e87aeb6f2f9685de0", versionType: "git", }, { lessThan: "642f89daa34567d02f312d03e41523a894906dae", status: "affected", version: "7406353d43c8e2faf478721e87aeb6f2f9685de0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/wireless/util.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.16", }, { lessThan: "3.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\n\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\n\nThis fixes the following kernel NULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\n Internal error: Oops: 0000000096000006 [#1] SMP\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci 
ath10k_core ath9k ath9k_common ath9k_hw ath\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\n Hardware name: RPT (r1) (DT)\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n lr : sta_set_sinfo+0xcc/0xbd4\n sp : ffff000007b43ad0\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\n Call trace:\n ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n sta_set_sinfo+0xcc/0xbd4\n ieee80211_get_station+0x2c/0x44\n cfg80211_get_station+0x80/0x154\n batadv_v_elp_get_throughput+0x138/0x1fc\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x1ec/0x414\n worker_thread+0x70/0x46c\n kthread+0xdc/0xe0\n ret_from_fork+0x10/0x20\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\n\nThis happens because STA has time to disconnect and reconnect before\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue get chance to be scheduled and ends up\naccessing it. 
Locking wiphy prevents that.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:50.487Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9", }, { url: "https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76", }, { url: "https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a", }, { url: "https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba", }, { url: "https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae", }, ], title: "wifi: cfg80211: Lock wiphy in cfg80211_get_station", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40911", datePublished: "2024-07-12T12:20:49.796Z", dateReserved: "2024-07-12T12:17:45.580Z", dateUpdated: "2024-12-19T09:07:50.487Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39497
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)
Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap
allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag
causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:
BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));
Return -EINVAL early if COW mapping is detected.
This bug affects all drm drivers using default shmem helpers.
It can be reproduced by this simple example:
void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);
ptr[0] = 0;
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.499Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39497", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:23.056270Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:40.913Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/drm_gem_shmem_helper.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a508a102edf8735adc9bb73d37dd13c38d1a1b10", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "3ae63a8c1685e16958560ec08d30defdc5b9cca0", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "2219e5f97244b79c276751a1167615b9714db1b0", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "1b4a8b89bf6787090b56424d269bf84ba00c3263", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "03c71c42809ef4b17f5d874cdb2d3bf40e847b86", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: 
"39bc27bd688066a63e56f7f64ad34fae03fbe3b8", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/drm_gem_shmem_helper.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.2", }, { lessThan: "5.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.229", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.169", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.114", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\n\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\nReturn -EINVAL early if COW mapping is detected.\n\nThis bug affects all drm drivers using default shmem helpers.\nIt can be reproduced by this simple example:\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\nptr[0] = 0;", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:20.068Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a508a102edf8735adc9bb73d37dd13c38d1a1b10", 
}, { url: "https://git.kernel.org/stable/c/3ae63a8c1685e16958560ec08d30defdc5b9cca0", }, { url: "https://git.kernel.org/stable/c/2219e5f97244b79c276751a1167615b9714db1b0", }, { url: "https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263", }, { url: "https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86", }, { url: "https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8", }, ], title: "drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39497", datePublished: "2024-07-12T12:20:32.330Z", dateReserved: "2024-06-25T14:23:23.751Z", dateUpdated: "2024-12-19T09:07:20.068Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39494
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Fix use-after-free on a dentry's dname.name
->d_name.name can change on rename and the earlier value can be freed;
there are conditions sufficient to stabilize it (->d_lock on dentry,
->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,
rename_lock), but none of those are met at any of the sites. Take a stable
snapshot of the name instead.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.999Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39494", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:29.508967Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:39.893Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "security/integrity/ima/ima_api.c", "security/integrity/ima/ima_template_lib.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0b31e28fbd773aefb6164687e0767319b8199829", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7fb374981e31c193b1152ed8d3b0a95b671330d4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a78a6f0da57d058e2009e9958fdcef66f165208c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: 
"be84f32bb2c981ca670922e047cdde1488b233de", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "security/integrity/ima/ima_api.c", "security/integrity/ima/ima_template_lib.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.174", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.97", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix use-after-free on a dentry's dname.name\n\n->d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\nrename_lock), but none of those are met at any of the sites. 
Take a stable\nsnapshot of the name instead.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:16.533Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0b31e28fbd773aefb6164687e0767319b8199829", }, { url: "https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4", }, { url: "https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c", }, { url: "https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c", }, { url: "https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de", }, ], title: "ima: Fix use-after-free on a dentry's dname.name", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39494", datePublished: "2024-07-12T12:20:30.348Z", dateReserved: "2024-06-25T14:23:23.748Z", dateUpdated: "2024-12-19T09:07:16.533Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40950
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: huge_memory: fix misused mapping_large_folio_support() for anon folios
When I did a large folios split test, a WARNING "[ 5059.122759][ T166]
Cannot split file folio to non-0 order" was triggered. But the test cases
are only for anonymous folios, while mapping_large_folio_support() is only
reasonable for page cache folios.
In split_huge_page_to_list_to_order(), the folio passed to
mapping_large_folio_support() may be an anonymous folio. The folio_test_anon()
check is missing. So the split of the anonymous THP fails. This is
also the same for shmem_mapping(). We'd better add a check for both. But
the shmem_mapping() in __split_huge_page() is not involved, as for
anonymous folios, the end parameter is set to -1, so (head[i].index >= end)
is always false. shmem_mapping() is not called.
Also add a VM_WARN_ON_ONCE() in mapping_large_folio_support() for anon
mapping, so we can detect the wrong use more easily.
THP folios may exist in the pagecache even if the file system doesn't
support large folios; this is because when CONFIG_TRANSPARENT_HUGEPAGE is
enabled, khugepaged will try to collapse read-only file-backed pages to
THP. But the mapping does not actually support multi order large folios
properly.
Using /sys/kernel/debug/split_huge_pages to verify this, with this patch,
large anon THP is successfully split and the warning ceases.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.883Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/5df493a99fcf887133cf01d23cd4bebb6d385d3c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6a50c9b512f7734bc356f4bd47885a6f7c98491a", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40950", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:01.869844Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:24.864Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/pagemap.h", "mm/huge_memory.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5df493a99fcf887133cf01d23cd4bebb6d385d3c", status: "affected", version: "c010d47f107f609b9f4d6a103b6dfc53889049e9", versionType: "git", }, { lessThan: "6a50c9b512f7734bc356f4bd47885a6f7c98491a", status: "affected", version: "c010d47f107f609b9f4d6a103b6dfc53889049e9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/pagemap.h", "mm/huge_memory.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", 
value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: fix misused mapping_large_folio_support() for anon folios\n\nWhen I did a large folios split test, a WARNING \"[ 5059.122759][ T166]\nCannot split file folio to non-0 order\" was triggered. But the test cases\nare only for anonmous folios. while mapping_large_folio_support() is only\nreasonable for page cache folios.\n\nIn split_huge_page_to_list_to_order(), the folio passed to\nmapping_large_folio_support() maybe anonmous folio. The folio_test_anon()\ncheck is missing. So the split of the anonmous THP is failed. This is\nalso the same for shmem_mapping(). We'd better add a check for both. But\nthe shmem_mapping() in __split_huge_page() is not involved, as for\nanonmous folios, the end parameter is set to -1, so (head[i].index >= end)\nis always false. shmem_mapping() is not called.\n\nAlso add a VM_WARN_ON_ONCE() in mapping_large_folio_support() for anon\nmapping, So we can detect the wrong use more easily.\n\nTHP folios maybe exist in the pagecache even the file system doesn't\nsupport large folio, it is because when CONFIG_TRANSPARENT_HUGEPAGE is\nenabled, khugepaged will try to collapse read-only file-backed pages to\nTHP. 
But the mapping does not actually support multi order large folios\nproperly.\n\nUsing /sys/kernel/debug/split_huge_pages to verify this, with this patch,\nlarge anon THP is successfully split and the warning is ceased.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:46.850Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5df493a99fcf887133cf01d23cd4bebb6d385d3c", }, { url: "https://git.kernel.org/stable/c/6a50c9b512f7734bc356f4bd47885a6f7c98491a", }, ], title: "mm: huge_memory: fix misused mapping_large_folio_support() for anon folios", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40950", datePublished: "2024-07-12T12:31:54.815Z", dateReserved: "2024-07-12T12:17:45.591Z", dateUpdated: "2024-12-19T09:08:46.850Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40957
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors
input_action_end_dx4() and input_action_end_dx6() call NF_HOOK() for the
PREROUTING hook. In the PREROUTING hook, we should pass a valid indev
and a NULL outdev to NF_HOOK(), otherwise it may trigger a NULL pointer
dereference, as below:
[74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090
[74830.655633] #PF: supervisor read access in kernel mode
[74830.657888] #PF: error_code(0x0000) - not-present page
[74830.659500] PGD 0 P4D 0
[74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI
...
[74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]
...
[74830.689725] Call Trace:
[74830.690402] <IRQ>
[74830.690953] ? show_trace_log_lvl+0x1c4/0x2df
[74830.692020] ? show_trace_log_lvl+0x1c4/0x2df
[74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]
[74830.694275] ? __die_body.cold+0x8/0xd
[74830.695205] ? page_fault_oops+0xac/0x140
[74830.696244] ? exc_page_fault+0x62/0x150
[74830.697225] ? asm_exc_page_fault+0x22/0x30
[74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]
[74830.699540] ipt_do_table+0x286/0x710 [ip_tables]
[74830.700758] ? ip6_route_input+0x19d/0x240
[74830.701752] nf_hook_slow+0x3f/0xb0
[74830.702678] input_action_end_dx4+0x19b/0x1e0
[74830.703735] ? input_action_end_t+0xe0/0xe0
[74830.704734] seg6_local_input_core+0x2d/0x60
[74830.705782] lwtunnel_input+0x5b/0xb0
[74830.706690] __netif_receive_skb_one_core+0x63/0xa0
[74830.707825] process_backlog+0x99/0x140
[74830.709538] __napi_poll+0x2c/0x160
[74830.710673] net_rx_action+0x296/0x350
[74830.711860] __do_softirq+0xcb/0x2ac
[74830.713049] do_softirq+0x63/0x90
input_action_end_dx4() passes a NULL indev to NF_HOOK(), which finally
triggers a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():
static bool
rpfilter_is_loopback(const struct sk_buff *skb,
                     const struct net_device *in)
{
        // in is NULL
        return skb->pkt_type == PACKET_LOOPBACK ||
               in->flags & IFF_LOOPBACK;
}
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 7a3f5b0de3647c854e34269c3332d7a1e902901a Version: 7a3f5b0de3647c854e34269c3332d7a1e902901a Version: 7a3f5b0de3647c854e34269c3332d7a1e902901a Version: 7a3f5b0de3647c854e34269c3332d7a1e902901a Version: 7a3f5b0de3647c854e34269c3332d7a1e902901a
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.923Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40957", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:38.761289Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:24.035Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv6/seg6_local.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "af90e3d73dc45778767b2fb6e7edd57ebe34380d", status: "affected", version: "7a3f5b0de3647c854e34269c3332d7a1e902901a", versionType: "git", }, { lessThan: "ec4d970b597ee5e17b0d8d73b7875197ce9a04d4", status: "affected", version: "7a3f5b0de3647c854e34269c3332d7a1e902901a", versionType: "git", }, { lessThan: "d62df86c172033679d744f07d89e93e367dd11f6", status: "affected", version: "7a3f5b0de3647c854e34269c3332d7a1e902901a", versionType: "git", }, { lessThan: "561475d53aa7e4511ee7cdba8728ded81cf1db1c", status: "affected", version: 
"7a3f5b0de3647c854e34269c3332d7a1e902901a", versionType: "git", }, { lessThan: "9a3bc8d16e0aacd65c31aaf23a2bced3288a7779", status: "affected", version: "7a3f5b0de3647c854e34269c3332d7a1e902901a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv6/seg6_local.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n [74830.655633] #PF: supervisor read access in kernel mode\n [74830.657888] #PF: error_code(0x0000) - not-present page\n [74830.659500] PGD 0 P4D 0\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n ...\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n ...\n [74830.689725] Call Trace:\n [74830.690402] <IRQ>\n [74830.690953] ? 
show_trace_log_lvl+0x1c4/0x2df\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\n [74830.694275] ? __die_body.cold+0x8/0xd\n [74830.695205] ? page_fault_oops+0xac/0x140\n [74830.696244] ? exc_page_fault+0x62/0x150\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\n [74830.700758] ? ip6_route_input+0x19d/0x240\n [74830.701752] nf_hook_slow+0x3f/0xb0\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\n [74830.703735] ? input_action_end_t+0xe0/0xe0\n [74830.704734] seg6_local_input_core+0x2d/0x60\n [74830.705782] lwtunnel_input+0x5b/0xb0\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\n [74830.707825] process_backlog+0x99/0x140\n [74830.709538] __napi_poll+0x2c/0x160\n [74830.710673] net_rx_action+0x296/0x350\n [74830.711860] __do_softirq+0xcb/0x2ac\n [74830.713049] do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\n\n static bool\n rpfilter_is_loopback(const struct sk_buff *skb,\n \t const struct net_device *in)\n {\n // in is NULL\n return skb->pkt_type == PACKET_LOOPBACK ||\n \t in->flags & IFF_LOOPBACK;\n }", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:55.338Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d", }, { url: "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4", }, { url: "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6", }, { url: "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c", }, { url: "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779", }, ], title: "seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors", 
x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40957", datePublished: "2024-07-12T12:31:59.747Z", dateReserved: "2024-07-12T12:17:45.593Z", dateUpdated: "2024-12-19T09:08:55.338Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40970
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

Avoid hw_desc array overrun in dw-axi-dmac

I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3
segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()
handles the hw_desc considering the descs_allocated, this scenario would result in a
kernel panic (hw_desc array will be overrun).

To fix this, the proposal is to add a new member to the axi_dma_desc structure,
where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in
axi_desc_put() to handle the hw_desc array correctly.

