wid-sec-w-2024-1888
Vulnerability from csaf_certbund
Published
2024-08-20 22:00
Modified
2025-01-20 23:00
Summary
Linux Kernel: Multiple vulnerabilities
Notes
The BSI, as provider, is responsible under general law for its own content made available for use. Users are, however, responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description
The kernel is the core of the Linux operating system.
Attack
A local attacker can exploit multiple vulnerabilities in the Linux kernel to cause a denial-of-service condition or to carry out an unspecified attack.
Affected operating systems
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Der Kernel stellt den Kern des Linux Betriebssystems dar.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen unspezifischen Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-1888 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1888.json", }, { category: "self", summary: "WID-SEC-2024-1888 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1888", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48887 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082109-CVE-2022-48887-4019@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48889 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082109-CVE-2022-48889-c929@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48890 vom 2024-08-20", url: 
"https://lore.kernel.org/linux-cve-announce/2024082109-CVE-2022-48890-7f36@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48891 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082109-CVE-2022-48891-e463@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48892 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082110-CVE-2022-48892-3458@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48893 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082110-CVE-2022-48893-8d4c@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48894 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082110-CVE-2022-48894-7997@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48895 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082110-CVE-2022-48895-1370@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48896 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082110-CVE-2022-48896-7c80@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52899 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082112-CVE-2023-52899-f644@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52900 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082112-CVE-2023-52900-32f2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52901 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082113-CVE-2023-52901-c9fb@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52902 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082113-CVE-2023-52902-d3fa@gregkh/", }, { category: 
"external", summary: "Linux Kernel CVE Announcement CVE-2023-52903 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082113-CVE-2023-52903-ad59@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52904 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082113-CVE-2023-52904-b85a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52905 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082113-CVE-2023-52905-53fd@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52906 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082114-CVE-2023-52906-7967@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52907 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082114-CVE-2023-52907-faaf@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52908 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082114-CVE-2023-52908-537f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52909 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082114-CVE-2023-52909-f80d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52910 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082115-CVE-2023-52910-3067@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52911 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082115-CVE-2023-52911-28fa@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52912 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082115-CVE-2023-52912-a6c0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52913 vom 2024-08-20", url: 
"https://lore.kernel.org/linux-cve-announce/2024082115-CVE-2023-52913-5347@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52914 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082115-CVE-2023-52914-473c@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43869 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082133-CVE-2024-43869-26aa@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43870 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082135-CVE-2024-43870-2b6f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43871 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082136-CVE-2024-43871-c2cd@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43872 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082136-CVE-2024-43872-c87e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43873 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082136-CVE-2024-43873-c547@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43874 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082136-CVE-2024-43874-edda@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43875 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082136-CVE-2024-43875-1257@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43876 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082137-CVE-2024-43876-793b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43877 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082137-CVE-2024-43877-e8e4@gregkh/", }, { category: 
"external", summary: "Linux Kernel CVE Announcement CVE-2024-43878 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082137-CVE-2024-43878-2b2b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43879 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082137-CVE-2024-43879-95cb@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43880 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082137-CVE-2024-43880-78ec@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43881 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082138-CVE-2024-43881-ead4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43882 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082152-CVE-2024-43882-4fa4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43862 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082154-CVE-2024-43862-636a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43861 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082156-CVE-2024-43861-1958@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43863 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082156-CVE-2024-43863-9124@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43864 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082156-CVE-2024-43864-81ad@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43865 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082156-CVE-2024-43865-743d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43866 vom 2024-08-20", url: 
"https://lore.kernel.org/linux-cve-announce/2024082157-CVE-2024-43866-66ed@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43867 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082157-CVE-2024-43867-0620@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-43868 vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/2024082157-CVE-2024-43868-9a44@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcements vom 2024-08-20", url: "https://lore.kernel.org/linux-cve-announce/", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.10-2024-069 vom 2024-09-04", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-069.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.4-2024-083 vom 2024-09-04", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-083.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3189-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019404.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3195-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019407.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3190-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019403.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3194-1 vom 2024-09-10", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019400.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3209-1 vom 2024-09-11", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YNWVZVIFSX7PLBJX3I3PDZ4MIBERTN2Y/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3227-1 vom 
2024-09-12", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019430.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3225-1 vom 2024-09-12", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019432.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3252-1 vom 2024-09-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019436.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3249-1 vom 2024-09-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019438.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3251-1 vom 2024-09-16", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019435.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3383-1 vom 2024-09-23", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019497.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:7001 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:7001", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3408-1 vom 2024-09-24", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/TGC7PQ5QNGEZWYIHCKH2KPZMGYJ4VN6B/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:7000 vom 2024-09-24", url: "https://access.redhat.com/errata/RHSA-2024:7000", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-7000 vom 2024-09-26", url: "https://linux.oracle.com/errata/ELSA-2024-7000.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3467-1 vom 2024-09-27", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019532.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3483-1 vom 2024-09-29", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2HO244EHQ65DPDJ2NOBAXLG7QYWSCUMA/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3483-1 vom 2024-09-29", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2HO244EHQ65DPDJ2NOBAXLG7QYWSCUMA/", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:7001 vom 2024-09-30", url: "https://errata.build.resf.org/RLSA-2024:7001", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3499-1 vom 2024-09-30", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019536.html", }, { category: "external", summary: "Debian Security Advisory DLA-3912 vom 2024-10-07", url: "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3551-1 vom 2024-10-08", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/Q7MIMQMCXNGMVS32KLTADYTPQCKF5HWU/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3561-1 vom 2024-10-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LSUY4BSWS5WR46CHS4FPBIJIRLKHRDHV/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3564-1 vom 2024-10-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/R7FS3QARF7WUPH5GFL22NW3G3SDO2C7Z/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12780 vom 2024-10-14", url: "https://linux.oracle.com/errata/ELSA-2024-12780.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12782 vom 2024-10-14", url: "https://linux.oracle.com/errata/ELSA-2024-12782.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8318 vom 2024-10-23", url: "https://access.redhat.com/errata/RHSA-2024:8318", }, { 
category: "external", summary: "Amazon Linux Security Advisory ALAS-2024-2658 vom 2024-11-01", url: "https://alas.aws.amazon.com/AL2/ALAS-2024-2658.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-1 vom 2024-10-31", url: "https://ubuntu.com/security/notices/USN-7088-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-2 vom 2024-11-04", url: "https://ubuntu.com/security/notices/USN-7088-2", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8870 vom 2024-11-05", url: "https://access.redhat.com/errata/RHSA-2024:8870", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:8856 vom 2024-11-05", url: "https://access.redhat.com/errata/RHSA-2024:8856", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-8856 vom 2024-11-06", url: "https://linux.oracle.com/errata/ELSA-2024-8856.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-3 vom 2024-11-06", url: "https://ubuntu.com/security/notices/USN-7088-3", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:8870 vom 2024-11-08", url: "https://errata.build.resf.org/RLSA-2024:8870", }, { category: "external", summary: "Ubuntu Security Notice USN-7100-1 vom 2024-11-11", url: "https://ubuntu.com/security/notices/USN-7100-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7100-2 vom 2024-11-12", url: "https://ubuntu.com/security/notices/USN-7100-2", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:9315 vom 2024-11-12", url: "https://access.redhat.com/errata/RHSA-2024:9315", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12815 vom 2024-11-13", url: "https://linux.oracle.com/errata/ELSA-2024-12815.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3985-1 vom 2024-11-13", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KB6DG7QR5KXDQRV57H4IY2TB2LW42K4S/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3983-1 vom 2024-11-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QUOFKELDJYP3JMHIXPCVKVI4REVXAKTX/", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-5 vom 2024-11-14", url: "https://ubuntu.com/security/notices/USN-7088-5", }, { category: "external", summary: "Ubuntu Security Notice USN-7119-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7119-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7120-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7120-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7121-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7121-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7120-2 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7120-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7123-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7123-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7121-2 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7121-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7120-3 vom 2024-11-21", url: "https://ubuntu.com/security/notices/USN-7120-3", }, { category: "external", summary: "Debian Security Advisory DSA-5818 vom 2024-11-24", url: "https://lists.debian.org/debian-security-announce/2024/msg00233.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7121-3 vom 2024-11-25", url: "https://ubuntu.com/security/notices/USN-7121-3", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4082-1 vom 2024-11-27", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019851.html", }, { category: 
"external", summary: "SUSE Security Update SUSE-SU-2024:4100-1 vom 2024-11-28", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019864.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4141-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019888.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4122-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019885.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4125-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019882.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4120-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019886.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4127-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019881.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4123-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019884.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4129-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019879.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4139-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019889.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4131-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019887.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4124-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019883.html", 
}, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4128-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019880.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4161-1 vom 2024-12-04", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/R6RFOLIFPTX44BLCDCF6HLSN7S4I4YXH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4160-1 vom 2024-12-03", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019905.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4177-1 vom 2024-12-04", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019912.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4170-1 vom 2024-12-04", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019913.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4177-1 vom 2024-12-04", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/EXGR6SY2Q2Z3TLER4MUKW35TYBEOJEMH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4180-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3ACAYSLQECATBMYSIXEOONW3SJQYVWGD/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4179-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/CIKG67SDI2FHVFOUWGSFTWXBX6AJTWEQ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4177-1 vom 2024-12-04", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EXGR6SY2Q2Z3TLER4MUKW35TYBEOJEMH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4197-1 vom 2024-12-05", url: 
"https://lists.suse.com/pipermail/sle-security-updates/2024-December/019927.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4209-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VJP47EXIE7RQJ2MRSR6HYMNI52GICWOP/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4207-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KHOJJYPB3I2C5FKMLHD5WFCQI342KAXA/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4210-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/67TGK2LDMDGINETA7HTYVAUONB6OAZD5/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4217-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/M53UYAMNDLCCFQJMB3EWLVYJENF2J65Z/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4220-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5LS3ZVBG6LNL6BFVLEKSCPDDZTE7XQIS/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4206-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/FSWHAR4P5O4W4NVL7QLKN3Y3Z6UJX4CO/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4214-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/P4UZ4KLYIQHACIYR7LE2ANITUCPLWFYS/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4216-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KZC5ZXKVE5JSNEKEAICAO52WN7SOJCTX/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4218-1 vom 2024-12-06", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4UVNDL3CU4NHVPE7QELR2N5HRCDSMYEV/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4208-1 vom 2024-12-05", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HJOOCIMJWVQXHEUVET7W2XBWXJY6XR6M/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4195-1 vom 2024-12-05", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019928.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4219-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019940.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4221-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019938.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4228-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SUCQUP757AUWMZNCNQ2DGQICEYBRZUIC/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4235-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LIMMCWFWYJUMJTABZZ7ZEYXOOVE5BZY7/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4231-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019946.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4226-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019950.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4237-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BCHNVYFKS4NR3DL7MH6Y4ESWA6J2GMMA/", }, { category: "external", summary: "SUSE Security Update 