Additionally I propose to remove the axi_chan_start_first_queued() call after completing
the transfer, since it was identified that unbalance can occur (started descriptors can
be interrupted and transfer ignored due to DMA channel not being enabled).
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.177Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40970", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:57.618240Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:22.651Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c", "drivers/dma/dw-axi-dmac/dw-axi-dmac.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "dd42570018f5962c10f215ad9c21274ed5d3541e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: 
"9004784e8d68bcd1ac1376407ba296fa28f04dbe", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "333e11bf47fa8d477db90e2900b1ed3c9ae9b697", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c", "drivers/dma/dw-axi-dmac/dw-axi-dmac.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nAvoid hw_desc array overrun in dw-axi-dmac\n\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\nsegments, resulting in the DMA channel descs_allocated to be 9. 
Since axi_desc_put()\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\nkernel panic (hw_desc array will be overrun).\n\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\naxi_desc_put() to handle the hw_desc array correctly.\n\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\nthe transfer, since it was identified that unbalance can occur (started descriptors can\nbe interrupted and transfer ignored due to DMA channel not being enabled).", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:10.766Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5", }, { url: "https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e", }, { url: "https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66", }, { url: "https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe", }, { url: "https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697", }, ], title: "Avoid hw_desc array overrun in dw-axi-dmac", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40970", datePublished: "2024-07-12T12:32:08.788Z", dateReserved: "2024-07-12T12:17:45.603Z", dateUpdated: "2024-12-19T09:09:10.766Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40909
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a potential use-after-free in bpf_link_free()

After commit 1a80dbcb2dba, bpf_link can be freed by
link->ops->dealloc_deferred, but the code still tests and uses
link->ops->dealloc afterward, which leads to a use-after-free as
reported by syzbot. Actually, one of them should be sufficient, so
just call one of them instead of both. Also add a WARN_ON() in case
of any problematic implementation.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.487Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/91cff53136daeff50816b0baeafd38a6976f6209", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fa97b8fed9896f1e89cb657513e483a152d4c382", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2884dc7d08d98a89d8d65121524bb7533183a63a", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40909", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:09.099919Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:37.410Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/bpf/syscall.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "91cff53136daeff50816b0baeafd38a6976f6209", status: "affected", version: "876941f533e7b47fc69977fc4551c02f2d18af97", versionType: "git", }, { lessThan: "fa97b8fed9896f1e89cb657513e483a152d4c382", status: "affected", version: "1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce", versionType: "git", }, { lessThan: "2884dc7d08d98a89d8d65121524bb7533183a63a", status: "affected", version: "1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/bpf/syscall.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: 
"6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a potential use-after-free in bpf_link_free()\n\nAfter commit 1a80dbcb2dba, bpf_link can be freed by\nlink->ops->dealloc_deferred, but the code still tests and uses\nlink->ops->dealloc afterward, which leads to a use-after-free as\nreported by syzbot. Actually, one of them should be sufficient, so\njust call one of them instead of both. Also add a WARN_ON() in case\nof any problematic implementation.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:48.226Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/91cff53136daeff50816b0baeafd38a6976f6209", }, { url: "https://git.kernel.org/stable/c/fa97b8fed9896f1e89cb657513e483a152d4c382", }, { url: "https://git.kernel.org/stable/c/2884dc7d08d98a89d8d65121524bb7533183a63a", }, ], title: "bpf: Fix a potential use-after-free in bpf_link_free()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40909", datePublished: "2024-07-12T12:20:48.447Z", dateReserved: "2024-07-12T12:17:45.580Z", dateUpdated: "2024-12-19T09:07:48.226Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40903
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps

There could be a potential use-after-free case in
tcpm_register_source_caps(). This could happen when:
 * new (say invalid) source caps are advertised
 * the existing source caps are unregistered
 * tcpm_register_source_caps() returns with an error as
   usb_power_delivery_register_capabilities() fails

This causes port->partner_source_caps to hold on to the now freed source
caps.

Reset port->partner_source_caps value to NULL after unregistering
existing source caps.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:54.867Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4053696594d7235f3638d49a00cf0f289e4b36a3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/04c05d50fa79a41582f7bde8a1fd4377ae4a39e5", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6b67b652849faf108a09647c7fde9b179ef24e2b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e7e921918d905544500ca7a95889f898121ba886", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40903", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:28.165210Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:38.436Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/usb/typec/tcpm/tcpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4053696594d7235f3638d49a00cf0f289e4b36a3", status: "affected", version: "cfcd544a9974c6b6fb37ca385146e4796dcaf66d", versionType: "git", }, { lessThan: "04c05d50fa79a41582f7bde8a1fd4377ae4a39e5", status: "affected", version: "b16abab1fb645c4b7a86c357dc83a48cf21c2795", versionType: "git", }, { lessThan: "6b67b652849faf108a09647c7fde9b179ef24e2b", status: "affected", version: "230ecdf71a644c9c73e0e6735b33173074ae3f94", versionType: "git", }, { lessThan: "e7e921918d905544500ca7a95889f898121ba886", status: "affected", version: "230ecdf71a644c9c73e0e6735b33173074ae3f94", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", 
programFiles: [ "drivers/usb/typec/tcpm/tcpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps\n\nThere could be a potential use-after-free case in\ntcpm_register_source_caps(). This could happen when:\n * new (say invalid) source caps are advertised\n * the existing source caps are unregistered\n * tcpm_register_source_caps() returns with an error as\n usb_power_delivery_register_capabilities() fails\n\nThis causes port->partner_source_caps to hold on to the now freed source\ncaps.\n\nReset port->partner_source_caps value to NULL after unregistering\nexisting source caps.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:41.205Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4053696594d7235f3638d49a00cf0f289e4b36a3", }, { url: "https://git.kernel.org/stable/c/04c05d50fa79a41582f7bde8a1fd4377ae4a39e5", }, { url: "https://git.kernel.org/stable/c/6b67b652849faf108a09647c7fde9b179ef24e2b", }, { url: "https://git.kernel.org/stable/c/e7e921918d905544500ca7a95889f898121ba886", }, ], title: "usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { 
assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40903", datePublished: "2024-07-12T12:20:44.367Z", dateReserved: "2024-07-12T12:17:45.579Z", dateUpdated: "2024-12-19T09:07:41.205Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40979
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix kernel crash during resume

Currently during resume, QMI target memory is not properly handled, resulting
in kernel crash in case DMA remap is not supported:

BUG: Bad page state in process kworker/u16:54 pfn:36e80
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80
page dumped because: nonzero _refcount
Call Trace:
 bad_page
 free_page_is_bad_report
 __free_pages_ok
 __free_pages
 dma_direct_free
 dma_free_attrs
 ath12k_qmi_free_target_mem_chunk
 ath12k_qmi_msg_mem_request_cb

The reason is:
Once ath12k module is loaded, firmware sends memory request to host. In case
DMA remap not supported, ath12k refuses the first request due to failure in
allocating with large segment size:

ath12k_pci 0000:04:00.0: qmi firmware request memory request
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144
ath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size
ath12k_pci 0000:04:00.0: qmi delays mem_request 2
ath12k_pci 0000:04:00.0: qmi firmware request memory request

Later firmware comes back with more but small segments and allocation
succeeds:

ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288

Now ath12k is working. If suspend is triggered, firmware will be reloaded
during resume. As same as before, firmware requests two large segments at
first. In ath12k_qmi_msg_mem_request_cb() segment count and size are
assigned:

    ab->qmi.mem_seg_count == 2
    ab->qmi.target_mem[0].size == 7077888
    ab->qmi.target_mem[1].size == 8454144

Then allocation failed like before and ath12k_qmi_free_target_mem_chunk()
is called to free all allocated segments. Note the first segment is skipped
because its v.addr is cleared due to allocation failure:

    chunk->v.addr = dma_alloc_coherent()

Also note that this leaks that segment because it has not been freed.

While freeing the second segment, a size of 8454144 is passed to
dma_free_coherent(). However remember that this segment is allocated at
the first time firmware is loaded, before suspend. So its real size is
524288, much smaller than 8454144. As a result kernel found we are freeing
some memory which is in use and thus cras
---truncated---
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.885Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40979", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:27.015778Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:21.625Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath12k/core.c", "drivers/net/wireless/ath/ath12k/qmi.c", "drivers/net/wireless/ath/ath12k/qmi.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bb50a4e711ff95348ad53641acb1306d89eb4c3a", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, { lessThan: "303c017821d88ebad887814114d4e5966d320b28", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath12k/core.c", "drivers/net/wireless/ath/ath12k/qmi.c", "drivers/net/wireless/ath/ath12k/qmi.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.3", }, { lessThan: "6.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: 
"semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix kernel crash during resume\n\nCurrently during resume, QMI target memory is not properly handled, resulting\nin kernel crash in case DMA remap is not supported:\n\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\npage dumped because: nonzero _refcount\nCall Trace:\n bad_page\n free_page_is_bad_report\n __free_pages_ok\n __free_pages\n dma_direct_free\n dma_free_attrs\n ath12k_qmi_free_target_mem_chunk\n ath12k_qmi_msg_mem_request_cb\n\nThe reason is:\nOnce ath12k module is loaded, firmware sends memory request to host. In case\nDMA remap not supported, ath12k refuses the first request due to failure in\nallocating with large segment size:\n\nath12k_pci 0000:04:00.0: qmi firmware request memory request\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\nath12k_pci 0000:04:00.0: qmi firmware request memory request\n\nLater firmware comes back with more but small segments and allocation\nsucceeds:\n\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 
0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\n\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\nduring resume. As same as before, firmware requests two large segments at\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\nassigned:\n\n\tab->qmi.mem_seg_count == 2\n\tab->qmi.target_mem[0].size == 7077888\n\tab->qmi.target_mem[1].size == 8454144\n\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\nis called to free all allocated segments. 
Note the first segment is skipped\nbecause its v.addr is cleared due to allocation failure:\n\n\tchunk->v.addr = dma_alloc_coherent()\n\nAlso note that this leaks that segment because it has not been freed.\n\nWhile freeing the second segment, a size of 8454144 is passed to\ndma_free_coherent(). However remember that this segment is allocated at\nthe first time firmware is loaded, before suspend. So its real size is\n524288, much smaller than 8454144. As a result kernel found we are freeing\nsome memory which is in use and thus cras\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:21.680Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a", }, { url: "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28", }, ], title: "wifi: ath12k: fix kernel crash during resume", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40979", datePublished: "2024-07-12T12:32:14.902Z", dateReserved: "2024-07-12T12:17:45.604Z", dateUpdated: "2024-12-19T09:09:21.680Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40990
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Add check for srq max_sge attribute

max_sge attribute is passed by the user, and is inserted and used
unchecked, so verify that the value doesn't exceed maximum allowed value
before using it.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c Version: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c Version: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c Version: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c Version: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c Version: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.093Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40990", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:51.391484Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:20.373Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/hw/mlx5/srq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7186b81c1f15e39069b1af172c6a951728ed3511", status: "affected", version: "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", versionType: "git", }, { lessThan: "1e692244bf7dd827dd72edc6c4a3b36ae572f03c", status: "affected", version: "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", versionType: "git", }, { lessThan: "999586418600b4b3b93c2a0edd3a4ca71ee759bf", status: "affected", version: "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", 
versionType: "git", }, { lessThan: "e0deb0e9c967b61420235f7f17a4450b4b4d6ce2", status: "affected", version: "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", versionType: "git", }, { lessThan: "4ab99e3613139f026d2d8ba954819e2876120ab3", status: "affected", version: "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", versionType: "git", }, { lessThan: "36ab7ada64caf08f10ee5a114d39964d1f91e81d", status: "affected", version: "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/hw/mlx5/srq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.11", }, { lessThan: "3.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Add check for srq max_sge attribute\n\nmax_sge attribute is passed by the user, and is inserted and used\nunchecked, so verify that the value doesn't exceed maximum allowed value\nbefore using it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:35.165Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511", }, { url: 
"https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c", }, { url: "https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf", }, { url: "https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2", }, { url: "https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3", }, { url: "https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d", }, ], title: "RDMA/mlx5: Add check for srq max_sge attribute", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40990", datePublished: "2024-07-12T12:37:34.485Z", dateReserved: "2024-07-12T12:17:45.605Z", dateUpdated: "2024-12-19T09:09:35.165Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40959
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
RSP: 0018:ffffc90000117378 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.894Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40959", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:32.493847Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:23.806Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv6/xfrm6_policy.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c71761292d4d002a8eccb57b86792c4e3b3eb3c7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3", status: 
"affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "20427b85781aca0ad072851f6907a3d4b2fed8d1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "83c02fb2cc0afee5bb53cddf3f34f045f654ad6a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f897d7171652fcfc76d042bfec798b010ee89e41", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "600a62b4232ac027f788c3ca395bc2333adeaacf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d46401052c2d5614da8efea5788532f0401cb164", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv6/xfrm6_policy.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.12", }, { lessThan: "2.6.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: 
"semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\n\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n 
xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:57.738Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7", }, { url: "https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3", }, { url: "https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1", }, { url: "https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08", }, { url: "https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a", }, { url: "https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41", }, { url: "https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf", }, { url: "https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164", }, ], title: "xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", x_generator: { engine: 
"bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40959", datePublished: "2024-07-12T12:32:01.149Z", dateReserved: "2024-07-12T12:17:45.593Z", dateUpdated: "2024-12-19T09:08:57.738Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39499
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
vmci: prevent speculation leaks by sanitizing event in event_deliver()
Coverity spotted that event_msg is controlled by user-space,
event_msg->event_data.event is passed to event_deliver() and used
as an index without sanitization.
This change ensures that the event index is sanitized to mitigate any
possibility of speculative information leaks.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
Only compile tested, no access to HW.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a Version: 1d990201f9bb499b7c76ab00abeb7e803c0bcb2a
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.899Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39499", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:16.825229Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:40.701Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/misc/vmw_vmci/vmci_event.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81", status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, { lessThan: "681967c4ff210e06380acf9b9a1b33ae06e77cbd", 
status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, { lessThan: "f70ff737346744633e7b655c1fb23e1578491ff3", status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, { lessThan: "95ac3e773a1f8da83c4710a720fbfe80055aafae", status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, { lessThan: "95bac1c8bedb362374ea1937b1d3e833e01174ee", status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, { lessThan: "e293c6b38ac9029d76ff0d2a6b2d74131709a9a8", status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, { lessThan: "757804e1c599af5d2a7f864c8e8b2842406ff4bb", status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, { lessThan: "8003f00d895310d409b2bf9ef907c56b42a4e0f4", status: "affected", version: "1d990201f9bb499b7c76ab00abeb7e803c0bcb2a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/misc/vmw_vmci/vmci_event.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.9", }, { lessThan: "3.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.317", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", 
versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\n\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg->event_data.event is passed to event_deliver() and used\nas an index without sanitization.\n\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\n\nOnly compile tested, no access to HW.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:22.375Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81", }, { url: "https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd", }, { url: "https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3", }, { url: "https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae", }, { url: "https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee", }, { url: "https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8", }, { url: "https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb", }, { url: "https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4", }, ], title: "vmci: prevent speculation leaks by sanitizing event in event_deliver()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39499", datePublished: "2024-07-12T12:20:33.658Z", dateReserved: "2024-06-25T14:23:23.751Z", dateUpdated: "2024-12-19T09:07:22.375Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40905
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix possible race in __fib6_drop_pcpu_from()
syzbot found a race in __fib6_drop_pcpu_from() [1]
If compiler reads more than once (*ppcpu_rt),
second read could read NULL, if another cpu clears
the value in rt6_get_pcpu_route().
Add a READ_ONCE() to prevent this race.
Also add rcu_read_lock()/rcu_read_unlock() because
we rely on RCU protection while dereferencing pcpu_rt.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: netns cleanup_net
RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
RSP: 0018:ffffc900040df070 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
__fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
dev_close_many+0x333/0x6a0 net/core/dev.c:1585
unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
unregister_netdevice_many net/core/dev.c:11276 [inline]
default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: d52d3997f843ffefaa8d8462790ffcaca6c74192 Version: d52d3997f843ffefaa8d8462790ffcaca6c74192 Version: d52d3997f843ffefaa8d8462790ffcaca6c74192 Version: d52d3997f843ffefaa8d8462790ffcaca6c74192 Version: d52d3997f843ffefaa8d8462790ffcaca6c74192 Version: d52d3997f843ffefaa8d8462790ffcaca6c74192 Version: d52d3997f843ffefaa8d8462790ffcaca6c74192
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.398Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40905", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:21.867829Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:38.202Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv6/ip6_fib.c", "net/ipv6/route.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c90af1cced2f669a7b2304584be4ada495eaa0e5", status: "affected", version: "d52d3997f843ffefaa8d8462790ffcaca6c74192", versionType: "git", }, { lessThan: "c693698787660c97950bc1f93a8dd19d8307153d", status: "affected", version: "d52d3997f843ffefaa8d8462790ffcaca6c74192", versionType: "git", }, { lessThan: 
"a0bc020592b54a8f3fa2b7f244b6e39e526c2e12", status: "affected", version: "d52d3997f843ffefaa8d8462790ffcaca6c74192", versionType: "git", }, { lessThan: "2498960dac9b6fc49b6d1574f7cd1a4872744adf", status: "affected", version: "d52d3997f843ffefaa8d8462790ffcaca6c74192", versionType: "git", }, { lessThan: "7e796c3fefa8b17b30e7252886ae8cffacd2b9ef", status: "affected", version: "d52d3997f843ffefaa8d8462790ffcaca6c74192", versionType: "git", }, { lessThan: "09e5a5a80e205922151136069e440477d6816914", status: "affected", version: "d52d3997f843ffefaa8d8462790ffcaca6c74192", versionType: "git", }, { lessThan: "b01e1c030770ff3b4fe37fc7cc6bca03f594133f", status: "affected", version: "d52d3997f843ffefaa8d8462790ffcaca6c74192", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv6/ip6_fib.c", "net/ipv6/route.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.2", }, { lessThan: "4.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf 
compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n fib6_clean_node+0x426/0x5b0 
net/ipv6/ip6_fib.c:2205\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n unregister_netdevice_many net/core/dev.c:11276 [inline]\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:43.524Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5", }, { url: "https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d", }, { url: "https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12", }, { url: "https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf", }, { url: "https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef", }, { url: 
"https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914", }, { url: "https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f", }, ], title: "ipv6: fix possible race in __fib6_drop_pcpu_from()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40905", datePublished: "2024-07-12T12:20:45.832Z", dateReserved: "2024-07-12T12:17:45.580Z", dateUpdated: "2024-12-19T09:07:43.524Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40920
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: mst: fix suspicious rcu usage in br_mst_set_state
I converted br_mst_set_state to RCU to avoid a vlan use-after-free
but forgot to change the vlan group dereference helper. Switch to vlan
group RCU deref helper to fix the suspicious rcu usage warning.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8ca9a750fc711911ef616ceb627d07357b04545e Version: 4488617e5e995a09abe4d81add5fb165674edb59 Version: e43dd2b1ec746e105b7db5f9ad6ef14685a615a4 Version: 3a7c1661ae1383364cd6092d851f5e5da64d476b
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.750Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/caaa2129784a04dcade0ea92c12e6ff90bbd23d8", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7caefa2771722e65496d85b62e1dc4442b7d1345", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/406bfc04b01ee47e4c626f77ecc7d9f85135b166", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/546ceb1dfdac866648ec959cbc71d9525bd73462", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40920", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:33.673278Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:03.619Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bridge/br_mst.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "caaa2129784a04dcade0ea92c12e6ff90bbd23d8", status: "affected", version: "8ca9a750fc711911ef616ceb627d07357b04545e", versionType: "git", }, { lessThan: "7caefa2771722e65496d85b62e1dc4442b7d1345", status: "affected", version: "4488617e5e995a09abe4d81add5fb165674edb59", versionType: "git", }, { lessThan: "406bfc04b01ee47e4c626f77ecc7d9f85135b166", status: "affected", version: "e43dd2b1ec746e105b7db5f9ad6ef14685a615a4", versionType: "git", }, { lessThan: "546ceb1dfdac866648ec959cbc71d9525bd73462", status: "affected", version: "3a7c1661ae1383364cd6092d851f5e5da64d476b", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ 
"net/bridge/br_mst.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6.1.95", status: "affected", version: "6.1.93", versionType: "semver", }, { lessThan: "6.6.35", status: "affected", version: "6.6.33", versionType: "semver", }, { lessThan: "6.9.6", status: "affected", version: "6.9.3", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix suspicious rcu usage in br_mst_set_state\n\nI converted br_mst_set_state to RCU to avoid a vlan use-after-free\nbut forgot to change the vlan group dereference helper. Switch to vlan\ngroup RCU deref helper to fix the suspicious rcu usage warning.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:12.802Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/caaa2129784a04dcade0ea92c12e6ff90bbd23d8", }, { url: "https://git.kernel.org/stable/c/7caefa2771722e65496d85b62e1dc4442b7d1345", }, { url: "https://git.kernel.org/stable/c/406bfc04b01ee47e4c626f77ecc7d9f85135b166", }, { url: "https://git.kernel.org/stable/c/546ceb1dfdac866648ec959cbc71d9525bd73462", }, ], title: "net: bridge: mst: fix suspicious rcu usage in br_mst_set_state", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40920", datePublished: "2024-07-12T12:25:02.222Z", dateReserved: "2024-07-12T12:17:45.582Z", dateUpdated: "2024-12-19T09:08:12.802Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40977
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2025-01-17 15:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921s: fix potential hung tasks during chip recovery
During chip recovery (e.g. chip reset), there is a possible situation that
kernel worker reset_work is holding the lock and waiting for kernel thread
stat_worker to be parked, while stat_worker is waiting for the release of
the same lock.
It causes a deadlock resulting in the dumping of hung tasks messages and
possible rebooting of the device.
This patch prevents the execution of stat_worker during the chip recovery.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.879Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40977", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:34.340786Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:21.862Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mt7921/mac.c", "drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c", "drivers/net/wireless/mediatek/mt76/mt7921/sdio_mac.c", "drivers/net/wireless/mediatek/mt76/sdio.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08", status: "affected", version: "7bc04215a66b60e198aecaee8418f6d79fa19faa", versionType: "git", }, { lessThan: "85edd783f4539a994d66c4c014d5858f490b7a02", status: "affected", version: "7bc04215a66b60e198aecaee8418f6d79fa19faa", versionType: "git", }, { lessThan: "e974dd4c22a23ec3ce579fb6d31a674ac0435da9", status: "affected", version: "7bc04215a66b60e198aecaee8418f6d79fa19faa", versionType: "git", }, { lessThan: 
"ecf0b2b8a37c8464186620bef37812a117ff6366", status: "affected", version: "7bc04215a66b60e198aecaee8418f6d79fa19faa", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mt7921/mac.c", "drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c", "drivers/net/wireless/mediatek/mt76/mt7921/sdio_mac.c", "drivers/net/wireless/mediatek/mt76/sdio.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.16", }, { lessThan: "4.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\n\nDuring chip recovery (e.g. 
chip reset), there is a possible situation that\nkernel worker reset_work is holding the lock and waiting for kernel thread\nstat_worker to be parked, while stat_worker is waiting for the release of\nthe same lock.\nIt causes a deadlock resulting in the dumping of hung tasks messages and\npossible rebooting of the device.\n\nThis patch prevents the execution of stat_worker during the chip recovery.", }, ], providerMetadata: { dateUpdated: "2025-01-17T15:56:08.500Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08", }, { url: "https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02", }, { url: "https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9", }, { url: "https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366", }, ], title: "wifi: mt76: mt7921s: fix potential hung tasks during chip recovery", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40977", datePublished: "2024-07-12T12:32:13.447Z", dateReserved: "2024-07-12T12:17:45.603Z", dateUpdated: "2025-01-17T15:56:08.500Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-41005
Vulnerability from cvelistv5
Published
2024-07-12 12:44
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
netpoll: Fix race condition in netpoll_owner_active
KCSAN detected a race condition in netpoll:
BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb
write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:
net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)
<snip>
read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:
netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)
netpoll_send_udp (net/core/netpoll.c:?)
<snip>
value changed: 0x0000000a -> 0xffffffff
This happens because netpoll_owner_active() needs to check if the
current CPU is the owner of the lock, touching napi->poll_owner
non atomically. The ->poll_owner field contains the current CPU holding
the lock.
Use an atomic read to check if the poll owner is the current CPU.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.066Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-41005", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:02.203539Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:18.654Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/core/netpoll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "43c0ca793a18578a0f5b305dd77fcf7ed99f1265", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "96826b16ef9c6568d31a1f6ceaa266411a46e46c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, 
{ lessThan: "3f1a155950a1685ffd0fd7175b3f671da8771f3d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a130e7da73ae93afdb4659842267eec734ffbd57", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c2e6a872bde9912f1a7579639c5ca3adf1003916", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/core/netpoll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n<snip>\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n<snip>\n\tvalue changed: 0x0000000a -> 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check 
if the\ncurrent CPU is the owner of the lock, touching napi->poll_owner\nnon atomically. The ->poll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:53.516Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265", }, { url: "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e", }, { url: "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c", }, { url: "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d", }, { url: "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57", }, { url: "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916", }, ], title: "netpoll: Fix race condition in netpoll_owner_active", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-41005", datePublished: "2024-07-12T12:44:40.467Z", dateReserved: "2024-07-12T12:17:45.610Z", dateUpdated: "2024-12-19T09:09:53.516Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52885
Vulnerability from cvelistv5
Published
2024-07-14 07:11
Modified
2024-12-19 08:27
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
After the listener svc_sock is freed, and before invoking svc_tcp_accept()
for the established child sock, there is a window that the newsock
retaining a freed listener svc_sock in sk_user_data which cloning from
parent. In the race window, if data is received on the newsock, we will
observe use-after-free report in svc_tcp_listen_data_ready().
Reproduce by two tasks:
1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
Read of size 8 at addr ffff888139d96228 by task nc/102553
CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
<IRQ>
dump_stack_lvl+0x33/0x50
print_address_description.constprop.0+0x27/0x310
print_report+0x3e/0x70
kasan_report+0xae/0xe0
svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
tcp_data_queue+0x9f4/0x20e0
tcp_rcv_established+0x666/0x1f60
tcp_v4_do_rcv+0x51c/0x850
tcp_v4_rcv+0x23fc/0x2e80
ip_protocol_deliver_rcu+0x62/0x300
ip_local_deliver_finish+0x267/0x350
ip_local_deliver+0x18b/0x2d0
ip_rcv+0x2fb/0x370
__netif_receive_skb_one_core+0x166/0x1b0
process_backlog+0x24c/0x5e0
__napi_poll+0xa2/0x500
net_rx_action+0x854/0xc90
__do_softirq+0x1bb/0x5de
do_softirq+0xcb/0x100
</IRQ>
<TASK>
...
</TASK>
Allocated by task 102371:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x7b/0x90
svc_setup_socket+0x52/0x4f0 [sunrpc]
svc_addsock+0x20d/0x400 [sunrpc]
__write_ports_addfd+0x209/0x390 [nfsd]
write_ports+0x239/0x2c0 [nfsd]
nfsctl_transaction_write+0xac/0x110 [nfsd]
vfs_write+0x1c3/0xae0
ksys_write+0xed/0x1c0
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Freed by task 102551:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x50