SUSE-SU-2024:4242-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019958.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4239-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019961.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4241-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019959.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4249-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019953.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4240-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/EUR2PWCHWG65STMTPQUOUBDQ33SYE74N/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4236-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ODASOBSBN3UUGHNO44MK2K4MC35CPLXJ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4234-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/B6RMLGICBLD3BNXSBS7J23W3GCEJMFJA/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4230-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DMN7SCFOSTXIR74OFGMHOJLOSHZOF3RH/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4248-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019954.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4247-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019955.html", }, { category: "external", summary: "SUSE Security Update 
SUSE-SU-2024:4243-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GDL3TRRFKGYVQIW7MMTUJS76GCW7B3JZ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4256-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/34BVCDIDBQSXQ6Y3TVDGD4FSZ7N3D3LI/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4246-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3LFFLGXO55CBY4WD74GYLL6CL2HWJM2Q/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4250-1 vom 2024-12-06", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019952.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4227-1 vom 2024-12-06", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/R6NJTIPCJBC7ULVGL3ST3ZEMPJQ6UE7K/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4264-1 vom 2024-12-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SZPUHL7SUZ57L3OJFO25IHYVDJ76ONGC/", }, { category: "external", summary: "Ubuntu Security Notice USN-7144-1 vom 2024-12-09", url: "https://ubuntu.com/security/notices/USN-7144-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4263-1 vom 2024-12-09", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019971.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4261-1 vom 2024-12-09", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019973.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4268-1 vom 2024-12-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4R24RCLIOBNAGXYRDUNMPGCPFAUIOAF3/", }, { category: "external", 
summary: "SUSE Security Update SUSE-SU-2024:4262-1 vom 2024-12-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AF5MYHVYCHCM3AIO34JSXWJNP2WUCOHS/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12868 vom 2024-12-09", url: "https://linux.oracle.com/errata/ELSA-2024-12868.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4265-1 vom 2024-12-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LFH2MVQS6KSRYDULB5KJQ5L72KPQCO6L/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4266-1 vom 2024-12-09", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RRJRAM3LFR4MNOHCFB2XIOS6OJUDNUPE/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4275-1 vom 2024-12-10", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTZ2WGLML4Q6E3IG32UCJ6NFIDUTWN22/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4275-1 vom 2024-12-10", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YTZ2WGLML4Q6E3IG32UCJ6NFIDUTWN22/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4276-1 vom 2024-12-10", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/OANRUYCXIPE5N4KSSYCB3BUCEHKCKHCH/", }, { category: "external", summary: "Ubuntu Security Notice USN-7148-1 vom 2024-12-10", url: "https://ubuntu.com/security/notices/USN-7148-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7154-1 vom 2024-12-12", url: "https://ubuntu.com/security/notices/USN-7154-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7156-1 vom 2024-12-12", url: "https://ubuntu.com/security/notices/USN-7156-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7155-1 vom 2024-12-12", url: 
"https://ubuntu.com/security/notices/USN-7155-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4364-1 vom 2024-12-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020019.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7166-1 vom 2024-12-17", url: "https://ubuntu.com/security/notices/USN-7166-1", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12887 vom 2024-12-18", url: "https://linux.oracle.com/errata/ELSA-2024-12887.html", }, { category: "external", summary: "Ubuntu Security Notice LSN-0108-1 vom 2024-12-19", url: "https://ubuntu.com/security/notices/LSN-0108-1", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.15-2024-059 vom 2024-12-19", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-059.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7166-3 vom 2024-12-20", url: "https://ubuntu.com/security/notices/USN-7166-3", }, { category: "external", summary: "Debian Security Advisory DLA-4008 vom 2025-01-03", url: "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7154-2 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7154-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7186-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7186-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0034-1 vom 2025-01-08", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020071.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7186-2 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7186-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7196-1 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7196-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7194-1 vom 
2025-01-09", url: "https://ubuntu.com/security/notices/USN-7194-1", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-9315 vom 2025-01-13", url: "https://oss.oracle.com/pipermail/el-errata/2025-January/017000.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0091-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020100.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0090-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020101.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0089-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020102.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0084-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020104.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0101-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020116.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0106-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020113.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0097-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020107.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0105-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020114.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0103-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020115.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0107-1 vom 2025-01-14", url: 
"https://lists.suse.com/pipermail/sle-security-updates/2025-January/020112.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0109-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020110.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0114-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YC7MKFCHLBJHUQM2SLPOGVG4DUWP2J4E/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0115-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VK2D63Q2FKHJWXOLVAS7HPIWURVL3MQQ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0110-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PLWCG227VUGPKNXHW6FOCW727UUPVLLU/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0111-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2IXCN5JTEUUWORLKQVOQYQKMHTJ73CSG/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0124-1 vom 2025-01-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020125.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0132-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/U2TCRAW6MN33ZU3TBEQGGYRWFSJ6BPOU/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0131-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NVEFJ5TKVGVJIR3Y7Y6XQIAGC5P5TTK7/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0137-1 vom 2025-01-16", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YHBMZ4MND2ONRG4N26VJNJGAZBXMYEDV/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0138-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ET3TDUWYDTZV554NRC7LB5HGM4TCIIGZ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0146-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/C6ANXHEO54VUUFEWI6QYB2M3L2SS7OOW/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0150-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/USHZQFRYGMLVCVQRQLPH4FARDBDAEC6G/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0172-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020164.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0168-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020165.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0158-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020154.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0164-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020153.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0188-1 vom 2025-01-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020169.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0181-1 vom 2025-01-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020173.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0187-1 vom 2025-01-20", url: 
"https://lists.suse.com/pipermail/sle-security-updates/2025-January/020170.html", }, ], source_lang: "en-US", title: "Linux Kernel: Mehrere Schwachstellen", tracking: { current_release_date: "2025-01-20T23:00:00.000+00:00", generator: { date: "2025-01-21T09:09:46.056+00:00", engine: { name: "BSI-WID", version: "1.3.10", }, }, id: "WID-SEC-W-2024-1888", initial_release_date: "2024-08-20T22:00:00.000+00:00", revision_history: [ { date: "2024-08-20T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-09-04T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2024-09-10T22:00:00.000+00:00", number: "3", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-09-11T22:00:00.000+00:00", number: "4", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-09-12T22:00:00.000+00:00", number: "5", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-09-16T22:00:00.000+00:00", number: "6", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-09-23T22:00:00.000+00:00", number: "7", summary: "Neue Updates von SUSE und Red Hat aufgenommen", }, { date: "2024-09-25T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-09-29T22:00:00.000+00:00", number: "9", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-09-30T22:00:00.000+00:00", number: "10", summary: "Neue Updates von Rocky Enterprise Software Foundation und SUSE aufgenommen", }, { date: "2024-10-07T22:00:00.000+00:00", number: "11", summary: "Neue Updates von Debian aufgenommen", }, { date: "2024-10-08T22:00:00.000+00:00", number: "12", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-10-09T22:00:00.000+00:00", number: "13", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-10-14T22:00:00.000+00:00", number: "14", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-10-23T22:00:00.000+00:00", number: "15", summary: 
"Neue Updates von Red Hat aufgenommen", }, { date: "2024-10-31T23:00:00.000+00:00", number: "16", summary: "Neue Updates von Amazon und Ubuntu aufgenommen", }, { date: "2024-11-04T23:00:00.000+00:00", number: "17", summary: "Neue Updates von Ubuntu und Red Hat aufgenommen", }, { date: "2024-11-05T23:00:00.000+00:00", number: "18", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-11-10T23:00:00.000+00:00", number: "19", summary: "Neue Updates von Rocky Enterprise Software Foundation aufgenommen", }, { date: "2024-11-11T23:00:00.000+00:00", number: "20", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-12T23:00:00.000+00:00", number: "21", summary: "Neue Updates von Ubuntu und Red Hat aufgenommen", }, { date: "2024-11-13T23:00:00.000+00:00", number: "22", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-11-14T23:00:00.000+00:00", number: "23", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-19T23:00:00.000+00:00", number: "24", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-20T23:00:00.000+00:00", number: "25", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-21T23:00:00.000+00:00", number: "26", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-24T23:00:00.000+00:00", number: "27", summary: "Neue Updates von Debian aufgenommen", }, { date: "2024-11-25T23:00:00.000+00:00", number: "28", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-27T23:00:00.000+00:00", number: "29", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-11-28T23:00:00.000+00:00", number: "30", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-02T23:00:00.000+00:00", number: "31", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-03T23:00:00.000+00:00", number: "32", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-04T23:00:00.000+00:00", number: "33", summary: "Neue Updates von SUSE 
aufgenommen", }, { date: "2024-12-05T23:00:00.000+00:00", number: "34", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-08T23:00:00.000+00:00", number: "35", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-09T23:00:00.000+00:00", number: "36", summary: "Neue Updates von SUSE, Ubuntu und Oracle Linux aufgenommen", }, { date: "2024-12-10T23:00:00.000+00:00", number: "37", summary: "Neue Updates von SUSE und Ubuntu aufgenommen", }, { date: "2024-12-12T23:00:00.000+00:00", number: "38", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-12-17T23:00:00.000+00:00", number: "39", summary: "Neue Updates von SUSE und Ubuntu aufgenommen", }, { date: "2024-12-18T23:00:00.000+00:00", number: "40", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-12-19T23:00:00.000+00:00", number: "41", summary: "Neue Updates von Ubuntu und Amazon aufgenommen", }, { date: "2024-12-22T23:00:00.000+00:00", number: "42", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-02T23:00:00.000+00:00", number: "43", summary: "Neue Updates von Debian aufgenommen", }, { date: "2025-01-06T23:00:00.000+00:00", number: "44", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-08T23:00:00.000+00:00", number: "45", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-09T23:00:00.000+00:00", number: "46", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-13T23:00:00.000+00:00", number: "47", summary: "Neue Updates von Oracle Linux und SUSE aufgenommen", }, { date: "2025-01-14T23:00:00.000+00:00", number: "48", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-15T23:00:00.000+00:00", number: "49", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-16T23:00:00.000+00:00", number: "50", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-19T23:00:00.000+00:00", number: "51", summary: "Neue Updates von SUSE aufgenommen", }, { date: 
"2025-01-20T23:00:00.000+00:00", number: "52", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "52", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Debian Linux", product: { name: "Debian Linux", product_id: "2951", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:-", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { category: "product_name", name: "Open Source Linux Kernel", product: { name: "Open Source Linux Kernel", product_id: "T036987", product_identification_helper: { cpe: "cpe:/o:linux:linux_kernel:-", }, }, }, ], category: "vendor", name: "Open Source", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "RESF Rocky Linux", product: { name: "RESF Rocky Linux", product_id: "T032255", product_identification_helper: { cpe: "cpe:/o:resf:rocky_linux:-", }, }, }, ], category: "vendor", name: "RESF", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: 
"T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2022-48867", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48867", }, { cve: "CVE-2022-48868", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48868", }, { cve: "CVE-2022-48869", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. 
Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48869", }, { cve: "CVE-2022-48870", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48870", }, { cve: "CVE-2022-48871", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48871", }, { cve: "CVE-2022-48872", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48872", }, { cve: "CVE-2022-48873", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48873", }, { cve: "CVE-2022-48874", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48874", }, { cve: "CVE-2022-48875", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48875", }, { cve: "CVE-2022-48876", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48876", }, { cve: "CVE-2022-48877", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48877", }, { cve: "CVE-2022-48878", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48878", }, { cve: "CVE-2022-48879", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48879", }, { cve: "CVE-2022-48880", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48880", }, { cve: "CVE-2022-48881", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48881", }, { cve: "CVE-2022-48882", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48882", }, { cve: "CVE-2022-48883", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48883", }, { cve: "CVE-2022-48884", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48884", }, { cve: "CVE-2022-48885", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48885", }, { cve: "CVE-2022-48886", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48886", }, { cve: "CVE-2022-48887", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48887", }, { cve: "CVE-2022-48888", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48888", }, { cve: "CVE-2022-48889", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48889", }, { cve: "CVE-2022-48890", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48890", }, { cve: "CVE-2022-48891", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48891", }, { cve: "CVE-2022-48892", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48892", }, { cve: "CVE-2022-48893", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48893", }, { cve: "CVE-2022-48894", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48894", }, { cve: "CVE-2022-48895", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48895", }, { cve: "CVE-2022-48896", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48896", }, { cve: "CVE-2022-48897", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48897", }, { cve: "CVE-2022-48898", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48898", }, { cve: "CVE-2022-48899", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2022-48899", }, { cve: "CVE-2023-52893", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52893", }, { cve: "CVE-2023-52894", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52894", }, { cve: "CVE-2023-52895", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52895", }, { cve: "CVE-2023-52896", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52896", }, { cve: "CVE-2023-52897", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52897", }, { cve: "CVE-2023-52898", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52898", }, { cve: "CVE-2023-52899", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52899", }, { cve: "CVE-2023-52900", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52900", }, { cve: "CVE-2023-52901", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52901", }, { cve: "CVE-2023-52902", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52902", }, { cve: "CVE-2023-52903", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52903", }, { cve: "CVE-2023-52904", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52904", }, { cve: "CVE-2023-52905", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52905", }, { cve: "CVE-2023-52906", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52906", }, { cve: "CVE-2023-52907", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52907", }, { cve: "CVE-2023-52908", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52908", }, { cve: "CVE-2023-52909", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52909", }, { cve: "CVE-2023-52910", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52910", }, { cve: "CVE-2023-52911", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52911", }, { cve: "CVE-2023-52912", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52912", }, { cve: "CVE-2023-52913", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52913", }, { cve: "CVE-2023-52914", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2023-52914", }, { cve: "CVE-2024-43861", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43861", }, { cve: "CVE-2024-43862", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43862", }, { cve: "CVE-2024-43863", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43863", }, { cve: "CVE-2024-43864", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43864", }, { cve: "CVE-2024-43865", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43865", }, { cve: "CVE-2024-43866", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43866", }, { cve: "CVE-2024-43867", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43867", }, { cve: "CVE-2024-43868", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43868", }, { cve: "CVE-2024-43869", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43869", }, { cve: "CVE-2024-43870", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43870", }, { cve: "CVE-2024-43871", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43871", }, { cve: "CVE-2024-43872", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43872", }, { cve: "CVE-2024-43873", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43873", }, { cve: "CVE-2024-43874", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43874", }, { cve: "CVE-2024-43875", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43875", }, { cve: "CVE-2024-43876", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43876", }, { cve: "CVE-2024-43877", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43877", }, { cve: "CVE-2024-43878", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43878", }, { cve: "CVE-2024-43879", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43879", }, { cve: "CVE-2024-43880", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. 
Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43880", }, { cve: "CVE-2024-43881", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43881", }, { cve: "CVE-2024-43882", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in verschiedenen Komponenten und Subsystemen wie drm, iommu, net, nfsd oder ALSA, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer NULL- Pointer-Dereferenz, einem Speicherleck oder einem use-after-free. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen Angriff mit nicht näher bekannten Auswirkungen durchzuführen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T036987", "T000126", "398363", "T004914", "T032255", ], }, release_date: "2024-08-20T22:00:00.000+00:00", title: "CVE-2024-43882", }, ], }
cve-2022-48890
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM
storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),
which in a confidential VM allocates swiotlb bounce buffers. If the I/O
submission fails in storvsc_do_io(), the I/O is typically retried by higher
level code, but the bounce buffer memory is never freed. The most likely
cause of I/O submission failure is a full VMBus channel ring buffer, which
is not uncommon under high I/O loads. Eventually enough bounce buffer
memory leaks that the confidential VM can't do any I/O. The same problem
can arise in a non-confidential VM with kernel boot parameter
swiotlb=force.
Fix this by doing scsi_dma_unmap() in the case of an I/O submission
error, which frees the bounce buffer memory.
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48890", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:25.311779Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:55.107Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/storvsc_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "87c71e88f6a6619ffb1ff88f84dff48ef6d57adb", status: "affected", version: "743b237c3a7b0f5b44aa704aae8a1058877b6322", versionType: "git", }, { lessThan: "67ff3d0a49f3d445c3922e30a54e03c161da561e", status: "affected", version: "743b237c3a7b0f5b44aa704aae8a1058877b6322", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/storvsc_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM\n\nstorvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),\nwhich in a confidential VM allocates swiotlb bounce buffers. If the I/O\nsubmission fails in storvsc_do_io(), the I/O is typically retried by higher\nlevel code, but the bounce buffer memory is never freed. 
The mostly like\ncause of I/O submission failure is a full VMBus channel ring buffer, which\nis not uncommon under high I/O loads. Eventually enough bounce buffer\nmemory leaks that the confidential VM can't do any I/O. The same problem\ncan arise in a non-confidential VM with kernel boot parameter\nswiotlb=force.\n\nFix this by doing scsi_dma_unmap() in the case of an I/O submission\nerror, which frees the bounce buffer memory.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:56.978Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/87c71e88f6a6619ffb1ff88f84dff48ef6d57adb", }, { url: "https://git.kernel.org/stable/c/67ff3d0a49f3d445c3922e30a54e03c161da561e", }, ], title: "scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48890", datePublished: "2024-08-21T06:10:22.243Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:09:56.978Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43874
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked
Fix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE.
Return from __sev_snp_shutdown_locked() if the psp_device or the
sev_device structs are not initialized. Without the fix, the driver will
produce the following splat:
ccp 0000:55:00.5: enabling device (0000 -> 0002)
ccp 0000:55:00.5: sev enabled
ccp 0000:55:00.5: psp enabled
BUG: kernel NULL pointer dereference, address: 00000000000000f0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
CPU: 262 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1+ #29
RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150
Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83
RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb2ea4014b808
RBP: ffffb2ea4014b7e8 R08: 0000000000000106 R09: 000000000003d9c0
R10: 0000000000000001 R11: ffffffffa39ff070 R12: ffff9e49d40590c8
R13: 0000000000000000 R14: ffffb2ea4014b808 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff9e58b1e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000f0 CR3: 0000000418a3e001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body+0x6f/0xb0
? __die+0xcc/0xf0
? page_fault_oops+0x330/0x3a0
? save_trace+0x2a5/0x360
? do_user_addr_fault+0x583/0x630
? exc_page_fault+0x81/0x120
? asm_exc_page_fault+0x2b/0x30
? __sev_snp_shutdown_locked+0x2e/0x150
__sev_firmware_shutdown+0x349/0x5b0
? pm_runtime_barrier+0x66/0xe0
sev_dev_destroy+0x34/0xb0
psp_dev_destroy+0x27/0x60
sp_destroy+0x39/0x90
sp_pci_remove+0x22/0x60
pci_device_remove+0x4e/0x110
really_probe+0x271/0x4e0
__driver_probe_device+0x8f/0x160
driver_probe_device+0x24/0x120
__driver_attach+0xc7/0x280
? driver_attach+0x30/0x30
bus_for_each_dev+0x10d/0x130
driver_attach+0x22/0x30
bus_add_driver+0x171/0x2b0
? unaccepted_memory_init_kdump+0x20/0x20
driver_register+0x67/0x100
__pci_register_driver+0x83/0x90
sp_pci_init+0x22/0x30
sp_mod_init+0x13/0x30
do_one_initcall+0xb8/0x290
? sched_clock_noinstr+0xd/0x10
? local_clock_noinstr+0x3e/0x100
? stack_depot_save_flags+0x21e/0x6a0
? local_clock+0x1c/0x60
? stack_depot_save_flags+0x21e/0x6a0
? sched_clock_noinstr+0xd/0x10
? local_clock_noinstr+0x3e/0x100
? __lock_acquire+0xd90/0xe30
? sched_clock_noinstr+0xd/0x10
? local_clock_noinstr+0x3e/0x100
? __create_object+0x66/0x100
? local_clock+0x1c/0x60
? __create_object+0x66/0x100
? parameq+0x1b/0x90
? parse_one+0x6d/0x1d0
? parse_args+0xd7/0x1f0
? do_initcall_level+0x180/0x180
do_initcall_level+0xb0/0x180
do_initcalls+0x60/0xa0
? kernel_init+0x1f/0x1d0
do_basic_setup+0x41/0x50
kernel_init_freeable+0x1ac/0x230
? rest_init+0x1f0/0x1f0
kernel_init+0x1f/0x1d0
? rest_init+0x1f0/0x1f0
ret_from_fork+0x3d/0x50
? rest_init+0x1f0/0x1f0
ret_from_fork_asm+0x11/0x20
</TASK>
Modules linked in:
CR2: 00000000000000f0
---[ end trace 0000000000000000 ]---
RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150
Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83
RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000
RDX: 0000000
---truncated---
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43874", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:10.385758Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:18.142Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/crypto/ccp/sev-dev.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bbf2c94503f6a421ed9b79e300d8085810da765d", status: "affected", version: "1ca5614b84eed5904f65f143e0e7aaab0ac4c6b2", versionType: "git", }, { lessThan: "468e3295774d0edce15f4ae475913b5076dd4f40", status: "affected", version: "1ca5614b84eed5904f65f143e0e7aaab0ac4c6b2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/crypto/ccp/sev-dev.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked\n\nFix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE.\nReturn from __sev_snp_shutdown_locked() if the psp_device or the\nsev_device structs are not initialized. 
Without the fix, the driver will\nproduce the following splat:\n\n ccp 0000:55:00.5: enabling device (0000 -> 0002)\n ccp 0000:55:00.5: sev enabled\n ccp 0000:55:00.5: psp enabled\n BUG: kernel NULL pointer dereference, address: 00000000000000f0\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI\n CPU: 262 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1+ #29\n RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150\n Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83\n RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb2ea4014b808\n RBP: ffffb2ea4014b7e8 R08: 0000000000000106 R09: 000000000003d9c0\n R10: 0000000000000001 R11: ffffffffa39ff070 R12: ffff9e49d40590c8\n R13: 0000000000000000 R14: ffffb2ea4014b808 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff9e58b1e00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000000f0 CR3: 0000000418a3e001 CR4: 0000000000770ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n ? __die_body+0x6f/0xb0\n ? __die+0xcc/0xf0\n ? page_fault_oops+0x330/0x3a0\n ? save_trace+0x2a5/0x360\n ? do_user_addr_fault+0x583/0x630\n ? exc_page_fault+0x81/0x120\n ? asm_exc_page_fault+0x2b/0x30\n ? __sev_snp_shutdown_locked+0x2e/0x150\n __sev_firmware_shutdown+0x349/0x5b0\n ? pm_runtime_barrier+0x66/0xe0\n sev_dev_destroy+0x34/0xb0\n psp_dev_destroy+0x27/0x60\n sp_destroy+0x39/0x90\n sp_pci_remove+0x22/0x60\n pci_device_remove+0x4e/0x110\n really_probe+0x271/0x4e0\n __driver_probe_device+0x8f/0x160\n driver_probe_device+0x24/0x120\n __driver_attach+0xc7/0x280\n ? 
driver_attach+0x30/0x30\n bus_for_each_dev+0x10d/0x130\n driver_attach+0x22/0x30\n bus_add_driver+0x171/0x2b0\n ? unaccepted_memory_init_kdump+0x20/0x20\n driver_register+0x67/0x100\n __pci_register_driver+0x83/0x90\n sp_pci_init+0x22/0x30\n sp_mod_init+0x13/0x30\n do_one_initcall+0xb8/0x290\n ? sched_clock_noinstr+0xd/0x10\n ? local_clock_noinstr+0x3e/0x100\n ? stack_depot_save_flags+0x21e/0x6a0\n ? local_clock+0x1c/0x60\n ? stack_depot_save_flags+0x21e/0x6a0\n ? sched_clock_noinstr+0xd/0x10\n ? local_clock_noinstr+0x3e/0x100\n ? __lock_acquire+0xd90/0xe30\n ? sched_clock_noinstr+0xd/0x10\n ? local_clock_noinstr+0x3e/0x100\n ? __create_object+0x66/0x100\n ? local_clock+0x1c/0x60\n ? __create_object+0x66/0x100\n ? parameq+0x1b/0x90\n ? parse_one+0x6d/0x1d0\n ? parse_args+0xd7/0x1f0\n ? do_initcall_level+0x180/0x180\n do_initcall_level+0xb0/0x180\n do_initcalls+0x60/0xa0\n ? kernel_init+0x1f/0x1d0\n do_basic_setup+0x41/0x50\n kernel_init_freeable+0x1ac/0x230\n ? rest_init+0x1f0/0x1f0\n kernel_init+0x1f/0x1d0\n ? rest_init+0x1f0/0x1f0\n ret_from_fork+0x3d/0x50\n ? 
rest_init+0x1f0/0x1f0\n ret_from_fork_asm+0x11/0x20\n </TASK>\n Modules linked in:\n CR2: 00000000000000f0\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150\n Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83\n RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000\n RDX: 0000000\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:35.548Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bbf2c94503f6a421ed9b79e300d8085810da765d", }, { url: "https://git.kernel.org/stable/c/468e3295774d0edce15f4ae475913b5076dd4f40", }, ], title: "crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43874", datePublished: "2024-08-21T00:06:26.153Z", dateReserved: "2024-08-17T09:11:59.281Z", dateUpdated: "2024-12-19T09:17:35.548Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48867
Vulnerability from cvelistv5
Published
2024-08-21 06:09
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Prevent use after free on completion memory
On driver unload any pending descriptors are flushed at the
time the interrupt is freed:
idxd_dmaengine_drv_remove() ->
    drv_disable_wq() ->
        idxd_wq_free_irq() ->
            idxd_flush_pending_descs().
If there are any descriptors present that need to be flushed this
flow triggers a "not present" page fault as below:
BUG: unable to handle page fault for address: ff391c97c70c9040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
The address that triggers the fault is the address of the
descriptor that was freed moments earlier via:
drv_disable_wq()->idxd_wq_free_resources()
Fix the use after free by freeing the descriptors after any possible
usage. This is done after idxd_wq_reset() to ensure that the memory
remains accessible during possible completion writes by the device.
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48867", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:41.653435Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:54.768Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/dma/idxd/device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b9e8e3fcfec625fc1c2f68f684448aeeb882625b", status: "affected", version: "63c14ae6c161dec8ff3be49277edc75a769e054a", versionType: "git", }, { lessThan: "1beeec45f9ac31eba52478379f70a5fa9c2ad005", status: "affected", version: "63c14ae6c161dec8ff3be49277edc75a769e054a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/dma/idxd/device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Prevent use after free on completion memory\n\nOn driver unload any pending descriptors are flushed at the\ntime the interrupt is freed:\nidxd_dmaengine_drv_remove() ->\n\tdrv_disable_wq() ->\n\t\tidxd_wq_free_irq() ->\n\t\t\tidxd_flush_pending_descs().\n\nIf there are any descriptors present that need to be flushed this\nflow triggers a \"not 
present\" page fault as below:\n\n BUG: unable to handle page fault for address: ff391c97c70c9040\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n\nThe address that triggers the fault is the address of the\ndescriptor that was freed moments earlier via:\ndrv_disable_wq()->idxd_wq_free_resources()\n\nFix the use after free by freeing the descriptors after any possible\nusage. This is done after idxd_wq_reset() to ensure that the memory\nremains accessible during possible completion writes by the device.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:29.917Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b9e8e3fcfec625fc1c2f68f684448aeeb882625b", }, { url: "https://git.kernel.org/stable/c/1beeec45f9ac31eba52478379f70a5fa9c2ad005", }, ], title: "dmaengine: idxd: Prevent use after free on completion memory", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48867", datePublished: "2024-08-21T06:09:57.153Z", dateReserved: "2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:29.917Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52901
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Check endpoint is valid before dereferencing it
When the host controller is not responding, all URBs queued to all
endpoints need to be killed. This can cause a kernel panic if we
dereference an invalid endpoint.
Fix this by using xhci_get_virt_ep() helper to find the endpoint and
checking if the endpoint is valid before dereferencing it.
[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead
[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8
[233311.853964] pc : xhci_hc_died+0x10c/0x270
[233311.853971] lr : xhci_hc_died+0x1ac/0x270
[233311.854077] Call trace:
[233311.854085] xhci_hc_died+0x10c/0x270
[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4
[233311.854105] call_timer_fn+0x50/0x2d4
[233311.854112] expire_timers+0xac/0x2e4
[233311.854118] run_timer_softirq+0x300/0xabc
[233311.854127] __do_softirq+0x148/0x528
[233311.854135] irq_exit+0x194/0x1a8
[233311.854143] __handle_domain_irq+0x164/0x1d0
[233311.854149] gic_handle_irq.22273+0x10c/0x188
[233311.854156] el1_irq+0xfc/0x1a8
[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]
[233311.854185] cpuidle_enter_state+0x1f0/0x764
[233311.854194] do_idle+0x594/0x6ac
[233311.854201] cpu_startup_entry+0x7c/0x80
[233311.854209] secondary_start_kernel+0x170/0x198
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 50e8725e7c429701e530439013f9681e1fa36b5d
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52901", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:27.437210Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:14.673Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/usb/host/xhci-ring.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "375be2dd61a072f7b1cac9b17eea59e07b58db3a", status: "affected", version: "50e8725e7c429701e530439013f9681e1fa36b5d", versionType: "git", }, { lessThan: "2d2820d5f375563690c96e60676855205abfb7f5", status: "affected", version: "50e8725e7c429701e530439013f9681e1fa36b5d", versionType: "git", }, { lessThan: "9891e5c73cab3fd9ed532dc50e9799e55e974766", status: "affected", version: "50e8725e7c429701e530439013f9681e1fa36b5d", versionType: "git", }, { lessThan: "66fc1600855c05c4ba4e997184c91cf298e0405c", status: "affected", version: "50e8725e7c429701e530439013f9681e1fa36b5d", versionType: "git", }, { lessThan: "f39c813af0b64f44af94e435c07bfa1ddc2575f5", status: "affected", version: "50e8725e7c429701e530439013f9681e1fa36b5d", versionType: "git", }, { lessThan: "08864dc14a6803f0377ca77b9740b26db30c020f", status: "affected", version: "50e8725e7c429701e530439013f9681e1fa36b5d", versionType: "git", }, { lessThan: "e8fb5bc76eb86437ab87002d4a36d6da02165654", status: "affected", version: "50e8725e7c429701e530439013f9681e1fa36b5d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/usb/host/xhci-ring.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.15", }, 
{ lessThan: "3.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.304", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.271", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. 
This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085] xhci_hc_died+0x10c/0x270\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105] call_timer_fn+0x50/0x2d4\n[233311.854112] expire_timers+0xac/0x2e4\n[233311.854118] run_timer_softirq+0x300/0xabc\n[233311.854127] __do_softirq+0x148/0x528\n[233311.854135] irq_exit+0x194/0x1a8\n[233311.854143] __handle_domain_irq+0x164/0x1d0\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\n[233311.854156] el1_irq+0xfc/0x1a8\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\n[233311.854194] do_idle+0x594/0x6ac\n[233311.854201] cpu_startup_entry+0x7c/0x80\n[233311.854209] secondary_start_kernel+0x170/0x198", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:10.876Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a", }, { url: "https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5", }, { url: "https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766", }, { url: "https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c", }, { url: "https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5", }, { url: "https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f", }, { url: "https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654", }, ], title: "usb: xhci: Check 
endpoint is valid before dereferencing it", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52901", datePublished: "2024-08-21T06:10:41.640Z", dateReserved: "2024-08-21T06:07:11.014Z", dateUpdated: "2024-12-19T08:28:10.876Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52907
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()