__kasan_slab_free+0x106/0x190
__kmem_cache_free+0x133/0x270
svc_xprt_free+0x1e2/0x350 [sunrpc]
svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
nfsd_put+0x125/0x240 [nfsd]
nfsd_svc+0x2cb/0x3c0 [nfsd]
write_threads+0x1ac/0x2a0 [nfsd]
nfsctl_transaction_write+0xac/0x110 [nfsd]
vfs_write+0x1c3/0xae0
ksys_write+0xed/0x1c0
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
if state != TCP_LISTEN, that will avoid dereferencing svsk for all
child socket.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: fa9251afc33c81606d70cfe91800a779096442ec Version: fa9251afc33c81606d70cfe91800a779096442ec Version: fa9251afc33c81606d70cfe91800a779096442ec Version: fa9251afc33c81606d70cfe91800a779096442ec Version: fa9251afc33c81606d70cfe91800a779096442ec Version: fa9251afc33c81606d70cfe91800a779096442ec Version: fa9251afc33c81606d70cfe91800a779096442ec Version: fa9251afc33c81606d70cfe91800a779096442ec
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T23:18:41.393Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-52885", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:00:55.699629Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:18.417Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/sunrpc/svcsock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c7b8c2d06e437639694abe76978e915cfb73f428", status: "affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, { lessThan: "dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254", status: 
"affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, { lessThan: "42725e5c1b181b757ba11d804443922982334d9b", status: "affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, { lessThan: "cd5ec3ee52ce4b7e283cc11facfa420c297c8065", status: "affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, { lessThan: "fbf4ace39b2e4f3833236afbb2336edbafd75eee", status: "affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, { lessThan: "ef047411887ff0845afd642d6a687819308e1a4e", status: "affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, { lessThan: "7e1f989055622fd086c5dfb291fc72adf5660b6f", status: "affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, { lessThan: "fc80fc2d4e39137869da3150ee169b40bf879287", status: "affected", version: "fa9251afc33c81606d70cfe91800a779096442ec", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/sunrpc/svcsock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.8", }, { lessThan: "4.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.322", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.291", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.251", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.188", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.121", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.39", versionType: "semver", }, { lessThanOrEqual: "6.4.*", status: "unaffected", version: "6.4.4", versionType: "semver", }, { 
lessThanOrEqual: "*", status: "unaffected", version: "6.5", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\n\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\nfor the established child sock, there is a window that the newsock\nretaining a freed listener svc_sock in sk_user_data which cloning from\nparent. In the race window, if data is received on the newsock, we will\nobserve use-after-free report in svc_tcp_listen_data_ready().\n\nReproduce by two tasks:\n\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done\n\nKASAN report:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n Read of size 8 at addr ffff888139d96228 by task nc/102553\n CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\n Hardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n Call Trace:\n <IRQ>\n dump_stack_lvl+0x33/0x50\n print_address_description.constprop.0+0x27/0x310\n print_report+0x3e/0x70\n kasan_report+0xae/0xe0\n svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n tcp_data_queue+0x9f4/0x20e0\n tcp_rcv_established+0x666/0x1f60\n tcp_v4_do_rcv+0x51c/0x850\n tcp_v4_rcv+0x23fc/0x2e80\n ip_protocol_deliver_rcu+0x62/0x300\n ip_local_deliver_finish+0x267/0x350\n ip_local_deliver+0x18b/0x2d0\n ip_rcv+0x2fb/0x370\n __netif_receive_skb_one_core+0x166/0x1b0\n process_backlog+0x24c/0x5e0\n __napi_poll+0xa2/0x500\n net_rx_action+0x854/0xc90\n __do_softirq+0x1bb/0x5de\n do_softirq+0xcb/0x100\n </IRQ>\n <TASK>\n ...\n </TASK>\n\n Allocated by task 102371:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x7b/0x90\n svc_setup_socket+0x52/0x4f0 [sunrpc]\n svc_addsock+0x20d/0x400 [sunrpc]\n __write_ports_addfd+0x209/0x390 [nfsd]\n write_ports+0x239/0x2c0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 102551:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x190\n __kmem_cache_free+0x133/0x270\n svc_xprt_free+0x1e2/0x350 [sunrpc]\n svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\n nfsd_put+0x125/0x240 [nfsd]\n nfsd_svc+0x2cb/0x3c0 [nfsd]\n write_threads+0x1ac/0x2a0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\nchild socket.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:27:53.997Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: 
"https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428", }, { url: "https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254", }, { url: "https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b", }, { url: "https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065", }, { url: "https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee", }, { url: "https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e", }, { url: "https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f", }, { url: "https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287", }, ], title: "SUNRPC: Fix UAF in svc_tcp_listen_data_ready()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52885", datePublished: "2024-07-14T07:11:28.548Z", dateReserved: "2024-05-21T15:35:00.782Z", dateUpdated: "2024-12-19T08:27:53.997Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40997
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2025-01-17 15:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: amd-pstate: fix memory leak on CPU EPP exit
The cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is
not freed in the analogous exit function, so fix that.
[ rjw: Subject and changelog edits ]
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.139Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40997", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:28.872143Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:19.570Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/cpufreq/amd-pstate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd", status: "affected", version: "ec437d71db77a181227bf6d0ac9d4a80e58ecf0f", versionType: "git", }, { lessThan: "8015c17fe11a8608cc3eb83d0ab831e1845a9582", status: "affected", version: "ec437d71db77a181227bf6d0ac9d4a80e58ecf0f", versionType: "git", }, { lessThan: "cea04f3d9aeebda9d9c063c0dfa71e739c322c81", status: "affected", version: "ec437d71db77a181227bf6d0ac9d4a80e58ecf0f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/cpufreq/amd-pstate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, 
{ lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ]", }, ], providerMetadata: { dateUpdated: "2025-01-17T15:56:09.680Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd", }, { url: "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582", }, { url: "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81", }, ], title: "cpufreq: amd-pstate: fix memory leak on CPU EPP exit", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40997", datePublished: "2024-07-12T12:37:39.128Z", dateReserved: "2024-07-12T12:17:45.607Z", dateUpdated: "2025-01-17T15:56:09.680Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40910
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
ax25: Fix refcount imbalance on inbound connections
When releasing a socket in ax25_release(), we call netdev_put() to
decrease the refcount on the associated ax.25 device. However, the
execution path for accepting an incoming connection never calls
netdev_hold(). This imbalance leads to refcount errors, and ultimately
to kernel crashes.
A typical call trace for the above situation will start with one of the
following errors:
refcount_t: decrement hit 0; leaking memory.
refcount_t: underflow; use-after-free.
And will then have a trace like:
Call Trace:
<TASK>
? show_regs+0x64/0x70
? __warn+0x83/0x120
? refcount_warn_saturate+0xb2/0x100
? report_bug+0x158/0x190
? prb_read_valid+0x20/0x30
? handle_bug+0x3e/0x70
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? refcount_warn_saturate+0xb2/0x100
? refcount_warn_saturate+0xb2/0x100
ax25_release+0x2ad/0x360
__sock_release+0x35/0xa0
sock_close+0x19/0x20
[...]
On reboot (or any attempt to remove the interface), the kernel gets
stuck in an infinite loop:
unregister_netdevice: waiting for ax0 to become free. Usage count = 0
This patch corrects these issues by ensuring that we call netdev_hold()
and ax25_dev_hold() for new connections in ax25_accept(). This makes the
logic leading to ax25_accept() match the logic for ax25_bind(): in both
cases we increment the refcount, which is ultimately decremented in
ax25_release().
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.370Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40910", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:05.854978Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:37.278Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ax25/af_ax25.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f4df9d6c8d4e4c818252b0419c2165d66eabd4eb", status: "affected", version: "9fd75b66b8f68498454d685dc4ba13192ae069b0", versionType: "git", }, { lessThan: "52100fd74ad07b53a4666feafff1cd11436362d3", status: "affected", version: "9fd75b66b8f68498454d685dc4ba13192ae069b0", versionType: "git", }, { lessThan: "a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964", status: "affected", version: "9fd75b66b8f68498454d685dc4ba13192ae069b0", versionType: "git", }, { lessThan: "3c34fb0bd4a4237592c5ecb5b2e2531900c55774", status: "affected", version: "9fd75b66b8f68498454d685dc4ba13192ae069b0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"net/ax25/af_ax25.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n <TASK>\n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. 
Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:49.343Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb", }, { url: "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3", }, { url: "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964", }, { url: "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774", }, ], title: "ax25: Fix refcount imbalance on inbound connections", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40910", datePublished: "2024-07-12T12:20:49.085Z", dateReserved: "2024-07-12T12:17:45.580Z", dateUpdated: "2024-12-19T09:07:49.343Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40900
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: remove requests from xarray during flushing requests
Even with CACHEFILES_DEAD set, we can still read the requests, so in the
following concurrency the request may be used after it has been freed:
     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
                                  // close dev fd
                                  cachefiles_flush_reqs
                                   complete(&REQ_A->done)
   kfree(REQ_A)
              xa_lock(&cache->reqs);
              cachefiles_ondemand_select_req
                req->msg.opcode != CACHEFILES_OP_READ
                // req use-after-free !!!
              xa_unlock(&cache->reqs);
                                   xa_destroy(&cache->reqs)
Hence remove requests from cache->reqs when flushing them to avoid
accessing freed requests.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:54.905Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40900", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:06:34.508297Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:38.653Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/cachefiles/daemon.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "50d0e55356ba5b84ffb51c42704126124257e598", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "37e19cf86a520d65de1de9cb330415c332a40d19", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "0fc75c5940fa634d84e64c93bfc388e1274ed013", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"fs/cachefiles/daemon.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: remove requests from xarray during flushing requests\n\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\nfollowing concurrency the request may be used after it has been freed:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n // close dev fd\n cachefiles_flush_reqs\n complete(&REQ_A->done)\n kfree(REQ_A)\n xa_lock(&cache->reqs);\n cachefiles_ondemand_select_req\n req->msg.opcode != CACHEFILES_OP_READ\n // req use-after-free !!!\n xa_unlock(&cache->reqs);\n xa_destroy(&cache->reqs)\n\nHence remove requests from cache->reqs when flushing them to avoid\naccessing freed requests.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:37.704Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7", }, { url: "https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598", }, { url: 
"https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19", }, { url: "https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013", }, ], title: "cachefiles: remove requests from xarray during flushing requests", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40900", datePublished: "2024-07-12T12:20:42.192Z", dateReserved: "2024-07-12T12:17:45.579Z", dateUpdated: "2024-12-19T09:07:37.704Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40949
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: shmem: fix getting incorrect lruvec when replacing a shmem folio
When testing shmem swapin, I encountered the warning below on my machine.
The reason is that replacing an old shmem folio with a new one causes
mem_cgroup_migrate() to clear the old folio's memcg data. As a result,
the old folio cannot get the correct memcg's lruvec needed to remove
itself from the LRU list when it is being freed. This could lead to
possible serious problems, such as LRU list crashes due to holding the
wrong LRU lock, and incorrect LRU statistics.
To fix this issue, we can fall back to using mem_cgroup_replace_folio()
to replace the old shmem folio.
[ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960
[ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff)
[ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000
[ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000
[ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000
[ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000
[ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
[ 5241.100338] ------------[ cut here ]------------
[ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150
[...]
[ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150
[ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150
[ 5241.100376] sp : ffff80008b38b930
[...]
[ 5241.100398] Call trace:
[ 5241.100399] folio_lruvec_lock_irqsave+0x140/0x150
[ 5241.100401] __page_cache_release+0x90/0x300
[ 5241.100404] __folio_put+0x50/0x108
[ 5241.100406] shmem_replace_folio+0x1b4/0x240
[ 5241.100409] shmem_swapin_folio+0x314/0x528
[ 5241.100411] shmem_get_folio_gfp+0x3b4/0x930
[ 5241.100412] shmem_fault+0x74/0x160
[ 5241.100414] __do_fault+0x40/0x218
[ 5241.100417] do_shared_fault+0x34/0x1b0
[ 5241.100419] do_fault+0x40/0x168
[ 5241.100420] handle_pte_fault+0x80/0x228
[ 5241.100422] __handle_mm_fault+0x1c4/0x440
[ 5241.100424] handle_mm_fault+0x60/0x1f0
[ 5241.100426] do_page_fault+0x120/0x488
[ 5241.100429] do_translation_fault+0x4c/0x68
[ 5241.100431] do_mem_abort+0x48/0xa0
[ 5241.100434] el0_da+0x38/0xc0
[ 5241.100436] el0t_64_sync_handler+0x68/0xc0
[ 5241.100437] el0t_64_sync+0x14c/0x150
[ 5241.100439] ---[ end trace 0000000000000000 ]---
[baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]
Link: https://lkml.kernel.org/r/ccad3fe1375b468ebca3227b6b729f3eaf9d8046.1718423197.git.baolin.wang@linux.alibaba.com
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.330Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8c6c3719ebb7913f8a665d11816d2e38b0eadbab", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9094b4a1c76cfe84b906cc152bab34d4ba26fa5c", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40949", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:04.999520Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:24.967Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/memcontrol.c", "mm/shmem.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8c6c3719ebb7913f8a665d11816d2e38b0eadbab", status: "affected", version: "85ce2c517ade0d51b7ad95f2e88be9bbe294379a", versionType: "git", }, { lessThan: "9094b4a1c76cfe84b906cc152bab34d4ba26fa5c", status: "affected", version: "85ce2c517ade0d51b7ad95f2e88be9bbe294379a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/memcontrol.c", "mm/shmem.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux 
kernel, the following vulnerability has been resolved:\n\nmm: shmem: fix getting incorrect lruvec when replacing a shmem folio\n\nWhen testing shmem swapin, I encountered the warning below on my machine. \nThe reason is that replacing an old shmem folio with a new one causes\nmem_cgroup_migrate() to clear the old folio's memcg data. As a result,\nthe old folio cannot get the correct memcg's lruvec needed to remove\nitself from the LRU list when it is being freed. This could lead to\npossible serious problems, such as LRU list crashes due to holding the\nwrong LRU lock, and incorrect LRU statistics.\n\nTo fix this issue, we can fallback to use the mem_cgroup_replace_folio()\nto replace the old shmem folio.\n\n[ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960\n[ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff)\n[ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000\n[ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000\n[ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000\n[ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000\n[ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())\n[ 5241.100338] ------------[ cut here ]------------\n[ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150\n[...]\n[ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150\n[ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150\n[ 5241.100376] sp : ffff80008b38b930\n[...]\n[ 5241.100398] Call 
trace:\n[ 5241.100399] folio_lruvec_lock_irqsave+0x140/0x150\n[ 5241.100401] __page_cache_release+0x90/0x300\n[ 5241.100404] __folio_put+0x50/0x108\n[ 5241.100406] shmem_replace_folio+0x1b4/0x240\n[ 5241.100409] shmem_swapin_folio+0x314/0x528\n[ 5241.100411] shmem_get_folio_gfp+0x3b4/0x930\n[ 5241.100412] shmem_fault+0x74/0x160\n[ 5241.100414] __do_fault+0x40/0x218\n[ 5241.100417] do_shared_fault+0x34/0x1b0\n[ 5241.100419] do_fault+0x40/0x168\n[ 5241.100420] handle_pte_fault+0x80/0x228\n[ 5241.100422] __handle_mm_fault+0x1c4/0x440\n[ 5241.100424] handle_mm_fault+0x60/0x1f0\n[ 5241.100426] do_page_fault+0x120/0x488\n[ 5241.100429] do_translation_fault+0x4c/0x68\n[ 5241.100431] do_mem_abort+0x48/0xa0\n[ 5241.100434] el0_da+0x38/0xc0\n[ 5241.100436] el0t_64_sync_handler+0x68/0xc0\n[ 5241.100437] el0t_64_sync+0x14c/0x150\n[ 5241.100439] ---[ end trace 0000000000000000 ]---\n\n[baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]\n Link: https://lkml.kernel.org/r/ccad3fe1375b468ebca3227b6b729f3eaf9d8046.1718423197.git.baolin.wang@linux.alibaba.com", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:45.734Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8c6c3719ebb7913f8a665d11816d2e38b0eadbab", }, { url: "https://git.kernel.org/stable/c/9094b4a1c76cfe84b906cc152bab34d4ba26fa5c", }, ], title: "mm: shmem: fix getting incorrect lruvec when replacing a shmem folio", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40949", datePublished: "2024-07-12T12:31:54.134Z", dateReserved: "2024-07-12T12:17:45.591Z", dateUpdated: "2024-12-19T09:08:45.734Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39498
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2
[Why]
Commit:
- commit 5aa1dfcdf0a4 ("drm/mst: Refactor the flow for payload allocation/removement")
accidentally overwrote the commit
- commit 54d217406afe ("drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2")
which causes a regression.
[How]
Recover the original NULL fix and remove the unnecessary input parameter 'state' for
drm_dp_add_payload_part2().
(cherry picked from commit 4545614c1d8da603e57b60dd66224d81b6ffc305)
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.796Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8e21de5f99b2368a5155037ce0aae8aaba3f5241", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/5a507b7d2be15fddb95bf8dee01110b723e2bcd9", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39498", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:19.937077Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:40.808Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c", "drivers/gpu/drm/display/drm_dp_mst_topology.c", "drivers/gpu/drm/i915/display/intel_dp_mst.c", "drivers/gpu/drm/nouveau/dispnv50/disp.c", "include/drm/display/drm_dp_mst_helper.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8e21de5f99b2368a5155037ce0aae8aaba3f5241", status: "affected", version: "5aa1dfcdf0a429e4941e2eef75b006a8c7a8ac49", versionType: "git", }, { lessThan: "5a507b7d2be15fddb95bf8dee01110b723e2bcd9", status: "affected", version: "5aa1dfcdf0a429e4941e2eef75b006a8c7a8ac49", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c", "drivers/gpu/drm/display/drm_dp_mst_topology.c", "drivers/gpu/drm/i915/display/intel_dp_mst.c", "drivers/gpu/drm/nouveau/dispnv50/disp.c", "include/drm/display/drm_dp_mst_helper.h", ], repo: 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2\n\n[Why]\nCommit:\n- commit 5aa1dfcdf0a4 (\"drm/mst: Refactor the flow for payload allocation/removement\")\naccidently overwrite the commit\n- commit 54d217406afe (\"drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2\")\nwhich cause regression.\n\n[How]\nRecover the original NULL fix and remove the unnecessary input parameter 'state' for\ndrm_dp_add_payload_part2().\n\n(cherry picked from commit 4545614c1d8da603e57b60dd66224d81b6ffc305)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:21.218Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8e21de5f99b2368a5155037ce0aae8aaba3f5241", }, { url: "https://git.kernel.org/stable/c/5a507b7d2be15fddb95bf8dee01110b723e2bcd9", }, ], title: "drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39498", datePublished: "2024-07-12T12:20:32.980Z", dateReserved: "2024-06-25T14:23:23.751Z", dateUpdated: "2024-12-19T09:07:21.218Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40953
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the
loads and stores are atomic. In the extremely unlikely scenario the
compiler tears the stores, it's theoretically possible for KVM to attempt
to get a vCPU using an out-of-bounds index, e.g. if the write is split
into multiple 8-bit stores, and is paired with a 32-bit load on a VM with
257 vCPUs:
  CPU0                              CPU1
  last_boosted_vcpu = 0xff;