Fix a use-after-free that occurs in hcd when in_urb sent from
pn533_usb_send_frame() is completed earlier than out_urb. Its callback
frees the skb data in pn533_send_async_complete() that is used as a
transfer buffer of out_urb. Wait before sending in_urb until the
callback of out_urb is called. To modify the callback of out_urb alone,
separate the complete function of out_urb and ack_urb.

Found by a modified version of syzkaller.

BUG: KASAN: use-after-free in dummy_timer
Call Trace:
  memcpy (mm/kasan/shadow.c:65)
  dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)
  transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)
  dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)
  arch_static_branch (arch/x86/include/asm/jump_label.h:27)
  static_key_false (include/linux/jump_label.h:207)
  timer_expire_exit (include/trace/events/timer.h:127)
  call_timer_fn (kernel/time/timer.c:1475)
  expire_timers (kernel/time/timer.c:1519)
  __run_timers (kernel/time/timer.c:1790)
  run_timer_softirq (kernel/time/timer.c:1803)
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c46ee38620a2aa2b25b16bc9738ace80dbff76a4
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52907", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:08.481823Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:13.576Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/nfc/pn533/usb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "35529d6b827eedb6bf7e81130e4b7e0aba9e58d2", status: "affected", version: "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", versionType: "git", }, { lessThan: "321db5131c92983dac4f3338e8fbb6df214238c0", status: "affected", version: "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", versionType: "git", }, { lessThan: "9424d2205fe94a095fb9365ec0c6137f0b394a2b", status: "affected", version: "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", versionType: "git", }, { lessThan: "0ca78c99656f5c448567db1e148367aa3b01c80a", status: "affected", version: "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", versionType: "git", }, { lessThan: "39ae73e581112cfe27ba50aecb1c891ce57cecb1", status: "affected", version: "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", versionType: "git", }, { lessThan: "8998db5021a28ad67aa8d627bdb4226e4046ccc4", status: "affected", version: "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", versionType: "git", }, { lessThan: "9dab880d675b9d0dd56c6428e4e8352a3339371d", status: "affected", version: "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/nfc/pn533/usb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.1", }, { 
lessThan: "3.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.164", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\n\nFix a use-after-free that occurs in hcd when in_urb sent from\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\nfrees the skb data in pn533_send_async_complete() that is used as a\ntransfer buffer of out_urb. Wait before sending in_urb until the\ncallback of out_urb is called. 
To modify the callback of out_urb alone,\nseparate the complete function of out_urb and ack_urb.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in dummy_timer\nCall Trace:\n memcpy (mm/kasan/shadow.c:65)\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\n static_key_false (include/linux/jump_label.h:207)\n timer_expire_exit (include/trace/events/timer.h:127)\n call_timer_fn (kernel/time/timer.c:1475)\n expire_timers (kernel/time/timer.c:1519)\n __run_timers (kernel/time/timer.c:1790)\n run_timer_softirq (kernel/time/timer.c:1803)", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:19.598Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/35529d6b827eedb6bf7e81130e4b7e0aba9e58d2", }, { url: "https://git.kernel.org/stable/c/321db5131c92983dac4f3338e8fbb6df214238c0", }, { url: "https://git.kernel.org/stable/c/9424d2205fe94a095fb9365ec0c6137f0b394a2b", }, { url: "https://git.kernel.org/stable/c/0ca78c99656f5c448567db1e148367aa3b01c80a", }, { url: "https://git.kernel.org/stable/c/39ae73e581112cfe27ba50aecb1c891ce57cecb1", }, { url: "https://git.kernel.org/stable/c/8998db5021a28ad67aa8d627bdb4226e4046ccc4", }, { url: "https://git.kernel.org/stable/c/9dab880d675b9d0dd56c6428e4e8352a3339371d", }, ], title: "nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52907", datePublished: "2024-08-21T06:10:48.171Z", dateReserved: "2024-08-21T06:07:11.015Z", dateUpdated: "2024-12-19T08:28:19.598Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48870
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

tty: fix possible null-ptr-defer in spk_ttyio_release

Run the following tests on the qemu platform:

syzkaller:~# modprobe speakup_audptr
  input: Speakup as /devices/virtual/input/input4
  initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
  speakup 3.1.6: initialized
  synth name on entry is: (null)
  synth probe

spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned
failed (errno -16), then remove the module, we will get a null-ptr-defer
problem, as follows:

syzkaller:~# modprobe -r speakup_audptr
  releasing synth audptr
  BUG: kernel NULL pointer dereference, address: 0000000000000080
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 0 P4D 0
  Oops: 0002 [#1] PREEMPT SMP PTI
  CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
  RIP: 0010:mutex_lock+0x14/0x30
  Call Trace:
  <TASK>
   spk_ttyio_release+0x19/0x70 [speakup]
   synth_release.part.6+0xac/0xc0 [speakup]
   synth_remove+0x56/0x60 [speakup]
   __x64_sys_delete_module+0x156/0x250
   ? fpregs_assert_state_consistent+0x1d/0x50
   do_syscall_64+0x37/0x90
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  </TASK>
  Modules linked in: speakup_audptr(-) speakup
  Dumping ftrace buffer:

in_synth->dev was not initialized during modprobe, so we add check
for in_synth->dev to fix this bug.
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48870", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:32.027830Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:54.375Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/accessibility/speakup/spk_ttyio.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2da67bff29ab49caafb0766e8b8383b735ff796f", status: "affected", version: "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", versionType: "git", }, { lessThan: "64152e05a4de3ebf59f1740a0985a6d5fba0c77b", status: "affected", version: "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", versionType: "git", }, { lessThan: "5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5", status: "affected", version: "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/accessibility/speakup/spk_ttyio.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.12", }, { lessThan: "5.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on 
the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n <TASK>\n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>\n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:33.340Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f", }, { url: "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b", }, { url: "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5", }, ], title: "tty: fix possible null-ptr-defer in spk_ttyio_release", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48870", datePublished: "2024-08-21T06:10:00.678Z", dateReserved: 
"2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:33.340Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48868
Vulnerability from cvelistv5
Published
2024-08-21 06:09
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Let probe fail when workqueue cannot be enabled

The workqueue is enabled when the appropriate driver is loaded and
disabled when the driver is removed. When the driver is removed it
assumes that the workqueue was enabled successfully and proceeds to
free allocations made during workqueue enabling.

Failure during workqueue enabling does not prevent the driver from
being loaded. This is because the error path within drv_enable_wq()
returns success unless a second failure is encountered
during the error path. By returning success it is possible to load
the driver even if the workqueue cannot be enabled and
allocations that do not exist are attempted to be freed during
driver remove.

Some examples of problematic flows:
(a)

  idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():
  In above flow, if idxd_wq_request_irq() fails then
  idxd_wq_unmap_portal() is called on error exit path, but
  drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The
  driver is thus loaded successfully.

  idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()
  Above flow on driver unload triggers the WARN in devm_iounmap() because
  the device resource has already been removed during error path of
  drv_enable_wq().

(b)

  idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():
  In above flow, if idxd_wq_request_irq() fails then
  idxd_wq_init_percpu_ref() is never called to initialize the percpu
  counter, yet the driver loads successfully because drv_enable_wq()
  returns 0.

  idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():
  Above flow on driver unload triggers a BUG when attempting to drop the
  initial ref of the uninitialized percpu ref:
  BUG: kernel NULL pointer dereference, address: 0000000000000010

Fix the drv_enable_wq() error path by returning the original error that
indicates failure of workqueue enabling. This ensures that the probe
fails when an error is encountered and the driver remove paths are only
attempted when the workqueue was enabled successfully.
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48868", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:38.503495Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:54.625Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/dma/idxd/device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0f150134dd795ffcd60b798a85ab737d8d010fb7", status: "affected", version: "1f2bb40337f0df1d9af80793e9fdacff7706e654", versionType: "git", }, { lessThan: "99dc4520b74e7ca8e9dc9abe37a0b10b49467960", status: "affected", version: "1f2bb40337f0df1d9af80793e9fdacff7706e654", versionType: "git", }, { lessThan: "b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f", status: "affected", version: "1f2bb40337f0df1d9af80793e9fdacff7706e654", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/dma/idxd/device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\n\nThe workqueue is enabled when the appropriate 
driver is loaded and\ndisabled when the driver is removed. When the driver is removed it\nassumes that the workqueue was enabled successfully and proceeds to\nfree allocations made during workqueue enabling.\n\nFailure during workqueue enabling does not prevent the driver from\nbeing loaded. This is because the error path within drv_enable_wq()\nreturns success unless a second failure is encountered\nduring the error path. By returning success it is possible to load\nthe driver even if the workqueue cannot be enabled and\nallocations that do not exist are attempted to be freed during\ndriver remove.\n\nSome examples of problematic flows:\n(a)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_unmap_portal() is called on error exit path, but\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\n driver is thus loaded successfully.\n\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\n Above flow on driver unload triggers the WARN in devm_iounmap() because\n the device resource has already been removed during error path of\n drv_enable_wq().\n\n(b)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\n counter, yet the driver loads successfully because drv_enable_wq()\n returns 0.\n\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\n Above flow on driver unload triggers a BUG when attempting to drop the\n initial ref of the uninitialized percpu ref:\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n\nFix the drv_enable_wq() error path by returning the original error that\nindicates failure of workqueue enabling. 
This ensures that the probe\nfails when an error is encountered and the driver remove paths are only\nattempted when the workqueue was enabled successfully.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:31.042Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0f150134dd795ffcd60b798a85ab737d8d010fb7", }, { url: "https://git.kernel.org/stable/c/99dc4520b74e7ca8e9dc9abe37a0b10b49467960", }, { url: "https://git.kernel.org/stable/c/b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f", }, ], title: "dmaengine: idxd: Let probe fail when workqueue cannot be enabled", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48868", datePublished: "2024-08-21T06:09:58.431Z", dateReserved: "2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:31.042Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48891
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:

regulator: da9211: Use irq handler when ready

If the system does not come from reset (like when it is kexec()), the
regulator might have an IRQ waiting for us.

If we enable the IRQ handler before its structures are ready, we crash.

This patch fixes:

[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078
[ 1.316096] Call trace:
[ 1.316101] blocking_notifier_call_chain+0x20/0xa8
[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests
[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c
[ 1.327825] da9211_irq_handler+0x68/0xf8
[ 1.327829] irq_thread+0x11c/0x234
[ 1.327833] kthread+0x13c/0x154
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48891", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:22.121781Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:06.401Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/regulator/da9211-regulator.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1c1afcb8839b91c09d211ea304faa269763b1f91", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f75cde714e0a67f73ef169aa50d4ed77d04f7236", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d443308edbfb6e9e757b478af908515110d1efd5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d4aa749e046435f054e94ebf50cad143d6229fae", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "470f6a9175f13a53810734658c35cc5bba33be01", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ad1336274f733a7cb1f87b5c5908165a2c14df53", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "02228f6aa6a64d588bc31e3267d05ff184d772eb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/regulator/da9211-regulator.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: 
"4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.164", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9211: Use irq handler when ready\n\nIf the system does not come from reset (like when it is kexec()), the\nregulator might have an IRQ waiting for us.\n\nIf we enable the IRQ handler before its structures are ready, we crash.\n\nThis patch fixes:\n\n[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\n[ 1.316096] Call trace:\n[ 1.316101] blocking_notifier_call_chain+0x20/0xa8\n[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\n[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c\n[ 1.327825] da9211_irq_handler+0x68/0xf8\n[ 1.327829] irq_thread+0x11c/0x234\n[ 1.327833] kthread+0x13c/0x154", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:58.226Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91", }, { url: "https://git.kernel.org/stable/c/f75cde714e0a67f73ef169aa50d4ed77d04f7236", }, { url: "https://git.kernel.org/stable/c/d443308edbfb6e9e757b478af908515110d1efd5", }, { url: "https://git.kernel.org/stable/c/d4aa749e046435f054e94ebf50cad143d6229fae", }, { url: 
"https://git.kernel.org/stable/c/470f6a9175f13a53810734658c35cc5bba33be01", }, { url: "https://git.kernel.org/stable/c/ad1336274f733a7cb1f87b5c5908165a2c14df53", }, { url: "https://git.kernel.org/stable/c/02228f6aa6a64d588bc31e3267d05ff184d772eb", }, ], title: "regulator: da9211: Use irq handler when ready", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48891", datePublished: "2024-08-21T06:10:23.318Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:09:58.226Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43862
Vulnerability from cvelistv5
Published
2024-08-20 23:45
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex

The carrier_lock spinlock protects the carrier detection. While it is
held, framer_get_status() is called which in turn takes a mutex.
This is not correct and can lead to a deadlock.

A run with PROVE_LOCKING enabled detected the issue:
  [ BUG: Invalid wait context ]
  ...
  c204ddbc (&framer->mutex){+.+.}-{3:3}, at: framer_get_status+0x40/0x78
  other info that might help us debug this:
  context-{4:4}
  2 locks held by ifconfig/146:
  #0: c0926a38 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x12c/0x664
  #1: c2006a40 (&qmc_hdlc->carrier_lock){....}-{2:2}, at: qmc_hdlc_framer_set_carrier+0x30/0x98