                                    (last_boosted_vcpu = 0x100)
                                    last_boosted_vcpu[15:8] = 0x01;
  i = (last_boosted_vcpu = 0x1ff)
                                    last_boosted_vcpu[7:0] = 0x00;

  vcpu = kvm->vcpu_array[0x1ff];
As detected by KCSAN:
BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]
write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
__x64_sys_ioctl (fs/ioctl.c:890)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
__x64_sys_ioctl (fs/ioctl.c:890)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
value changed: 0x00000012 -> 0x00000000
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42
cve-2024-40912
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
synchronize with ieee80211_tx_h_unicast_ps_buf() which is called from
softirq context. However using only spin_lock() to get sta->ps_lock in
ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
take this same lock ending in deadlock. Below is an example of rcu stall
that arises in such situation.
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
Hardware name: RPT (r1) (DT)
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : queued_spin_lock_slowpath+0x58/0x2d0
lr : invoke_tx_handlers_early+0x5b4/0x5c0
sp : ffff00001ef64660
x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
Call trace:
queued_spin_lock_slowpath+0x58/0x2d0
ieee80211_tx+0x80/0x12c
ieee80211_tx_pending+0x110/0x278
tasklet_action_common.constprop.0+0x10c/0x144
tasklet_action+0x20/0x28
_stext+0x11c/0x284
____do_softirq+0xc/0x14
call_on_irq_stack+0x24/0x34
do_softirq_own_stack+0x18/0x20
do_softirq+0x74/0x7c
__local_bh_enable_ip+0xa0/0xa4
_ieee80211_wake_txqs+0x3b0/0x4b8
__ieee80211_wake_queue+0x12c/0x168
ieee80211_add_pending_skbs+0xec/0x138
ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
ieee80211_mps_sta_status_update+0x18/0x24
sta_apply_parameters+0x3bc/0x4c0
ieee80211_change_station+0x1b8/0x2dc
nl80211_set_station+0x444/0x49c
genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
genl_rcv_msg+0x1b0/0x244
netlink_rcv_skb+0x38/0x10c
genl_rcv+0x34/0x48
netlink_unicast+0x254/0x2bc
netlink_sendmsg+0x190/0x3b4
____sys_sendmsg+0x1e8/0x218
___sys_sendmsg+0x68/0x8c
__sys_sendmsg+0x44/0x84
__arm64_sys_sendmsg+0x20/0x28
do_el0_svc+0x6c/0xe8
el0_svc+0x14/0x48
el0t_64_sync_handler+0xb0/0xb4
el0t_64_sync+0x14c/0x150
Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
on the same CPU that is holding the lock.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1d147bfa64293b2723c4fec50922168658e613ba
cve-2024-40921
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state
Pass the already obtained vlan group pointer to br_mst_vlan_set_state()
instead of dereferencing it again. Each caller has already correctly
dereferenced it for their context. This change is required for the
following suspicious RCU dereference fix. No functional changes
intended.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 8ca9a750fc711911ef616ceb627d07357b04545e
Linux | Linux | 4488617e5e995a09abe4d81add5fb165674edb59
Linux | Linux | e43dd2b1ec746e105b7db5f9ad6ef14685a615a4
Linux | Linux | 3a7c1661ae1383364cd6092d851f5e5da64d476b
cve-2024-40928
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()
Clang static checker (scan-build) warning:
net/ethtool/ioctl.c:line 2233, column 2
Called function pointer is null (null dereference).
Return '-EOPNOTSUPP' when 'ops->get_ethtool_phy_stats' is NULL to fix
this typo error.
cve-2024-40964
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind()
The cs35l41_hda_unbind() function clears the hda_component entry
matching its index and then dereferences the codec pointer held in the
first element of the hda_component array, this is an issue when the
device index was 0.
Instead use the codec pointer stashed in the cs35l41_hda structure as it
will still be valid.
cve-2024-40969
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: don't set RO when shutting down f2fs
Shutdown does not check the error of thaw_super due to readonly, which
causes a deadlock like below.
f2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread
- bdev_freeze
- freeze_super
- f2fs_stop_checkpoint()
- f2fs_handle_critical_error - sb_start_write
- set RO - waiting
- bdev_thaw
- thaw_super_locked
- return -EINVAL, if sb_rdonly()
- f2fs_stop_discard_thread
-> wait for kthread_stop(discard_thread);
cve-2024-41002
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/sec - Fix memory leak for sec resource release
The AIV is one of the SEC resources. When releasing resources,
it needs to release the AIV resources at the same time.
Otherwise, memory leakage occurs.
The aiv resource release is added to the sec resource release
function.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.064Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-41002", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:11.700200Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:19.020Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/crypto/hisilicon/sec2/sec_crypto.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a886bcb0f67d1e3d6b2da25b3519de59098200c2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7c42ce556ff65995c8875c9ed64141c14238e7e6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9f21886370db451b0fdc651f6e41550a1da70601", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "36810d2db3496bb8b4db7ccda666674a5efc7b47", status: "affected", version: 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bba4250757b4ae1680fea435a358d8093f254094", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/crypto/hisilicon/sec2/sec_crypto.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\n\nThe AIV is one of the SEC resources. 
When releasing resources,\nit need to release the AIV resources at the same time.\nOtherwise, memory leakage occurs.\n\nThe aiv resource release is added to the sec resource release\nfunction.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:49.777Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2", }, { url: "https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6", }, { url: "https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601", }, { url: "https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47", }, { url: "https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094", }, ], title: "crypto: hisilicon/sec - Fix memory leak for sec resource release", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-41002", datePublished: "2024-07-12T12:37:42.523Z", dateReserved: "2024-07-12T12:17:45.609Z", dateUpdated: "2024-12-19T09:09:49.777Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40913
Vulnerability from cvelistv5
Published
2024-07-12 12:24
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: defer exposing anon_fd until after copy_to_user() succeeds
After installing the anonymous fd, we can now see it in userland and close
it. However, at this point we may not have gotten the reference count of
the cache, but we will put it during close fd, so this may cause a cache
UAF.
So grab the cache reference count before fd_install(). In addition, by
kernel convention, fd is taken over by the user land after fd_install(),
and the kernel should not call close_fd() after that, i.e., it should call
fd_install() after everything is ready, thus fd_install() is called after
copy_to_user() succeeds.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.392Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/eac51d9daacd61dcc93333ff6a890cf3efc8c1c0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d2d3eb377a5d081bf2bed177d354a4f59b74da88", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b9f58cdae6a364a3270fd6b6a46e0fd4f7f8ce32", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4b4391e77a6bf24cba2ef1590e113d9b73b11039", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40913", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:56.112213Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:39.494Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/cachefiles/ondemand.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "eac51d9daacd61dcc93333ff6a890cf3efc8c1c0", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "d2d3eb377a5d081bf2bed177d354a4f59b74da88", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "b9f58cdae6a364a3270fd6b6a46e0fd4f7f8ce32", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "4b4391e77a6bf24cba2ef1590e113d9b73b11039", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"fs/cachefiles/ondemand.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: defer exposing anon_fd until after copy_to_user() succeeds\n\nAfter installing the anonymous fd, we can now see it in userland and close\nit. However, at this point we may not have gotten the reference count of\nthe cache, but we will put it during colse fd, so this may cause a cache\nUAF.\n\nSo grab the cache reference count before fd_install(). 
In addition, by\nkernel convention, fd is taken over by the user land after fd_install(),\nand the kernel should not call close_fd() after that, i.e., it should call\nfd_install() after everything is ready, thus fd_install() is called after\ncopy_to_user() succeeds.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:52.813Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/eac51d9daacd61dcc93333ff6a890cf3efc8c1c0", }, { url: "https://git.kernel.org/stable/c/d2d3eb377a5d081bf2bed177d354a4f59b74da88", }, { url: "https://git.kernel.org/stable/c/b9f58cdae6a364a3270fd6b6a46e0fd4f7f8ce32", }, { url: "https://git.kernel.org/stable/c/4b4391e77a6bf24cba2ef1590e113d9b73b11039", }, ], title: "cachefiles: defer exposing anon_fd until after copy_to_user() succeeds", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40913", datePublished: "2024-07-12T12:24:57.363Z", dateReserved: "2024-07-12T12:17:45.581Z", dateUpdated: "2024-12-19T09:07:52.813Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40962
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes
Shin'ichiro reported that when he's running fstests' test-case
btrfs/167 on emulated zoned devices, he's seeing the following NULL
pointer dereference in 'btrfs_zone_finish_endio()':
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G W 6.10.0-rc2-kts+ #4
Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
RSP: 0018:ffff88867f107a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534
RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088
RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028
R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000
R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210
FS: 0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x27
? die_addr+0x46/0x70
? exc_general_protection+0x14f/0x250
? asm_exc_general_protection+0x26/0x30
? do_raw_read_unlock+0x44/0x70
? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]
? __pfx_lock_release+0x10/0x10
? do_raw_write_lock+0x90/0x260
? __pfx_do_raw_write_lock+0x10/0x10
? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]
? _raw_write_unlock+0x23/0x40
? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs]
? lock_acquire+0x435/0x500
btrfs_work_helper+0x1b1/0xa70 [btrfs]
? __schedule+0x10a8/0x60b0
? __pfx___might_resched+0x10/0x10
process_one_work+0x862/0x1410
? __pfx_lock_acquire+0x10/0x10
? __pfx_process_one_work+0x10/0x10
? assign_work+0x16c/0x240
worker_thread+0x5e6/0x1010
? __pfx_worker_thread+0x10/0x10
kthread+0x2c3/0x3a0
? trace_irq_enable.constprop.0+0xce/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Enabling CONFIG_BTRFS_ASSERT revealed the following assertion to
trigger:
assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815
This indicates that we're missing the checksums list on the
ordered_extent. As btrfs/167 is doing a NOCOW write this is to be
expected.
Further analysis with drgn confirmed the assumption:
>>> inode = prog.crashed_thread().stack_trace()[11]['ordered'].inode
>>> btrfs_inode = drgn.container_of(inode, "struct btrfs_inode", \
"vfs_inode")
>>> print(btrfs_inode.flags)
(u32)1
As zoned emulation mode simulates conventional zones on regular devices,
we cannot use zone-append for writing. But we're only attaching dummy
checksums if we're doing a zone-append write.
So for NOCOW zoned data writes on conventional zones, also attach a
dummy checksum.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.986Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/082b3d4e788953a3ff42ecdb70c4210149076285", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/25cfe59f4470a051d1b80f51fa0ca3a5048e4a19", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/cebae292e0c32a228e8f2219c270a7237be24a6a", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40962", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:23.008786Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:23.463Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/bio.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "082b3d4e788953a3ff42ecdb70c4210149076285", status: "affected", version: "cbfce4c7fbde23cc8bcba44822a58c728caf6ec9", versionType: "git", }, { lessThan: "25cfe59f4470a051d1b80f51fa0ca3a5048e4a19", status: "affected", version: "cbfce4c7fbde23cc8bcba44822a58c728caf6ec9", versionType: "git", }, { lessThan: "cebae292e0c32a228e8f2219c270a7237be24a6a", status: "affected", version: "cbfce4c7fbde23cc8bcba44822a58c728caf6ec9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/bio.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.5", }, { lessThan: "6.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", 
status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: allocate dummy checksums for zoned NODATASUM writes\n\nShin'ichiro reported that when he's running fstests' test-case\nbtrfs/167 on emulated zoned devices, he's seeing the following NULL\npointer dereference in 'btrfs_zone_finish_endio()':\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G W 6.10.0-rc2-kts+ #4\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n\n RSP: 0018:ffff88867f107a90 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534\n RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088\n RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028\n R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000\n R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210\n FS: 0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n <TASK>\n ? __die_body.cold+0x19/0x27\n ? die_addr+0x46/0x70\n ? exc_general_protection+0x14f/0x250\n ? 
asm_exc_general_protection+0x26/0x30\n ? do_raw_read_unlock+0x44/0x70\n ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]\n ? __pfx_lock_release+0x10/0x10\n ? do_raw_write_lock+0x90/0x260\n ? __pfx_do_raw_write_lock+0x10/0x10\n ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]\n ? _raw_write_unlock+0x23/0x40\n ? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs]\n ? lock_acquire+0x435/0x500\n btrfs_work_helper+0x1b1/0xa70 [btrfs]\n ? __schedule+0x10a8/0x60b0\n ? __pfx___might_resched+0x10/0x10\n process_one_work+0x862/0x1410\n ? __pfx_lock_acquire+0x10/0x10\n ? __pfx_process_one_work+0x10/0x10\n ? assign_work+0x16c/0x240\n worker_thread+0x5e6/0x1010\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x2c3/0x3a0\n ? trace_irq_enable.constprop.0+0xce/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nEnabling CONFIG_BTRFS_ASSERT revealed the following assertion to\ntrigger:\n\n assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815\n\nThis indicates, that we're missing the checksums list on the\nordered_extent. As btrfs/167 is doing a NOCOW write this is to be\nexpected.\n\nFurther analysis with drgn confirmed the assumption:\n\n >>> inode = prog.crashed_thread().stack_trace()[11]['ordered'].inode\n >>> btrfs_inode = drgn.container_of(inode, \"struct btrfs_inode\", \\\n \t\t\t\t\"vfs_inode\")\n >>> print(btrfs_inode.flags)\n (u32)1\n\nAs zoned emulation mode simulates conventional zones on regular devices,\nwe cannot use zone-append for writing. 
But we're only attaching dummy\nchecksums if we're doing a zone-append write.\n\nSo for NOCOW zoned data writes on conventional zones, also attach a\ndummy checksum.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:01.353Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/082b3d4e788953a3ff42ecdb70c4210149076285", }, { url: "https://git.kernel.org/stable/c/25cfe59f4470a051d1b80f51fa0ca3a5048e4a19", }, { url: "https://git.kernel.org/stable/c/cebae292e0c32a228e8f2219c270a7237be24a6a", }, ], title: "btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40962", datePublished: "2024-07-12T12:32:03.316Z", dateReserved: "2024-07-12T12:17:45.594Z", dateUpdated: "2024-12-19T09:09:01.353Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40976
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/lima: mask irqs in timeout path before hard reset
There is a race condition in which a rendering job might take just long
enough to trigger the drm sched job timeout handler but also still
complete before the hard reset is done by the timeout handler.
This runs into race conditions not expected by the timeout handler.
In some very specific cases it currently may result in a refcount