Avoid the spinlock usage and convert carrier_lock to a mutex.
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43862", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:49.152851Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:19.773Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wan/fsl_qmc_hdlc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f223d2b4acb7a45a6e0581cb380e1af1a6dc7ab9", status: "affected", version: "54762918ca856028d33d1d56d017a4d7706c6196", versionType: "git", }, { lessThan: "c4d6a347ba7babdf9d90a0eb24048c266cae0532", status: "affected", version: "54762918ca856028d33d1d56d017a4d7706c6196", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wan/fsl_qmc_hdlc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex\n\nThe carrier_lock spinlock protects the carrier detection. 
While it is\nheld, framer_get_status() is called which in turn takes a mutex.\nThis is not correct and can lead to a deadlock.\n\nA run with PROVE_LOCKING enabled detected the issue:\n [ BUG: Invalid wait context ]\n ...\n c204ddbc (&framer->mutex){+.+.}-{3:3}, at: framer_get_status+0x40/0x78\n other info that might help us debug this:\n context-{4:4}\n 2 locks held by ifconfig/146:\n #0: c0926a38 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x12c/0x664\n #1: c2006a40 (&qmc_hdlc->carrier_lock){....}-{2:2}, at: qmc_hdlc_framer_set_carrier+0x30/0x98\n\nAvoid the spinlock usage and convert carrier_lock to a mutex.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:21.595Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f223d2b4acb7a45a6e0581cb380e1af1a6dc7ab9", }, { url: "https://git.kernel.org/stable/c/c4d6a347ba7babdf9d90a0eb24048c266cae0532", }, ], title: "net: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43862", datePublished: "2024-08-20T23:45:26.643Z", dateReserved: "2024-08-17T09:11:59.279Z", dateUpdated: "2024-12-19T09:17:21.595Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43879
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
Currently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in
cfg80211_calculate_bitrate_he(), leading to below warning:
kernel: invalid HE MCS: bw:6, ru:6
kernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]
Fix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c4cbaf7973a794839af080f13748335976cf3f3f
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43879", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:54.386411Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:17.515Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/wireless/util.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "45d20a1c54be4f3173862c7b950d4468447814c9", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, { lessThan: "b289ebb0516526cb4abae081b7ec29fd4fa1209d", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, { lessThan: "2e201b3d162c6c49417c438ffb30b58c9f85769f", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, { lessThan: "576c64622649f3ec07e97bac8fec8b8a2ef4d086", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, { lessThan: "16ad67e73309db0c20cc2a651992bd01c05e6b27", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, { lessThan: "67b5f1054197e4f5553047759c15c1d67d4c8142", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, { lessThan: "19eaf4f2f5a981f55a265242ada2bf92b0c742dd", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, { lessThan: "bcbd771cd5d68c0c52567556097d75f9fc4e7cd6", status: "affected", version: "c4cbaf7973a794839af080f13748335976cf3f3f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/wireless/util.c", ], repo: 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.19", }, { lessThan: "4.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.320", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.282", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.224", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.103", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\n\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\ncfg80211_calculate_bitrate_he(), leading to below warning:\n\nkernel: invalid HE MCS: bw:6, ru:6\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\n\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:41.696Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/45d20a1c54be4f3173862c7b950d4468447814c9", }, { url: "https://git.kernel.org/stable/c/b289ebb0516526cb4abae081b7ec29fd4fa1209d", }, { url: "https://git.kernel.org/stable/c/2e201b3d162c6c49417c438ffb30b58c9f85769f", }, { url: 
"https://git.kernel.org/stable/c/576c64622649f3ec07e97bac8fec8b8a2ef4d086", }, { url: "https://git.kernel.org/stable/c/16ad67e73309db0c20cc2a651992bd01c05e6b27", }, { url: "https://git.kernel.org/stable/c/67b5f1054197e4f5553047759c15c1d67d4c8142", }, { url: "https://git.kernel.org/stable/c/19eaf4f2f5a981f55a265242ada2bf92b0c742dd", }, { url: "https://git.kernel.org/stable/c/bcbd771cd5d68c0c52567556097d75f9fc4e7cd6", }, ], title: "wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43879", datePublished: "2024-08-21T00:06:31.488Z", dateReserved: "2024-08-17T09:11:59.286Z", dateUpdated: "2024-12-19T09:17:41.696Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52899
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
Add exception protection processing for vd in axi_chan_handle_err function
Since there is no protection for vd, a kernel panic will be
triggered here in exceptional cases.
You can refer to the processing of axi_chan_block_xfer_complete function
The triggered kernel panic is as follows:
[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
[ 67.848447] Mem abort info:
[ 67.848449] ESR = 0x96000004
[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits
[ 67.848454] SET = 0, FnV = 0
[ 67.848456] EA = 0, S1PTW = 0
[ 67.848458] Data abort info:
[ 67.848460] ISV = 0, ISS = 0x00000004
[ 67.848462] CM = 0, WnR = 0
[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
[ 67.848472] Internal error: Oops: 96000004 [#1] SMP
[ 67.848475] Modules linked in: dmatest
[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230
[ 67.848491] lr : axi_chan_handle_err+0x30/0x230
[ 67.848493] sp : ffff0803fe55ae50
[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850
[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000
[ 67.848512] x21: 0000000000000080 x20: 0000000000002000
[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000
[ 67.848521] x17: 0000000000000000 x16: 0000000000000000
[ 67.848525] x15: 0000000000000000 x14: 0000000000000000
[ 67.848529] x13: 0000000000000000 x12: 0000000000000040
[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a
[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
[ 67.848550] x3 : dead000000000100 x2 : dead000000000122
[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
[ 67.848559] Call trace:
[ 67.848562] axi_chan_handle_err+0xc4/0x230
[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590
[ 67.848569] __handle_irq_event_percpu+0x60/0x220
[ 67.848573] handle_irq_event+0x64/0x120
[ 67.848576] handle_fasteoi_irq+0xc4/0x220
[ 67.848580] __handle_domain_irq+0x80/0xe0
[ 67.848583] gic_handle_irq+0xc0/0x138
[ 67.848585] el1_irq+0xc8/0x180
[ 67.848588] arch_cpu_idle+0x14/0x2c
[ 67.848591] default_idle_call+0x40/0x16c
[ 67.848594] do_idle+0x1f0/0x250
[ 67.848597] cpu_startup_entry+0x2c/0x60
[ 67.848600] rest_init+0xc0/0xcc
[ 67.848603] arch_call_rest_init+0x14/0x1c
[ 67.848606] start_kernel+0x4cc/0x500
[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
[ 67.848613] ---[ end trace 585a97036f88203a ]---
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52899", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:34.135190Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:16.116Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f534dc438828cc3f1f8c6895b8bdfbef079521fb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "53dd833fd0a2d8f0118d01ea063a70652689d31e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "20d0a6d17e85a8a816a64fa7d7cae616f1617833", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5054d001ffaf76155637c5e5b922c11016cd6a5d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "51a7ad5b60efac65691729d10745c28fa1016b96", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "57054fe516d59d03a7bcf1888e82479ccc244f87", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.271", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: 
"5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 67.848447] Mem abort info:\n[ 67.848449] ESR = 0x96000004\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 67.848454] SET = 0, FnV = 0\n[ 67.848456] EA = 0, S1PTW = 0\n[ 67.848458] Data abort info:\n[ 67.848460] ISV = 0, ISS = 0x00000004\n[ 67.848462] CM = 0, WnR = 0\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\n[ 67.848475] Modules linked in: dmatest\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\n[ 67.848493] sp : ffff0803fe55ae50\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[ 67.848512] 
x21: 0000000000000080 x20: 0000000000002000\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\n[ 67.848529] x13: 0000000000000000 x12: 0000000000000040\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[ 67.848559] Call trace:\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\n[ 67.848573] handle_irq_event+0x64/0x120\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\n[ 67.848580] __handle_domain_irq+0x80/0xe0\n[ 67.848583] gic_handle_irq+0xc0/0x138\n[ 67.848585] el1_irq+0xc8/0x180\n[ 67.848588] arch_cpu_idle+0x14/0x2c\n[ 67.848591] default_idle_call+0x40/0x16c\n[ 67.848594] do_idle+0x1f0/0x250\n[ 67.848597] cpu_startup_entry+0x2c/0x60\n[ 67.848600] rest_init+0xc0/0xcc\n[ 67.848603] arch_call_rest_init+0x14/0x1c\n[ 67.848606] start_kernel+0x4cc/0x500\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[ 67.848613] ---[ end trace 585a97036f88203a ]---", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:08.427Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb", }, { url: "https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e", }, { url: "https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833", }, { url: "https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d", }, { url: "https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96", }, { url: 
"https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87", }, ], title: "Add exception protection processing for vd in axi_chan_handle_err function", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52899", datePublished: "2024-08-21T06:10:39.438Z", dateReserved: "2024-08-21T06:07:11.014Z", dateUpdated: "2024-12-19T08:28:08.427Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52900
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix general protection fault in nilfs_btree_insert()
If nilfs2 reads a corrupted disk image and tries to read a b-tree node
block by calling __nilfs_btree_get_block() against an invalid virtual
block address, it returns -ENOENT because conversion of the virtual block
address to a disk block address fails. However, this return value is the
same as the internal code that b-tree lookup routines return to indicate
that the block being searched does not exist, so functions that operate on
that b-tree may misbehave.
When nilfs_btree_insert() receives this spurious 'not found' code from
nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
successful and continues the insert operation using incomplete lookup path
data, causing the following crash:
general protection fault, probably for non-canonical address
0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
...
RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c
28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
...
Call Trace:
<TASK>
nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
__block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
__block_write_begin fs/buffer.c:2041 [inline]
block_write_begin+0x93/0x1e0 fs/buffer.c:2102
nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
call_write_iter include/linux/fs.h:2186 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7dc/0xc50 fs/read_write.c:584
ksys_write+0x177/0x2a0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
...
</TASK>
This patch fixes the root cause of this problem by replacing the error
code that __nilfs_btree_get_block() returns on block address conversion
failure from -ENOENT to another internal code -EINVAL which means that the
b-tree metadata is corrupted.
By returning -EINVAL, it propagates without glitches, and for all relevant
b-tree operations, functions in the upper bmap layer output an error
message indicating corrupted b-tree metadata via
nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
it should be.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52900", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:31.052227Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:15.051Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nilfs2/btree.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3c2a2ff67d46106715c2132021b98bd057c27545", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d9fde9eab1766170ff2ade67d09178d2cfd78749", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b0ba060d3287108eba17603bee3810e4cf2c272d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "712bd74eccb9d3626a0a236641962eca8e11a243", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "45627a1a6450662e1e0f8174ef07b05710a20062", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0bf463939c09e5b2c35c71ed74a5fd60a74d6a04", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7633355e5c7f29c049a9048e461427d1d8ed3051", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nilfs2/btree.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.14.*", status: "unaffected", version: 
"4.14.304", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.271", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails. 
However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n <TASK>\n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n __block_write_begin fs/buffer.c:2041 [inline]\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n 
</TASK>\n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:09.639Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545", }, { url: "https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749", }, { url: "https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d", }, { url: "https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243", }, { url: "https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062", }, { url: "https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04", }, { url: "https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051", }, ], title: "nilfs2: fix general protection fault in nilfs_btree_insert()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52900", datePublished: "2024-08-21T06:10:40.533Z", dateReserved: "2024-08-21T06:07:11.014Z", dateUpdated: "2024-12-19T08:28:09.639Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52911
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: another fix for the headless Adreno GPU
Fix another oops reproducible when rebooting the board with the Adreno
GPU working in the headless mode (e.g. iMX platforms).
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] ARM
CPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11
Hardware name: Freescale i.MX53 (Device Tree Support)
PC is at msm_atomic_commit_tail+0x50/0x970
LR is at commit_tail+0x9c/0x188
pc : [<c06aa430>] lr : [<c067a214>] psr: 600e0013
sp : e0851d30 ip : ee4eb7eb fp : 00090acc
r10: 00000058 r9 : c2193014 r8 : c4310000
r7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000
r3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 74910019 DAC: 00000051
Register r0 information: NULL pointer
Register r1 information: NULL pointer
Register r2 information: NULL pointer
Register r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024
Register r4 information: NULL pointer
Register r5 information: NULL pointer
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128
Register r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-paged memory
Register r11 information: non-paged memory
Register r12 information: non-paged memory
Process reboot (pid: 51, stack limit = 0xc80046d9)
Stack: (0xe0851d30 to 0xe0852000)
1d20: c4759380 fbd77200 000005ff 002b9c70
1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058
1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c
1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468
1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810
1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00
1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8
1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854
1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000
1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60
1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4
1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000
1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058
1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028
1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc
1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000
msm_atomic_commit_tail from commit_tail+0x9c/0x188
commit_tail from drm_atomic_helper_commit+0x160/0x188
drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0
drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0
drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140
drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240
device_shutdown from kernel_restart+0x38/0x90
kernel_restart from __do_sys_reboot+0x
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52911", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T15:34:48.964677Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:03.382Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/msm/msm_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b107b08c41b3076a508113fbaaffe15ce1fe7f65", status: "affected", version: "0a58d2ae572adaec8d046f8d35b40c2c32ac7468", versionType: "git", }, { lessThan: "00dd060ab3cf95ca6ede7853bc14397014971b5e", status: "affected", version: "0a58d2ae572adaec8d046f8d35b40c2c32ac7468", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/msm/msm_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: another fix for the headless Adreno GPU\n\nFix another oops reproducible when rebooting the board with the Adreno\nGPU working in the headless mode (e.g. 
iMX platforms).\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\nInternal error: Oops: 17 [#1] ARM\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\nHardware name: Freescale i.MX53 (Device Tree Support)\nPC is at msm_atomic_commit_tail+0x50/0x970\nLR is at commit_tail+0x9c/0x188\npc : [<c06aa430>] lr : [<c067a214>] psr: 600e0013\nsp : e0851d30 ip : ee4eb7eb fp : 00090acc\nr10: 00000058 r9 : c2193014 r8 : c4310000\nr7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000\nr3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000\nFlags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\nControl: 10c5387d Table: 74910019 DAC: 00000051\nRegister r0 information: NULL pointer\nRegister r1 information: NULL pointer\nRegister r2 information: NULL pointer\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\nRegister r4 information: NULL pointer\nRegister r5 information: NULL pointer\nRegister r6 information: non-paged memory\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\nRegister r9 information: non-slab/vmalloc memory\nRegister r10 information: non-paged memory\nRegister r11 information: non-paged memory\nRegister r12 information: non-paged memory\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\nStack: (0xe0851d30 to 0xe0852000)\n1d20: c4759380 fbd77200 000005ff 002b9c70\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\n1de0: c4759380 c067ad20 c4310000 00000000 
c44cc810 c27f8718 c44cc854 c067adb8\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\n commit_tail from drm_atomic_helper_commit+0x160/0x188\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\n device_shutdown from kernel_restart+0x38/0x90\n kernel_restart from __do_sys_reboot+0x\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:24.187Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: 
"https://git.kernel.org/stable/c/b107b08c41b3076a508113fbaaffe15ce1fe7f65", }, { url: "https://git.kernel.org/stable/c/00dd060ab3cf95ca6ede7853bc14397014971b5e", }, ], title: "drm/msm: another fix for the headless Adreno GPU", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52911", datePublished: "2024-08-21T06:10:52.403Z", dateReserved: "2024-08-21T06:07:11.016Z", dateUpdated: "2024-12-19T08:28:24.187Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43873
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost/vsock: always initialize seqpacket_allow
There are two issues around seqpacket_allow:
1. seqpacket_allow is not initialized when socket is
created. Thus if features are never set, it will be
read uninitialized.
2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,
then seqpacket_allow will not be cleared appropriately
(existing apps I know about don't usually do this but
it's legal and there's no way to be sure no one relies
on this).
To fix:
- initialize seqpacket_allow after allocation
- set it unconditionally in set_features
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: ced7b713711fdd8f99d8d04dc53451441d194c60 Version: ced7b713711fdd8f99d8d04dc53451441d194c60 Version: ced7b713711fdd8f99d8d04dc53451441d194c60 Version: ced7b713711fdd8f99d8d04dc53451441d194c60 Version: ced7b713711fdd8f99d8d04dc53451441d194c60
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43873", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:13.431243Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:18.350Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/vhost/vsock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ea558f10fb05a6503c6e655a1b7d81fdf8e5924c", status: "affected", version: "ced7b713711fdd8f99d8d04dc53451441d194c60", versionType: "git", }, { lessThan: "3062cb100787a9ddf45de30004b962035cd497fb", status: "affected", version: "ced7b713711fdd8f99d8d04dc53451441d194c60", versionType: "git", }, { lessThan: "30bd4593669443ac58515e23557dc8cef70d8582", status: "affected", version: "ced7b713711fdd8f99d8d04dc53451441d194c60", versionType: "git", }, { lessThan: "eab96e8716cbfc2834b54f71cc9501ad4eec963b", status: "affected", version: "ced7b713711fdd8f99d8d04dc53451441d194c60", versionType: "git", }, { lessThan: "1e1fdcbdde3b7663e5d8faeb2245b9b151417d22", status: "affected", version: "ced7b713711fdd8f99d8d04dc53451441d194c60", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/vhost/vsock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.103", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: 
"unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: always initialize seqpacket_allow\n\nThere are two issues around seqpacket_allow:\n1. seqpacket_allow is not initialized when socket is\n created. Thus if features are never set, it will be\n read uninitialized.\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\n then seqpacket_allow will not be cleared appropriately\n (existing apps I know about don't usually do this but\n it's legal and there's no way to be sure no one relies\n on this).\n\nTo fix:\n\t- initialize seqpacket_allow after allocation\n\t- set it unconditionally in set_features", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:34.388Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c", }, { url: "https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb", }, { url: "https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582", }, { url: "https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b", }, { url: "https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22", }, ], title: "vhost/vsock: always initialize seqpacket_allow", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43873", datePublished: "2024-08-21T00:06:25.114Z", dateReserved: "2024-08-17T09:11:59.281Z", dateUpdated: "2024-12-19T09:17:34.388Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52898
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
xhci: Fix null pointer dereference when host dies
Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race
and cause null pointer dereference when host suddenly dies.
Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id]
virt device at the same time that xhci_kill_endpoint_urbs() tries to
loop through all the device's endpoints, checking if there are any
cancelled urbs left to give back.
hold the xhci spinlock while freeing the virt device
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52898", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:37.248352Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:16.551Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/usb/host/xhci.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "133b902378e4acbd824c29dd0d48570ad596e368", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "081105213ff6f661c114781d469233c7d0e09c2e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c462ac871f49753eca86bb960f573b993976a5ea", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ea2ee5e9991caf74e0604f994c1831a5867055b2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a2bc47c43e70cf904b1af49f76d572326c08bca7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/usb/host/xhci.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.271", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { 
lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device's endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:07.233Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1", }, { url: "https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368", }, { url: "https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e", }, { url: "https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea", }, { url: "https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2", }, { url: "https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7", }, ], title: "xhci: Fix null pointer dereference when host dies", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52898", datePublished: "2024-08-21T06:10:38.365Z", dateReserved: "2024-08-21T06:07:11.014Z", 
dateUpdated: "2024-12-19T08:28:07.233Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52906
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_mpls: Fix warning during failed attribute validation
The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a
validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid
combination according to the comment above 'struct nla_policy':
"
Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
NLA_BINARY Validation function called for the attribute.
All other Unused - but note that it's a union
"
This can trigger the warning [1] in nla_get_range_unsigned() when
validation of the attribute fails. Despite being of 'NLA_U32' type, the
associated 'min'/'max' fields in the policy are negative as they are
aliased by the 'validate' field.
Fix by changing the attribute type to 'NLA_BINARY' which is consistent
with the above comment and all other users of NLA_POLICY_VALIDATE_FN().
As a result, move the length validation to the validation function.
No regressions in MPLS tests:
# ./tdc.py -f tc-tests/actions/mpls.json
[...]
# echo $?
0
[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[...]
Call Trace:
<TASK>
__netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x38f/0x500 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmsg+0x197/0x230 net/socket.c:2565
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 2a2ea50870baa3fb4de0872c5b60828138654ca7 Version: 2a2ea50870baa3fb4de0872c5b60828138654ca7 Version: 2a2ea50870baa3fb4de0872c5b60828138654ca7 Version: 2a2ea50870baa3fb4de0872c5b60828138654ca7 Version: 2a2ea50870baa3fb4de0872c5b60828138654ca7
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52906", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:11.641593Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:13.683Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/sched/act_mpls.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2b157c3c5d6b8ddca48d53c9e662032f65af8d61", status: "affected", version: "2a2ea50870baa3fb4de0872c5b60828138654ca7", versionType: "git", }, { lessThan: "453277feb41c2235cf2c0de9209eef962c401457", status: "affected", version: "2a2ea50870baa3fb4de0872c5b60828138654ca7", versionType: "git", }, { lessThan: "9e2c38827cdc6fdd3bb375c8607fc04d289756f9", status: "affected", version: "2a2ea50870baa3fb4de0872c5b60828138654ca7", versionType: "git", }, { lessThan: "8a97b544b98e44f596219ebb290fd2ba2fd5d644", status: "affected", version: "2a2ea50870baa3fb4de0872c5b60828138654ca7", versionType: "git", }, { lessThan: "9e17f99220d111ea031b44153fdfe364b0024ff2", status: "affected", version: "2a2ea50870baa3fb4de0872c5b60828138654ca7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/sched/act_mpls.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.3", }, { lessThan: "5.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.164", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: 
"unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mpls: Fix warning during failed attribute validation\n\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\ncombination according to the comment above 'struct nla_policy':\n\n\"\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\n NLA_BINARY Validation function called for the attribute.\n All other Unused - but note that it's a union\n\"\n\nThis can trigger the warning [1] in nla_get_range_unsigned() when\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\nassociated 'min'/'max' fields in the policy are negative as they are\naliased by the 'validate' field.\n\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\nAs a result, move the length validation to the validation function.\n\nNo regressions in MPLS tests:\n\n # ./tdc.py -f tc-tests/actions/mpls.json\n [...]\n # echo $?\n 0\n\n[1]\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\nModules linked in:\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\n[...]\nCall Trace:\n <TASK>\n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\n 
netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\n ___sys_sendmsg net/socket.c:2536 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:18.439Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61", }, { url: "https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457", }, { url: "https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9", }, { url: "https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644", }, { url: "https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2", }, ], title: "net/sched: act_mpls: Fix warning during failed attribute validation", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52906", datePublished: "2024-08-21T06:10:47.121Z", dateReserved: "2024-08-21T06:07:11.015Z", dateUpdated: "2024-12-19T08:28:18.439Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52905
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix resource leakage in VF driver unbind
resources allocated like mcam entries to support the Ntuple feature
and hash tables for the tc feature are not getting freed in driver
unbind. This patch fixes the issue.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52905", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:14.828340Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:13.804Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c8ca0ad10df08ea36bcac1288062d567d22604c9", status: "affected", version: "2da48943274712fc3204089d9a97078350765635", versionType: "git", }, { lessThan: "53da7aec32982f5ee775b69dce06d63992ce4af3", status: "affected", version: "2da48943274712fc3204089d9a97078350765635", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix resource leakage in VF driver unbind\n\nresources allocated like mcam entries to support the Ntuple feature\nand hash tables for the tc feature are not getting freed in driver\nunbind. 
This patch fixes the issue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:17.145Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c8ca0ad10df08ea36bcac1288062d567d22604c9", }, { url: "https://git.kernel.org/stable/c/53da7aec32982f5ee775b69dce06d63992ce4af3", }, ], title: "octeontx2-pf: Fix resource leakage in VF driver unbind", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52905", datePublished: "2024-08-21T06:10:46.057Z", dateReserved: "2024-08-21T06:07:11.015Z", dateUpdated: "2024-12-19T08:28:17.145Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48883
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent
A user is able to configure an arbitrary number of rx queues when
creating an interface via netlink. This doesn't work for child PKEY
interfaces because the child interface uses the parent receive channels.
Although the child shares the parent's receive channels, the number of
rx queues is important for the channel_stats array: the parent's rx
channel index is used to access the child's channel_stats. So the array
has to be at least as large as the parent's rx queue size for the
counting to work correctly and to prevent out of bound accesses.
This patch checks for the mentioned scenario and returns an error when
trying to create the interface. The error is propagated to the user.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48883", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:49.165689Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:52.439Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib_vlan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5844a46f09f768da866d6b0ffbf1a9073266bf24", status: "affected", version: "be98737a4faa3a0dc1781ced5bbf5c47865e29d7", versionType: "git", }, { lessThan: "31c70bfe58ef09fe36327ddcced9143a16e9e83d", status: "affected", version: "be98737a4faa3a0dc1781ced5bbf5c47865e29d7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib_vlan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent\n\nA user is able to configure an arbitrary number of rx queues when\ncreating an interface via netlink. 
This doesn't work for child PKEY\ninterfaces because the child interface uses the parent receive channels.\n\nAlthough the child shares the parent's receive channels, the number of\nrx queues is important for the channel_stats array: the parent's rx\nchannel index is used to access the child's channel_stats. So the array\nhas to be at least as large as the parent's rx queue size for the\ncounting to work correctly and to prevent out of bound accesses.\n\nThis patch checks for the mentioned scenario and returns an error when\ntrying to create the interface. The error is propagated to the user.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:48.337Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5844a46f09f768da866d6b0ffbf1a9073266bf24", }, { url: "https://git.kernel.org/stable/c/31c70bfe58ef09fe36327ddcced9143a16e9e83d", }, ], title: "net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48883", datePublished: "2024-08-21T06:10:14.763Z", dateReserved: "2024-07-16T11:38:08.924Z", dateUpdated: "2024-12-19T08:09:48.337Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52897
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: do not warn on record without old_roots populated
[BUG]
There are some reports from the mailing list that since v6.1 kernel, the
WARN_ON() inside btrfs_qgroup_account_extent() gets triggered during
rescan:
WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
CPU: 3 PID: 6424 Comm: snapperd Tainted: P OE 6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7
RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
Call Trace:
<TASK>
btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
? __rseq_handle_notify_resume+0xa9/0x4a0
? mntput_no_expire+0x4a/0x240
? __seccomp_filter+0x319/0x4d0
__x64_sys_ioctl+0x90/0xd0
do_syscall_64+0x5b/0x80
? syscall_exit_to_user_mode+0x17/0x40
? do_syscall_64+0x67/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd9b790d9bf
</TASK>
[CAUSE]
Since commit e15e9f43c7ca ("btrfs: introduce
BTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting"), if
our qgroup is already in inconsistent state, we will no longer do the
time-consuming backref walk.
This can leave some qgroup records without a valid old_roots ulist.
Normally this is fine, as btrfs_qgroup_account_extents() would also skip
those records if we have NO_ACCOUNTING flag set.
But there is a small window, if we have NO_ACCOUNTING flag set, and
inserted some qgroup_record without an old_roots ulist, but then the user
triggered a qgroup rescan.
During btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then
commit current transaction.
And since we have a qgroup_record with old_roots = NULL, we trigger the
WARN_ON() during btrfs_qgroup_account_extents().
[FIX]
Unfortunately due to the introduction of NO_ACCOUNTING flag, the
assumption that every qgroup_record would have its old_roots populated
is no longer correct.
Fix the false alerts and drop the WARN_ON().
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52897", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:40.621800Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:12.687Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/qgroup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bb2c2e62539f2b63c5e0beb51501d328260c7595", status: "affected", version: "e15e9f43c7ca25603fcf4c20d44ec777726f1034", versionType: "git", }, { lessThan: "75181406b4eafacc531ff2ee5fb032bd93317e2b", status: "affected", version: "e15e9f43c7ca25603fcf4c20d44ec777726f1034", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/qgroup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: do not warn on record without old_roots populated\n\n[BUG]\nThere are some reports from the mailing list that since v6.1 kernel, the\nWARN_ON() inside btrfs_qgroup_account_extent() gets triggered during\nrescan:\n\n WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]\n CPU: 3 PID: 6424 Comm: snapperd Tainted: P OE 
6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7\n RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]\n Call Trace:\n <TASK>\n btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n ? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n ? __rseq_handle_notify_resume+0xa9/0x4a0\n ? mntput_no_expire+0x4a/0x240\n ? __seccomp_filter+0x319/0x4d0\n __x64_sys_ioctl+0x90/0xd0\n do_syscall_64+0x5b/0x80\n ? syscall_exit_to_user_mode+0x17/0x40\n ? do_syscall_64+0x67/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7fd9b790d9bf\n </TASK>\n\n[CAUSE]\nSince commit e15e9f43c7ca (\"btrfs: introduce\nBTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting\"), if\nour qgroup is already in inconsistent state, we will no longer do the\ntime-consuming backref walk.\n\nThis can leave some qgroup records without a valid old_roots ulist.\nNormally this is fine, as btrfs_qgroup_account_extents() would also skip\nthose records if we have NO_ACCOUNTING flag set.\n\nBut there is a small window, if we have NO_ACCOUNTING flag set, and\ninserted some qgroup_record without a old_roots ulist, but then the user\ntriggered a qgroup rescan.\n\nDuring btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then\ncommit current transaction.\n\nAnd since we have a qgroup_record with old_roots = NULL, we trigger the\nWARN_ON() during btrfs_qgroup_account_extents().\n\n[FIX]\nUnfortunately due to the introduction of NO_ACCOUNTING flag, the\nassumption that every qgroup_record would have its old_roots populated\nis no longer correct.\n\nFix the false alerts and drop the WARN_ON().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:05.995Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, 