imbalance on lima_pm_idle, with a stack dump such as:
[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0
...
[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0
...
[10136.669628] Call trace:
[10136.669634] lima_devfreq_record_idle+0xa0/0xb0
[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0
[10136.669656] lima_gp_irq_handler+0xa8/0x120
[10136.669666] __handle_irq_event_percpu+0x48/0x160
[10136.669679] handle_irq_event+0x4c/0xc0
We can prevent that race condition entirely by masking the irqs at the
beginning of the timeout handler, at which point we give up on waiting
for that job entirely.
The irqs will be enabled again at the next hard reset which is already
done as a recovery by the timeout handler.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.951Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40976", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:37.570914Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:21.987Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/lima/lima_sched.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", 
versionType: "git", }, { lessThan: "bdbc4ca77f5eaac15de7230814253cddfed273b1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a421cc7a6a001b70415aa4f66024fa6178885a14", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/lima/lima_sched.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: mask irqs in timeout path before hard reset\n\nThere is a race condition in which a rendering job might take just long\nenough to trigger the drm sched job timeout handler but also still\ncomplete before the hard reset is done by the timeout handler.\nThis runs into race conditions not expected by the timeout handler.\nIn some very specific cases it currently may result in a refcount\nimbalance on lima_pm_idle, with a stack dump such as:\n\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669459] pc : 
lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669628] Call trace:\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\n[10136.669679] handle_irq_event+0x4c/0xc0\n\nWe can prevent that race condition entirely by masking the irqs at the\nbeginning of the timeout handler, at which point we give up on waiting\nfor that job entirely.\nThe irqs will be enabled again at the next hard reset which is already\ndone as a recovery by the timeout handler.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:17.961Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a", }, { url: "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a", }, { url: "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344", }, { url: "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1", }, { url: "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db", }, { url: "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14", }, ], title: "drm/lima: mask irqs in timeout path before hard reset", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40976", datePublished: "2024-07-12T12:32:12.782Z", dateReserved: "2024-07-12T12:17:45.603Z", dateUpdated: "2024-12-19T09:09:17.961Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40935
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: flush all requests after setting CACHEFILES_DEAD
In ondemand mode, when the daemon is processing an open request, if the
kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write()
will always return -EIO, so the daemon can't pass the copen to the kernel.
Then the kernel process that is waiting for the copen triggers a hung_task.
Since the DEAD state is irreversible, it can only be exited by closing
/dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark
the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to
avoid the above hungtask. We may still be able to read some of the cached
data before closing the fd of /dev/cachefiles.
Note that this relies on the patch that adds reference counting to the req,
otherwise it may UAF.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.674Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/320ba9cbca78be79c912143bbba1d1b35ca55cf0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3bf0b8030296e9ee60d3d4c15849ad9ac0b47081", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/e73fac95084839c5178d97e81c6a2051251bdc00", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/85e833cd7243bda7285492b0653c3abb1e2e757b", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40935", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:46.320967Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:02.419Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/cachefiles/daemon.c", "fs/cachefiles/internal.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "320ba9cbca78be79c912143bbba1d1b35ca55cf0", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "3bf0b8030296e9ee60d3d4c15849ad9ac0b47081", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "e73fac95084839c5178d97e81c6a2051251bdc00", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, { lessThan: "85e833cd7243bda7285492b0653c3abb1e2e757b", status: "affected", version: "c8383054506c77b814489c09877b5db83fd4abf2", versionType: "git", }, ], }, { defaultStatus: "affected", product: 
"Linux", programFiles: [ "fs/cachefiles/daemon.c", "fs/cachefiles/internal.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: flush all requests after setting CACHEFILES_DEAD\n\nIn ondemand mode, when the daemon is processing an open request, if the\nkernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write()\nwill always return -EIO, so the daemon can't pass the copen to the kernel.\nThen the kernel process that is waiting for the copen triggers a hung_task.\n\nSince the DEAD state is irreversible, it can only be exited by closing\n/dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark\nthe cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to\navoid the above hungtask. 
We may still be able to read some of the cached\ndata before closing the fd of /dev/cachefiles.\n\nNote that this relies on the patch that adds reference counting to the req,\notherwise it may UAF.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:30.379Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/320ba9cbca78be79c912143bbba1d1b35ca55cf0", }, { url: "https://git.kernel.org/stable/c/3bf0b8030296e9ee60d3d4c15849ad9ac0b47081", }, { url: "https://git.kernel.org/stable/c/e73fac95084839c5178d97e81c6a2051251bdc00", }, { url: "https://git.kernel.org/stable/c/85e833cd7243bda7285492b0653c3abb1e2e757b", }, ], title: "cachefiles: flush all requests after setting CACHEFILES_DEAD", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40935", datePublished: "2024-07-12T12:25:12.483Z", dateReserved: "2024-07-12T12:17:45.584Z", dateUpdated: "2024-12-19T09:08:30.379Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40965
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: lpi2c: Avoid calling clk_get_rate during transfer
Instead of repeatedly calling clk_get_rate for each transfer, lock
the clock rate and cache the value.
A deadlock has been observed while adding the tlv320aic32x4 audio codec to
the system. When this clock provider adds its clock, the clk mutex is
already locked; it needs to access i2c, which in turn needs the mutex
for clk_get_rate as well.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.822Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40965", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:13.465899Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:23.239Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/i2c/busses/i2c-imx-lpi2c.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d038693e08adf9c162c6377800495e4f5a2df045", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2b42e9587a7a9c7b824e0feb92958f258263963e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4268254a39484fc11ba991ae148bacbe75d9cc0a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/i2c/busses/i2c-imx-lpi2c.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: 
"unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\n\nInstead of repeatedly calling clk_get_rate for each transfer, lock\nthe clock rate and cache the value.\nA deadlock has been observed while adding tlv320aic32x4 audio codec to\nthe system. When this clock provider adds its clock, the clk mutex is\nlocked already, it needs to access i2c, which in return needs the mutex\nfor clk_get_rate as well.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:04.913Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d038693e08adf9c162c6377800495e4f5a2df045", }, { url: "https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e", }, { url: "https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a", }, ], title: "i2c: lpi2c: Avoid calling clk_get_rate during transfer", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40965", datePublished: "2024-07-12T12:32:05.453Z", dateReserved: "2024-07-12T12:17:45.602Z", dateUpdated: "2024-12-19T09:09:04.913Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40946
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{ containers: { cna: { providerMetadata: { dateUpdated: "2024-07-15T06:58:44.244Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40946", datePublished: "2024-07-12T12:31:52.120Z", dateRejected: "2024-07-15T06:58:44.244Z", dateReserved: "2024-07-12T12:17:45.589Z", dateUpdated: "2024-07-15T06:58:44.244Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40992
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix responder length checking for UD request packets
According to the IBA specification:
If a UD request packet is detected with an invalid length, the request
shall be an invalid request and it shall be silently dropped by
the responder. The responder then waits for a new request packet.
commit 689c5421bfe0 ("RDMA/rxe: Fix incorrect responder length checking")
defers responder length check for UD QPs in function `copy_data`.
But it introduces a regression issue for UD QPs.
When the packet size is too large to fit in the receive buffer,
`copy_data` will return error code -EINVAL. Then `send_data_in`
will return RESPST_ERR_MALFORMED_WQE. UD QP will transfer into
ERROR state.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.166Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/163868ec1f6c610d16da9e458fe1dd7d5de97341", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/943c94f41dfe36536dc9aaa12c9efdf548ceb996", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f67ac0061c7614c1548963d3ef1ee1606efd8636", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40992", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:01:44.819044Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:20.142Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/sw/rxe/rxe_resp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "163868ec1f6c610d16da9e458fe1dd7d5de97341", status: "affected", version: "689c5421bfe0eac65526bd97a466b9590a6aad3c", versionType: "git", }, { lessThan: "943c94f41dfe36536dc9aaa12c9efdf548ceb996", status: "affected", version: "689c5421bfe0eac65526bd97a466b9590a6aad3c", versionType: "git", }, { lessThan: "f67ac0061c7614c1548963d3ef1ee1606efd8636", status: "affected", version: "689c5421bfe0eac65526bd97a466b9590a6aad3c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/sw/rxe/rxe_resp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: 
"semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix responder length checking for UD request packets\n\nAccording to the IBA specification:\nIf a UD request packet is detected with an invalid length, the request\nshall be an invalid request and it shall be silently dropped by\nthe responder. The responder then waits for a new request packet.\n\ncommit 689c5421bfe0 (\"RDMA/rxe: Fix incorrect responder length checking\")\ndefers responder length check for UD QPs in function `copy_data`.\nBut it introduces a regression issue for UD QPs.\n\nWhen the packet size is too large to fit in the receive buffer.\n`copy_data` will return error code -EINVAL. Then `send_data_in`\nwill return RESPST_ERR_MALFORMED_WQE. UD QP will transfer into\nERROR state.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:37.559Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/163868ec1f6c610d16da9e458fe1dd7d5de97341", }, { url: "https://git.kernel.org/stable/c/943c94f41dfe36536dc9aaa12c9efdf548ceb996", }, { url: "https://git.kernel.org/stable/c/f67ac0061c7614c1548963d3ef1ee1606efd8636", }, ], title: "RDMA/rxe: Fix responder length checking for UD request packets", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40992", datePublished: "2024-07-12T12:37:35.800Z", dateReserved: "2024-07-12T12:17:45.605Z", dateUpdated: "2024-12-19T09:09:37.559Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40948
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/page_table_check: fix crash on ZONE_DEVICE
Not all pages may apply to pgtable check. One example is ZONE_DEVICE
pages: they map PFNs directly, and they don't allocate page_ext at all
even if there's struct page around. One may reference
devm_memremap_pages().
When both ZONE_DEVICE and page-table-check are enabled, then try to map some
dax memories, one can trigger kernel bug constantly now when the kernel
was trying to inject some pfn maps on the dax device:
kernel BUG at mm/page_table_check.c:55!
While it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page
fault resolutions, skip all the checks if page_ext doesn't even exist in
pgtable checker, which applies to ZONE_DEVICE but maybe more.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.324Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/51897f99351fff7b57f4f141940fa93b4e90fd2b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/84d3549d54f5ff9fa3281257be3019386f51d1a0", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/dec2382247860d2134c8d41e103e26460c099629", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/8bb592c2eca8fd2bc06db7d80b38da18da4a2f43", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40948", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:08.155956Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:25.080Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/page_table_check.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "51897f99351fff7b57f4f141940fa93b4e90fd2b", status: "affected", version: "df4e817b710809425d899340dbfa8504a3ca4ba5", versionType: "git", }, { lessThan: "84d3549d54f5ff9fa3281257be3019386f51d1a0", status: "affected", version: "df4e817b710809425d899340dbfa8504a3ca4ba5", versionType: "git", }, { lessThan: "dec2382247860d2134c8d41e103e26460c099629", status: "affected", version: "df4e817b710809425d899340dbfa8504a3ca4ba5", versionType: "git", }, { lessThan: "8bb592c2eca8fd2bc06db7d80b38da18da4a2f43", status: "affected", version: "df4e817b710809425d899340dbfa8504a3ca4ba5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ 
"mm/page_table_check.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_table_check: fix crash on ZONE_DEVICE\n\nNot all pages may apply to pgtable check. One example is ZONE_DEVICE\npages: they map PFNs directly, and they don't allocate page_ext at all\neven if there's struct page around. One may reference\ndevm_memremap_pages().\n\nWhen both ZONE_DEVICE and page-table-check enabled, then try to map some\ndax memories, one can trigger kernel bug constantly now when the kernel\nwas trying to inject some pfn maps on the dax device:\n\n kernel BUG at mm/page_table_check.c:55!\n\nWhile it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page\nfault resolutions, skip all the checks if page_ext doesn't even exist in\npgtable checker, which applies to ZONE_DEVICE but maybe more.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:44.478Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/51897f99351fff7b57f4f141940fa93b4e90fd2b", }, { url: "https://git.kernel.org/stable/c/84d3549d54f5ff9fa3281257be3019386f51d1a0", }, { url: "https://git.kernel.org/stable/c/dec2382247860d2134c8d41e103e26460c099629", }, { url: "https://git.kernel.org/stable/c/8bb592c2eca8fd2bc06db7d80b38da18da4a2f43", }, ], 
title: "mm/page_table_check: fix crash on ZONE_DEVICE", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40948", datePublished: "2024-07-12T12:31:53.478Z", dateReserved: "2024-07-12T12:17:45.591Z", dateUpdated: "2024-12-19T09:08:44.478Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40939
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: iosm: Fix tainted pointer delete is case of region creation fail
If region creation fails in ipc_devlink_create_region(), the process of
deleting previously created regions starts from a tainted pointer which
actually holds an error code value.
Fix this bug by decreasing region index before delete.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.776Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fe394d59cdae81389dbf995e87c83c1acd120597", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/040d9384870386eb5dc55472ac573ac7756b2050", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/37a438704d19bdbe246d51d3749b6b3a8fe65afd", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/b0c9a26435413b81799047a7be53255640432547", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40939", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:33.559080Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:26.102Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wwan/iosm/iosm_ipc_devlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fe394d59cdae81389dbf995e87c83c1acd120597", status: "affected", version: "4dcd183fbd67b105decc8be262311937730ccdbf", versionType: "git", }, { lessThan: "040d9384870386eb5dc55472ac573ac7756b2050", status: "affected", version: "4dcd183fbd67b105decc8be262311937730ccdbf", versionType: "git", }, { lessThan: "37a438704d19bdbe246d51d3749b6b3a8fe65afd", status: "affected", version: "4dcd183fbd67b105decc8be262311937730ccdbf", versionType: "git", }, { lessThan: "b0c9a26435413b81799047a7be53255640432547", status: "affected", version: "4dcd183fbd67b105decc8be262311937730ccdbf", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", 
programFiles: [ "drivers/net/wwan/iosm/iosm_ipc_devlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: Fix tainted pointer delete is case of region creation fail\n\nIn case of region creation fail in ipc_devlink_create_region(), previously\ncreated regions delete process starts from tainted pointer which actually\nholds error code value.\nFix this bug by decreasing region index before delete.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:34.994Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fe394d59cdae81389dbf995e87c83c1acd120597", }, { url: "https://git.kernel.org/stable/c/040d9384870386eb5dc55472ac573ac7756b2050", }, { url: "https://git.kernel.org/stable/c/37a438704d19bdbe246d51d3749b6b3a8fe65afd", }, { url: "https://git.kernel.org/stable/c/b0c9a26435413b81799047a7be53255640432547", }, ], title: "net: wwan: iosm: Fix tainted pointer delete is case of region creation fail", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40939", datePublished: "2024-07-12T12:25:15.148Z", dateReserved: 
"2024-07-12T12:17:45.586Z", dateUpdated: "2024-12-19T09:08:34.994Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40922
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: don't lock while !TASK_RUNNING
There is a report of io_rsrc_ref_quiesce() locking a mutex while not
TASK_RUNNING, which is due to forgetting to restore the state back after
io_run_task_work_sig() and attempts to break out of the waiting loop.
do not call blocking ops when !TASK_RUNNING; state=1 set at
[<ffffffff815d2494>] prepare_to_wait+0xa4/0x380
kernel/sched/wait.c:237
WARNING: CPU: 2 PID: 397056 at kernel/sched/core.c:10099
__might_sleep+0x114/0x160 kernel/sched/core.c:10099
RIP: 0010:__might_sleep+0x114/0x160 kernel/sched/core.c:10099
Call Trace:
<TASK>
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0xb4/0x940 kernel/locking/mutex.c:752
io_rsrc_ref_quiesce+0x590/0x940 io_uring/rsrc.c:253
io_sqe_buffers_unregister+0xa2/0x340 io_uring/rsrc.c:799
__io_uring_register io_uring/register.c:424 [inline]
__do_sys_io_uring_register+0x5b9/0x2400 io_uring/register.c:613
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.988Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0c9df3df0c888d9ec8d11a68474a4aa04d371cff", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4429c6c77e176a4c5aa7a3bbd1632f9fc0582518", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/54559642b96116b45e4b5ca7fd9f7835b8561272", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40922", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:27.374940Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:28.678Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/rsrc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0c9df3df0c888d9ec8d11a68474a4aa04d371cff", status: "affected", version: "4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f", versionType: "git", }, { lessThan: "4429c6c77e176a4c5aa7a3bbd1632f9fc0582518", status: "affected", version: "4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f", versionType: "git", }, { lessThan: "54559642b96116b45e4b5ca7fd9f7835b8561272", status: "affected", version: "4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "io_uring/rsrc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.4", }, { lessThan: "6.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", 
status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: don't lock while !TASK_RUNNING\n\nThere is a report of io_rsrc_ref_quiesce() locking a mutex while not\nTASK_RUNNING, which is due to forgetting restoring the state back after\nio_run_task_work_sig() and attempts to break out of the waiting loop.\n\ndo not call blocking ops when !TASK_RUNNING; state=1 set at\n[<ffffffff815d2494>] prepare_to_wait+0xa4/0x380\nkernel/sched/wait.c:237\nWARNING: CPU: 2 PID: 397056 at kernel/sched/core.c:10099\n__might_sleep+0x114/0x160 kernel/sched/core.c:10099\nRIP: 0010:__might_sleep+0x114/0x160 kernel/sched/core.c:10099\nCall Trace:\n <TASK>\n __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n __mutex_lock+0xb4/0x940 kernel/locking/mutex.c:752\n io_rsrc_ref_quiesce+0x590/0x940 io_uring/rsrc.c:253\n io_sqe_buffers_unregister+0xa2/0x340 io_uring/rsrc.c:799\n __io_uring_register io_uring/register.c:424 [inline]\n __do_sys_io_uring_register+0x5b9/0x2400 io_uring/register.c:613\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:15.197Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0c9df3df0c888d9ec8d11a68474a4aa04d371cff", }, { url: "https://git.kernel.org/stable/c/4429c6c77e176a4c5aa7a3bbd1632f9fc0582518", }, { url: "https://git.kernel.org/stable/c/54559642b96116b45e4b5ca7fd9f7835b8561272", }, ], title: "io_uring/rsrc: don't lock while !TASK_RUNNING", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, 
cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40922", datePublished: "2024-07-12T12:25:03.570Z", dateReserved: "2024-07-12T12:17:45.582Z", dateUpdated: "2024-12-19T09:08:15.197Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40937
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: Clear napi->skb before dev_kfree_skb_any()
gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it
is freed with dev_kfree_skb_any(). This can result in a subsequent call
to napi_get_frags returning a dangling pointer.
Fix this by clearing napi->skb before the skb is freed.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 9b8dd5e5ea48bbb7532d20c4093a79d8283e4029
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.542Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40937", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:04:39.753649Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:26.574Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/google/gve/gve_rx_dqo.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "75afd8724739ee5ed8165acde5f6ac3988b485cc", status: "affected", version: "9b8dd5e5ea48bbb7532d20c4093a79d8283e4029", versionType: "git", }, { lessThan: "d221284991118c0ab16480b53baecd857c0bc442", status: "affected", version: "9b8dd5e5ea48bbb7532d20c4093a79d8283e4029", versionType: "git", }, { lessThan: "2ce5341c36993b776012601921d7688693f8c037", status: "affected", version: "9b8dd5e5ea48bbb7532d20c4093a79d8283e4029", versionType: "git", }, { lessThan: "a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50", status: "affected", version: 
"9b8dd5e5ea48bbb7532d20c4093a79d8283e4029", versionType: "git", }, { lessThan: "6f4d93b78ade0a4c2cafd587f7b429ce95abb02e", status: "affected", version: "9b8dd5e5ea48bbb7532d20c4093a79d8283e4029", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/google/gve/gve_rx_dqo.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). 
This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:32.705Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc", }, { url: "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442", }, { url: "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037", }, { url: "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50", }, { url: "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e", }, ], title: "gve: Clear napi->skb before dev_kfree_skb_any()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40937", datePublished: "2024-07-12T12:25:13.807Z", dateReserved: "2024-07-12T12:17:45.584Z", dateUpdated: "2024-12-19T09:08:32.705Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40951
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()
bdev->bd_super has been removed and commit 8887b94d9322 change the usage
from bdev->bd_super to b_assoc_map->host->i_sb. Since ocfs2 hasn't set
bh->b_assoc_map, it will trigger NULL pointer dereference when calling
into ocfs2_abort_trigger().
Actually this was pointed out in history, see commit 74e364ad1b13. But
I've made a mistake when reviewing commit 8887b94d9322 and then
re-introduce this regression.
Since we cannot revive bdev in buffer head, so fix this issue by
initializing all types of ocfs2 triggers when fill super, and then get the
specific ocfs2 trigger from ocfs2_caching_info when access journal.
[joseph.qi@linux.alibaba.com: v2]
Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.313Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/67bcecd780609f471260a8c83fb0ae15f27734ce", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/eb63357ef229fae061ce7ce2839d558681c42f1a", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/685d03c3795378fca6a1b3d43581f7f1a3fc095f", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40951", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:58.522422Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:24.753Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/journal.c", "fs/ocfs2/ocfs2.h", "fs/ocfs2/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "67bcecd780609f471260a8c83fb0ae15f27734ce", status: "affected", version: "8887b94d93224e0ef7e1bc6369640e313b8b12f4", versionType: "git", }, { lessThan: "eb63357ef229fae061ce7ce2839d558681c42f1a", status: "affected", version: "8887b94d93224e0ef7e1bc6369640e313b8b12f4", versionType: "git", }, { lessThan: "685d03c3795378fca6a1b3d43581f7f1a3fc095f", status: "affected", version: "8887b94d93224e0ef7e1bc6369640e313b8b12f4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/journal.c", "fs/ocfs2/ocfs2.h", "fs/ocfs2/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", 
status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()\n\nbdev->bd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev->bd_super to b_assoc_map->host->i_sb. Since ocfs2 hasn't set\nbh->b_assoc_map, it will trigger NULL pointer dereference when calling\ninto ocfs2_abort_trigger().\n\nActually this was pointed out in history, see commit 74e364ad1b13. But\nI've made a mistake when reviewing commit 8887b94d9322 and then\nre-introduce this regression.\n\nSince we cannot revive bdev in buffer head, so fix this issue by\ninitializing all types of ocfs2 triggers when fill super, and then get the\nspecific ocfs2 trigger from ocfs2_caching_info when access journal.\n\n[joseph.qi@linux.alibaba.com: v2]\n Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:48.039Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/67bcecd780609f471260a8c83fb0ae15f27734ce", }, { url: "https://git.kernel.org/stable/c/eb63357ef229fae061ce7ce2839d558681c42f1a", }, { url: "https://git.kernel.org/stable/c/685d03c3795378fca6a1b3d43581f7f1a3fc095f", }, ], title: "ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40951", datePublished: "2024-07-12T12:31:55.493Z", 
dateReserved: "2024-07-12T12:17:45.591Z", dateUpdated: "2024-12-19T09:08:48.039Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39503
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
Lion Ackermann reported that there is a race condition between namespace cleanup
in ipset and the garbage collection of the list:set type. The namespace
cleanup can destroy the list:set type of sets while the gc of the set type is
waiting to run in rcu cleanup. The latter uses data from the destroyed set which
thus leads use after free. The patch contains the following parts:
- When destroying all sets, first remove the garbage collectors, then wait
if needed and then destroy the sets.
- Fix the badly ordered "wait then remove gc" for the destroy a single set
case.
- Fix the missing rcu locking in the list:set type in the userspace test
case.
- Use proper RCU list handlings in the list:set type.
The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c7f2733e5011bfd136f1ca93497394d43aa76225<br>Version: a24d5f2ac8ef702a58e55ec276aad29b4bd97e05<br>Version: c2dc077d8f722a1c73a24e674f925602ee5ece49<br>Version: 653bc5e6d9995d7d5f497c665b321875a626161c<br>Version: b93a6756a01f4fd2f329a39216f9824c56a66397<br>Version: 97f7cf1cd80eeed3b7c808b7c12463295c751001<br>Version: 97f7cf1cd80eeed3b7c808b7c12463295c751001
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:26:15.850Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-39503", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:07:04.128981Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:40.232Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netfilter/ipset/ip_set_core.c", "net/netfilter/ipset/ip_set_list_set.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3", status: "affected", version: "c7f2733e5011bfd136f1ca93497394d43aa76225", versionType: "git", }, { lessThan: "93b53c202b51a69e42ca57f5a183f7e008e19f83", status: "affected", version: "a24d5f2ac8ef702a58e55ec276aad29b4bd97e05", 
versionType: "git", }, { lessThan: "0f1bb77c6d837c9513943bc7c08f04c5cc5c6568", status: "affected", version: "c2dc077d8f722a1c73a24e674f925602ee5ece49", versionType: "git", }, { lessThan: "390b353d1a1da3e9c6c0fd14fe650d69063c95d6", status: "affected", version: "653bc5e6d9995d7d5f497c665b321875a626161c", versionType: "git", }, { lessThan: "2ba35b37f780c6410bb4bba9c3072596d8576702", status: "affected", version: "b93a6756a01f4fd2f329a39216f9824c56a66397", versionType: "git", }, { lessThan: "90ae20d47de602198eb69e6cd7a3db3420abfc08", status: "affected", version: "97f7cf1cd80eeed3b7c808b7c12463295c751001", versionType: "git", }, { lessThan: "4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10", status: "affected", version: "97f7cf1cd80eeed3b7c808b7c12463295c751001", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/netfilter/ipset/ip_set_core.c", "net/netfilter/ipset/ip_set_list_set.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.279", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.221", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.162", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.95", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix race between 
namespace cleanup and gc in the list:set type\n\nLion Ackermann reported that there is a race condition between namespace cleanup\nin ipset and the garbage collection of the list:set type. The namespace\ncleanup can destroy the list:set type of sets while the gc of the set type is\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\nthus leads use after free. The patch contains the following parts:\n\n- When destroying all sets, first remove the garbage collectors, then wait\n if needed and then destroy the sets.\n- Fix the badly ordered \"wait then remove gc\" for the destroy a single set\n case.\n- Fix the missing rcu locking in the list:set type in the userspace test\n case.\n- Use proper RCU list handlings in the list:set type.\n\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:07:27.134Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3", }, { url: "https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83", }, { url: "https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568", }, { url: "https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6", }, { url: "https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702", }, { url: "https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08", }, { url: "https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10", }, ], title: "netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-39503", datePublished: "2024-07-12T12:20:36.299Z", dateReserved: "2024-06-25T14:23:23.752Z", dateUpdated: 
"2024-12-19T09:07:27.134Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40966
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: add the option to have a tty reject a new ldisc
... and use it to limit the virtual terminals to just N_TTY. They are
kind of special, and in particular, the "con_write()" routine violates
the "writes cannot sleep" rule that some ldiscs rely on.
This avoids the
BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659
when N_GSM has been attached to a virtual console, and gsmld_write()
calls con_write() while holding a spinlock, and con_write() then tries