references: [ { url: "https://git.kernel.org/stable/c/bb2c2e62539f2b63c5e0beb51501d328260c7595", }, { url: "https://git.kernel.org/stable/c/75181406b4eafacc531ff2ee5fb032bd93317e2b", }, ], title: "btrfs: qgroup: do not warn on record without old_roots populated", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52897", datePublished: "2024-08-21T06:10:37.316Z", dateReserved: "2024-08-21T06:07:11.014Z", dateUpdated: "2024-12-19T08:28:05.995Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48888
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path
of_icc_get() allocates resources for path1; we should release them when they
are no longer needed. An early return when IS_ERR_OR_NULL(path0) may leak path1.
Defer getting path1 to fix this.
Patchwork: https://patchwork.freedesktop.org/patch/514264/
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48888", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:32.201976Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:55.428Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/msm/msm_mdss.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c6fa1de83fd87267ab24359e6fa52f98f5cee3f9", status: "affected", version: "b9364eed9232f3d2a846f68c2307eb25c93cc2d0", versionType: "git", }, { lessThan: "45dac1352b55b1d8cb17f218936b2bc2bc1fb4ee", status: "affected", version: "b9364eed9232f3d2a846f68c2307eb25c93cc2d0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/msm/msm_mdss.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path\n\nof_icc_get() alloc resources for path1, we should release it when not\nneed anymore. 
Early return when IS_ERR_OR_NULL(path0) may leak path1.\nDefer getting path1 to fix this.\n\nPatchwork: https://patchwork.freedesktop.org/patch/514264/", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:53.931Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c6fa1de83fd87267ab24359e6fa52f98f5cee3f9", }, { url: "https://git.kernel.org/stable/c/45dac1352b55b1d8cb17f218936b2bc2bc1fb4ee", }, ], title: "drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48888", datePublished: "2024-08-21T06:10:20.129Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:09:53.931Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48879
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: fix NULL-deref in init error path
In cases where runtime services are not supported or have been disabled,
the runtime services workqueue will never have been allocated.
Do not try to destroy the workqueue unconditionally in the unlikely
event that EFI initialisation fails to avoid dereferencing a NULL
pointer.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 2ff3c97b47521d6700cc6485c7935908dcd2c27c Version: 5167f194da6947e19a3e970485ee3ccb44f7958d Version: 98086df8b70c06234a8f4290c46064e44dafa0ed Version: 98086df8b70c06234a8f4290c46064e44dafa0ed Version: 98086df8b70c06234a8f4290c46064e44dafa0ed Version: 98086df8b70c06234a8f4290c46064e44dafa0ed
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48879", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:03.005794Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:51.607Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/firmware/efi/efi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "585a0b2b3ae7903c6abee3087d09c69e955a7794", status: "affected", version: "2ff3c97b47521d6700cc6485c7935908dcd2c27c", versionType: "git", }, { lessThan: "5fcf75a8a4c3e7ee9122d143684083c9faf20452", status: "affected", version: "5167f194da6947e19a3e970485ee3ccb44f7958d", versionType: "git", }, { lessThan: "4ca71bc0e1995d15486cd7b60845602a28399cb5", status: "affected", version: "98086df8b70c06234a8f4290c46064e44dafa0ed", versionType: "git", }, { lessThan: "e2ea55564229e4bea1474af15b111b3a3043b76f", status: "affected", version: "98086df8b70c06234a8f4290c46064e44dafa0ed", versionType: "git", }, { lessThan: "adc96d30f6503d30dc68670c013716f1d9fcc747", status: "affected", version: "98086df8b70c06234a8f4290c46064e44dafa0ed", versionType: "git", }, { lessThan: "703c13fe3c9af557d312f5895ed6a5fda2711104", status: "affected", version: "98086df8b70c06234a8f4290c46064e44dafa0ed", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/firmware/efi/efi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.9", }, { lessThan: "5.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", 
versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.164", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix NULL-deref in init error path\n\nIn cases where runtime services are not supported or have been disabled,\nthe runtime services workqueue will never have been allocated.\n\nDo not try to destroy the workqueue unconditionally in the unlikely\nevent that EFI initialisation fails to avoid dereferencing a NULL\npointer.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:43.594Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794", }, { url: "https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452", }, { url: "https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5", }, { url: "https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f", }, { url: "https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747", }, { url: "https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104", }, ], title: "efi: fix NULL-deref in init error path", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48879", datePublished: "2024-08-21T06:10:10.454Z", dateReserved: "2024-07-16T11:38:08.923Z", dateUpdated: "2024-12-19T08:09:43.594Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48872
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix use-after-free race condition for maps
It is possible that in between calling fastrpc_map_get() until
map->fl->lock is taken in fastrpc_free_map(), another thread can call
fastrpc_map_lookup() and get a reference to a map that is about to be
deleted.
Rewrite fastrpc_map_get() to only increase the reference count of a map
if it's non-zero. Propagate this to callers so they can know if a map is
about to be deleted.
Fixes this warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
...
Call trace:
refcount_warn_saturate
[fastrpc_map_get inlined]
[fastrpc_map_lookup inlined]
fastrpc_map_create
fastrpc_internal_invoke
fastrpc_device_ioctl
__arm64_sys_ioctl
invoke_syscall
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 Version: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 Version: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 Version: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 Version: c68cfb718c8f97b7f7a50ed66be5feb42d0c8988
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48872", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:25.671974Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:54.076Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/misc/fastrpc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "556dfdb226ce1e5231d8836159b23f8bb0395bf4", status: "affected", version: "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988", versionType: "git", }, { lessThan: "b171d0d2cf1b8387c72c8d325c5d5746fa271e39", status: "affected", version: "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988", versionType: "git", }, { lessThan: "61a0890cb95afec5c8a2f4a879de2b6220984ef1", status: "affected", version: "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988", versionType: "git", }, { lessThan: "079c78c68714f7d8d58e66c477b0243b31806907", status: "affected", version: "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988", versionType: "git", }, { lessThan: "96b328d119eca7563c1edcc4e1039a62e6370ecb", status: "affected", version: "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/misc/fastrpc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.1", }, { lessThan: "5.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: 
"unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free race condition for maps\n\nIt is possible that in between calling fastrpc_map_get() until\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\nfastrpc_map_lookup() and get a reference to a map that is about to be\ndeleted.\n\nRewrite fastrpc_map_get() to only increase the reference count of a map\nif it's non-zero. Propagate this to callers so they can know if a map is\nabout to be deleted.\n\nFixes this warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\n...\nCall trace:\n refcount_warn_saturate\n [fastrpc_map_get inlined]\n [fastrpc_map_lookup inlined]\n fastrpc_map_create\n fastrpc_internal_invoke\n fastrpc_device_ioctl\n __arm64_sys_ioctl\n invoke_syscall", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:35.649Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4", }, { url: "https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39", }, { url: "https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1", }, { url: "https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907", }, { url: "https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb", }, ], title: "misc: fastrpc: Fix use-after-free race condition for maps", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: 
"CVE-2022-48872", datePublished: "2024-08-21T06:10:02.954Z", dateReserved: "2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:35.649Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48893
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: Cleanup partial engine discovery failures
If we abort driver initialisation in the middle of gt/engine discovery,
some engines will be fully setup and some not. Those incompletely setup
engines only have 'engine->release == NULL' and so will leak any of the
common objects allocated.
v2:
- Drop the destroy_pinned_context() helper for now. It's not really
worth it with just a single callsite at the moment. (Janusz)
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48893", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:15.684796Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:06.159Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/i915/gt/intel_engine_cs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5c855bcc730656c4b7d30aaddcd0eafc7003e112", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "78a033433a5ae4fee85511ee075bc9a48312c79e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/i915/gt/intel_engine_cs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Cleanup partial engine discovery failures\n\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have 'engine->release == NULL' and so will leak any of the\ncommon objects allocated.\n\nv2:\n - Drop the destroy_pinned_context() helper for now. It's not really\n worth it with just a single callsite at the moment. 
(Janusz)", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:10:00.867Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112", }, { url: "https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e", }, ], title: "drm/i915/gt: Cleanup partial engine discovery failures", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48893", datePublished: "2024-08-21T06:10:25.448Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:10:00.867Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43877
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: pci: ivtv: Add check for DMA map result
In case DMA fails, 'dma->SG_length' is 0. This value is later used to
access 'dma->SGarray[dma->SG_length - 1]', which will cause out of
bounds access.
Add check to return early on invalid value. Adjust warnings accordingly.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43877", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:00.730463Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:17.774Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/pci/ivtv/ivtv-udma.c", "drivers/media/pci/ivtv/ivtv-yuv.c", "drivers/media/pci/ivtv/ivtvfb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "24062aa7407091dee3e45a8e8037df437e848718", status: "affected", version: "1932dc2f4cf6ac23e48e5fcc24d21adbe35691d1", versionType: "git", }, { lessThan: "3d8fd92939e21ff0d45100ab208f8124af79402a", status: "affected", version: "1932dc2f4cf6ac23e48e5fcc24d21adbe35691d1", versionType: "git", }, { lessThan: "c766065e8272085ea9c436414b7ddf1f12e7787b", status: "affected", version: "1932dc2f4cf6ac23e48e5fcc24d21adbe35691d1", versionType: "git", }, { lessThan: "629913d6d79508b166c66e07e4857e20233d85a9", status: "affected", version: "1932dc2f4cf6ac23e48e5fcc24d21adbe35691d1", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/pci/ivtv/ivtv-udma.c", "drivers/media/pci/ivtv/ivtv-yuv.c", "drivers/media/pci/ivtv/ivtvfb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.103", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: 
"6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: ivtv: Add check for DMA map result\n\nIn case DMA fails, 'dma->SG_length' is 0. This value is later used to\naccess 'dma->SGarray[dma->SG_length - 1]', which will cause out of\nbounds access.\n\nAdd check to return early on invalid value. Adjust warnings accordingly.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:38.961Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/24062aa7407091dee3e45a8e8037df437e848718", }, { url: "https://git.kernel.org/stable/c/3d8fd92939e21ff0d45100ab208f8124af79402a", }, { url: "https://git.kernel.org/stable/c/c766065e8272085ea9c436414b7ddf1f12e7787b", }, { url: "https://git.kernel.org/stable/c/629913d6d79508b166c66e07e4857e20233d85a9", }, ], title: "media: pci: ivtv: Add check for DMA map result", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43877", datePublished: "2024-08-21T00:06:29.330Z", dateReserved: "2024-08-17T09:11:59.281Z", dateUpdated: "2024-12-19T09:17:38.961Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43878
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Fix input error path memory access
When there is a misconfiguration of input state slow path
KASAN report error. Fix this error.
west login:
[ 52.987278] eth1: renamed from veth11
[ 53.078814] eth1: renamed from veth21
[ 53.181355] eth1: renamed from veth31
[ 54.921702] ==================================================================
[ 54.922602] BUG: KASAN: wild-memory-access in xfrmi_rcv_cb+0x2d/0x295
[ 54.923393] Read of size 8 at addr 6b6b6b6b00000000 by task ping/512
[ 54.924169]
[ 54.924386] CPU: 0 PID: 512 Comm: ping Not tainted 6.9.0-08574-gcd29a4313a1b #25
[ 54.925290] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 54.926401] Call Trace:
[ 54.926731] <IRQ>
[ 54.927009] dump_stack_lvl+0x2a/0x3b
[ 54.927478] kasan_report+0x84/0xa6
[ 54.927930] ? xfrmi_rcv_cb+0x2d/0x295
[ 54.928410] xfrmi_rcv_cb+0x2d/0x295
[ 54.928872] ? xfrm4_rcv_cb+0x3d/0x5e
[ 54.929354] xfrm4_rcv_cb+0x46/0x5e
[ 54.929804] xfrm_rcv_cb+0x7e/0xa1
[ 54.930240] xfrm_input+0x1b3a/0x1b96
[ 54.930715] ? xfrm_offload+0x41/0x41
[ 54.931182] ? raw_rcv+0x292/0x292
[ 54.931617] ? nf_conntrack_confirm+0xa2/0xa2
[ 54.932158] ? skb_sec_path+0xd/0x3f
[ 54.932610] ? xfrmi_input+0x90/0xce
[ 54.933066] xfrm4_esp_rcv+0x33/0x54
[ 54.933521] ip_protocol_deliver_rcu+0xd7/0x1b2
[ 54.934089] ip_local_deliver_finish+0x110/0x120
[ 54.934659] ? ip_protocol_deliver_rcu+0x1b2/0x1b2
[ 54.935248] NF_HOOK.constprop.0+0xf8/0x138
[ 54.935767] ? ip_sublist_rcv_finish+0x68/0x68
[ 54.936317] ? secure_tcpv6_ts_off+0x23/0x168
[ 54.936859] ? ip_protocol_deliver_rcu+0x1b2/0x1b2
[ 54.937454] ? __xfrm_policy_check2.constprop.0+0x18d/0x18d
[ 54.938135] NF_HOOK.constprop.0+0xf8/0x138
[ 54.938663] ? ip_sublist_rcv_finish+0x68/0x68
[ 54.939220] ? __xfrm_policy_check2.constprop.0+0x18d/0x18d
[ 54.939904] ? ip_local_deliver_finish+0x120/0x120
[ 54.940497] __netif_receive_skb_one_core+0xc9/0x107
[ 54.941121] ? __netif_receive_skb_list_core+0x1c2/0x1c2
[ 54.941771] ? blk_mq_start_stopped_hw_queues+0xc7/0xf9
[ 54.942413] ? blk_mq_start_stopped_hw_queue+0x38/0x38
[ 54.943044] ? virtqueue_get_buf_ctx+0x295/0x46b
[ 54.943618] process_backlog+0xb3/0x187
[ 54.944102] __napi_poll.constprop.0+0x57/0x1a7
[ 54.944669] net_rx_action+0x1cb/0x380
[ 54.945150] ? __napi_poll.constprop.0+0x1a7/0x1a7
[ 54.945744] ? vring_new_virtqueue+0x17a/0x17a
[ 54.946300] ? note_interrupt+0x2cd/0x367
[ 54.946805] handle_softirqs+0x13c/0x2c9
[ 54.947300] do_softirq+0x5f/0x7d
[ 54.947727] </IRQ>
[ 54.948014] <TASK>
[ 54.948300] __local_bh_enable_ip+0x48/0x62
[ 54.948832] __neigh_event_send+0x3fd/0x4ca
[ 54.949361] neigh_resolve_output+0x1e/0x210
[ 54.949896] ip_finish_output2+0x4bf/0x4f0
[ 54.950410] ? __ip_finish_output+0x171/0x1b8
[ 54.950956] ip_send_skb+0x25/0x57
[ 54.951390] raw_sendmsg+0xf95/0x10c0
[ 54.951850] ? check_new_pages+0x45/0x71
[ 54.952343] ? raw_hash_sk+0x21b/0x21b
[ 54.952815] ? kernel_init_pages+0x42/0x51
[ 54.953337] ? prep_new_page+0x44/0x51
[ 54.953811] ? get_page_from_freelist+0x72b/0x915
[ 54.954390] ? signal_pending_state+0x77/0x77
[ 54.954936] ? preempt_count_sub+0x14/0xb3
[ 54.955450] ? __might_resched+0x8a/0x240
[ 54.955951] ? __might_sleep+0x25/0xa0
[ 54.956424] ? first_zones_zonelist+0x2c/0x43
[ 54.956977] ? __rcu_read_lock+0x2d/0x3a
[ 54.957476] ? __pte_offset_map+0x32/0xa4
[ 54.957980] ? __might_resched+0x8a/0x240
[ 54.958483] ? __might_sleep+0x25/0xa0
[ 54.958963] ? inet_send_prepare+0x54/0x54
[ 54.959478] ? sock_sendmsg_nosec+0x42/0x6c
[ 54.960000] sock_sendmsg_nosec+0x42/0x6c
[ 54.960502] __sys_sendto+0x15d/0x1cc
[ 54.960966] ? __x64_sys_getpeername+0x44/0x44
[ 54.961522] ? __handle_mm_fault+0x679/0xae4
[ 54.962068] ? find_vma+0x6b/0x
---truncated---
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43878", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:57.570463Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:17.625Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/xfrm/xfrm_input.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a4c10813bc394ff2b5c61f913971be216f8f8834", status: "affected", version: "304b44f0d5a4c2f91f82f7c31538d00485fb484c", versionType: "git", }, { lessThan: "54fcc6189dfb822eea984fa2b3e477a02447279d", status: "affected", version: "304b44f0d5a4c2f91f82f7c31538d00485fb484c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/xfrm/xfrm_input.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix input error path memory access\n\nWhen there is a misconfiguration of input state slow path\nKASAN report error. 
Fix this error.\nwest login:\n[ 52.987278] eth1: renamed from veth11\n[ 53.078814] eth1: renamed from veth21\n[ 53.181355] eth1: renamed from veth31\n[ 54.921702] ==================================================================\n[ 54.922602] BUG: KASAN: wild-memory-access in xfrmi_rcv_cb+0x2d/0x295\n[ 54.923393] Read of size 8 at addr 6b6b6b6b00000000 by task ping/512\n[ 54.924169]\n[ 54.924386] CPU: 0 PID: 512 Comm: ping Not tainted 6.9.0-08574-gcd29a4313a1b #25\n[ 54.925290] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 54.926401] Call Trace:\n[ 54.926731] <IRQ>\n[ 54.927009] dump_stack_lvl+0x2a/0x3b\n[ 54.927478] kasan_report+0x84/0xa6\n[ 54.927930] ? xfrmi_rcv_cb+0x2d/0x295\n[ 54.928410] xfrmi_rcv_cb+0x2d/0x295\n[ 54.928872] ? xfrm4_rcv_cb+0x3d/0x5e\n[ 54.929354] xfrm4_rcv_cb+0x46/0x5e\n[ 54.929804] xfrm_rcv_cb+0x7e/0xa1\n[ 54.930240] xfrm_input+0x1b3a/0x1b96\n[ 54.930715] ? xfrm_offload+0x41/0x41\n[ 54.931182] ? raw_rcv+0x292/0x292\n[ 54.931617] ? nf_conntrack_confirm+0xa2/0xa2\n[ 54.932158] ? skb_sec_path+0xd/0x3f\n[ 54.932610] ? xfrmi_input+0x90/0xce\n[ 54.933066] xfrm4_esp_rcv+0x33/0x54\n[ 54.933521] ip_protocol_deliver_rcu+0xd7/0x1b2\n[ 54.934089] ip_local