to get the console lock.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.123Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40966", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:03:10.358016Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:23.131Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/tty/tty_ldisc.c", "drivers/tty/vt/vt.c", "include/linux/tty_driver.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3c6332f3bb1578b5b10ac2561247b1d6272ae937", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "287b569a5b914903ba7c438a3c0dbc3410ebb409", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5920ac19964f9e20181f63b410d9200ddbf8dc86", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { 
defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/tty/tty_ldisc.c", "drivers/tty/vt/vt.c", "include/linux/tty_driver.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.96", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: add the option to have a tty reject a new ldisc\n\n... and use it to limit the virtual terminals to just N_TTY. They are\nkind of special, and in particular, the \"con_write()\" routine violates\nthe \"writes cannot sleep\" rule that some ldiscs rely on.\n\nThis avoids the\n\n BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\n\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\ncalls con_write() while holding a spinlock, and con_write() then tries\nto get the console lock.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:06.084Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937", }, { url: "https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409", }, { url: "https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86", }, { url: "https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b", }, ], title: "tty: add the option to have a tty reject a new ldisc", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: 
"Linux", cveId: "CVE-2024-40966", datePublished: "2024-07-12T12:32:06.122Z", dateReserved: "2024-07-12T12:17:45.602Z", dateUpdated: "2024-12-19T09:09:06.084Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40925
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix request.queuelist usage in flush
Friedrich Weber reported a kernel crash problem and bisected to commit
81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine").
The root cause is that we use "list_move_tail(&rq->queuelist, pending)"
in the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since
it's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch().
We don't initialize its queuelist just for this first request, although
the queuelist of all later popped requests will be initialized.
Fix it by changing to use "list_add_tail(&rq->queuelist, pending)" so
rq->queuelist doesn't need to be initialized. It should be ok since rq
can't be on any list when PREFLUSH or POSTFLUSH, has no move actually.
Please note the commit 81ada09cc25e ("blk-flush: reuse rq queuelist in
flush state machine") also has another requirement that no drivers would
touch rq->queuelist after blk_mq_end_request() since we will reuse it to
add rq to the post-flush pending list in POSTFLUSH. If this is not true,
we will have to revert that commit IMHO.
This updated version adds "list_del_init(&rq->queuelist)" in flush rq
callback since the dm layer may submit request of a weird invalid format
(REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add
if without this "list_del_init(&rq->queuelist)". The weird invalid format
problem should be fixed in dm layer.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:56.086Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/fe1e395563ccb051e9dbd8fa99859f5caaad2e71", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/87907bd69721a8506618a954d41a1de3040e88aa", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/d0321c812d89c5910d8da8e4b10c891c6b96ff70", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40925", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:17.851843Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:03.370Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/blk-flush.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fe1e395563ccb051e9dbd8fa99859f5caaad2e71", status: "affected", version: "81ada09cc25e4bf2de7d2951925fb409338a545d", versionType: "git", }, { lessThan: "87907bd69721a8506618a954d41a1de3040e88aa", status: "affected", version: "81ada09cc25e4bf2de7d2951925fb409338a545d", versionType: "git", }, { lessThan: "d0321c812d89c5910d8da8e4b10c891c6b96ff70", status: "affected", version: "81ada09cc25e4bf2de7d2951925fb409338a545d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "block/blk-flush.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: 
"6.6.*", status: "unaffected", version: "6.6.35", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix request.queuelist usage in flush\n\nFriedrich Weber reported a kernel crash problem and bisected to commit\n81ada09cc25e (\"blk-flush: reuse rq queuelist in flush state machine\").\n\nThe root cause is that we use \"list_move_tail(&rq->queuelist, pending)\"\nin the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since\nit's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch().\nWe don't initialize its queuelist just for this first request, although\nthe queuelist of all later popped requests will be initialized.\n\nFix it by changing to use \"list_add_tail(&rq->queuelist, pending)\" so\nrq->queuelist doesn't need to be initialized. It should be ok since rq\ncan't be on any list when PREFLUSH or POSTFLUSH, has no move actually.\n\nPlease note the commit 81ada09cc25e (\"blk-flush: reuse rq queuelist in\nflush state machine\") also has another requirement that no drivers would\ntouch rq->queuelist after blk_mq_end_request() since we will reuse it to\nadd rq to the post-flush pending list in POSTFLUSH. If this is not true,\nwe will have to revert that commit IMHO.\n\nThis updated version adds \"list_del_init(&rq->queuelist)\" in flush rq\ncallback since the dm layer may submit request of a weird invalid format\n(REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add\nif without this \"list_del_init(&rq->queuelist)\". 
The weird invalid format\nproblem should be fixed in dm layer.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:18.710Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fe1e395563ccb051e9dbd8fa99859f5caaad2e71", }, { url: "https://git.kernel.org/stable/c/87907bd69721a8506618a954d41a1de3040e88aa", }, { url: "https://git.kernel.org/stable/c/d0321c812d89c5910d8da8e4b10c891c6b96ff70", }, ], title: "block: fix request.queuelist usage in flush", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40925", datePublished: "2024-07-12T12:25:05.747Z", dateReserved: "2024-07-12T12:17:45.582Z", dateUpdated: "2024-12-19T09:08:18.710Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-40930
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-12-19 09:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: validate HE operation element parsing
Validate that the HE operation element has the correct
length before parsing it.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.787Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f15e3e13e14cc5ae8f950c16efe706add18ac8e2", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/4dc3a3893dae5a7f73e5809273aca0f1f3548d55", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40930", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:05:02.066310Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:33:02.818Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/wireless/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f15e3e13e14cc5ae8f950c16efe706add18ac8e2", status: "affected", version: "645f3d85129d8aac3b896ba685fbc20a31c2c036", versionType: "git", }, { lessThan: "4dc3a3893dae5a7f73e5809273aca0f1f3548d55", status: "affected", version: "645f3d85129d8aac3b896ba685fbc20a31c2c036", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/wireless/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following 
vulnerability has been resolved:\n\nwifi: cfg80211: validate HE operation element parsing\n\nValidate that the HE operation element has the correct\nlength before parsing it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:08:24.451Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f15e3e13e14cc5ae8f950c16efe706add18ac8e2", }, { url: "https://git.kernel.org/stable/c/4dc3a3893dae5a7f73e5809273aca0f1f3548d55", }, ], title: "wifi: cfg80211: validate HE operation element parsing", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40930", datePublished: "2024-07-12T12:25:09.110Z", dateReserved: "2024-07-12T12:17:45.583Z", dateUpdated: "2024-12-19T09:08:24.451Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-39500
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
sock_map: avoid race between sock_map_close and sk_psock_put
sk_psock_get will return NULL if the refcount of psock has gone to 0, which
will happen when the last call of sk_psock_put is done. However,
sk_psock_drop may not have finished yet, so the close callback will still
point to sock_map_close despite psock being NULL.
This can be reproduced with a thread deleting an element from the sock map,
while the second one creates a socket, adds it to the map and closes it.
That will trigger the WARN_ON_ONCE:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
Modules linked in:
CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
Code: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02
RSP: 0018:ffffc9000441fda8 EFLAGS: 00010293
RAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000
RDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0
RBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3
R10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840
R13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870
FS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0
Call Trace:
<TASK>
unix_release+0x87/0xc0 net/unix/af_unix.c:1048
__sock_release net/socket.c:659 [inline]
sock_close+0xbe/0x240 net/socket.c:1421
__fput+0x42b/0x8a0 fs/file_table.c:422
__do_sys_close fs/open.c:1556 [inline]
__se_sys_close fs/open.c:1541 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1541
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb37d618070
Code: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
RSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070
RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Use sk_psock, which will only check that the pointer is not been set to
NULL yet, which should only happen after the callbacks are restored. If,
then, a reference can still be gotten, we may call sk_psock_stop and cancel
psock->work.
As suggested by Paolo Abeni, reorder the condition so the control flow is
less convoluted.
After that change, the reproducer does not trigger the WARN_ON_ONCE
anymore.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: aadb2bb83ff789de63b48b4edeab7329423a50d3<br>Version: aadb2bb83ff789de63b48b4edeab7329423a50d3<br>Version: aadb2bb83ff789de63b48b4edeab7329423a50d3<br>Version: aadb2bb83ff789de63b48b4edeab7329423a50d3<br>Version: aadb2bb83ff789de63b48b4edeab7329423a50d3
cve-2024-40967
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: imx: Introduce timeout when waiting on transmitter empty
By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential
deadlock.
In case of the timeout, there is not much we can do, so we simply ignore
the transmitter state and optimistically try to continue.
References
Impacted products
cve-2024-41004
Vulnerability from cvelistv5
Published
2024-07-12 12:44
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Build event generation tests only as modules
The kprobes and synth event generation test modules add events and lock
(get a reference to) those event files in the module init function,
and unlock and delete them in the module exit function. This is because they
are designed to run as modules.
If we make those modules built-in, those events are left locked in the
kernel and are never removed. This causes the kprobe event self-test failure
shown below.
[ 97.349708] ------------[ cut here ]------------
[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.357106] Modules linked in:
[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14
[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90
[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286
[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000
[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68
[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000
[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000
[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000
[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0
[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 97.391196] Call Trace:
[ 97.391967] <TASK>
[ 97.392647] ? __warn+0xcc/0x180
[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.395181] ? report_bug+0xbd/0x150
[ 97.396234] ? handle_bug+0x3e/0x60
[ 97.397311] ? exc_invalid_op+0x1a/0x50
[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20
[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20
[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90
[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.403773] ? init_kprobe_trace+0x50/0x50
[ 97.404972] do_one_initcall+0x112/0x240
[ 97.406113] do_initcall_level+0x95/0xb0
[ 97.407286] ? kernel_init+0x1a/0x1a0
[ 97.408401] do_initcalls+0x3f/0x70
[ 97.409452] kernel_init_freeable+0x16f/0x1e0
[ 97.410662] ? rest_init+0x1f0/0x1f0
[ 97.411738] kernel_init+0x1a/0x1a0
[ 97.412788] ret_from_fork+0x39/0x50
[ 97.413817] ? rest_init+0x1f0/0x1f0
[ 97.414844] ret_from_fork_asm+0x11/0x20
[ 97.416285] </TASK>
[ 97.417134] irq event stamp: 13437323
[ 97.418376] hardirqs last enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150
[ 97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150
[ 97.423838] softirqs last enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0
[ 97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0
[ 97.428850] ---[ end trace 0000000000000000 ]---
Also, since we cannot clean up the dynamic_event file, ftracetest fails
too.
To avoid these issues, build these tests only as modules.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 9fe41efaca08416657efa8731c0d47ccb6a3f3eb
cve-2024-40971
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: remove clear SB_INLINECRYPT flag in default_options
In f2fs_remount, the SB_INLINECRYPT flag is cleared and then set again.
If a file is created or opened during this gap, it will not use
inlinecrypt. In the worst case, this may lead to data corruption if
wrappedkey_v0 is enabled.
Thread A:                          Thread B:
-f2fs_remount                      -f2fs_file_open or f2fs_new_inode
  -default_options
    <- clear SB_INLINECRYPT flag
                                     -fscrypt_select_encryption_impl
  -parse_options
    <- set SB_INLINECRYPT again
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
cve-2024-39505
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2024-12-19 09:07
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/komeda: check for error-valued pointer
komeda_pipeline_get_state() may return an error-valued pointer, thus
check the pointer for negative or null value before dereferencing.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 502932a03fceca1cb161eba5f30b18eb640aa8de
cve-2024-40973
Vulnerability from cvelistv5
Published
2024-07-12 12:32
Modified
2024-12-19 09:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mtk-vcodec: potential null pointer deference in SCP
The return value of devm_kzalloc() needs to be checked to avoid
NULL pointer deference. This is similar to CVE-2022-3113.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:39:55.906Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b", }, { tags: [ "x_transferred", ], url: "https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-40973", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T17:02:47.755849Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-11T17:34:22.314Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f066882293b5ad359e44c4ed24ab1811ffb0b354", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3a693c7e243b932faee5c1fb728efa73f0abc39b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "53dbe08504442dc7ba4865c09b3bbf5fe849681b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", 
version: "6.6.36", versionType: "semver", }, { lessThanOrEqual: "6.9.*", status: "unaffected", version: "6.9.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.10", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-vcodec: potential null pointer deference in SCP\n\nThe return value of devm_kzalloc() needs to be checked to avoid\nNULL pointer deference. This is similar to CVE-2022-3113.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:09:14.346Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354", }, { url: "https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b", }, { url: "https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b", }, ], title: "media: mtk-vcodec: potential null pointer deference in SCP", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-40973", datePublished: "2024-07-12T12:32:10.763Z", dateReserved: "2024-07-12T12:17:45.603Z", dateUpdated: "2024-12-19T09:09:14.346Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }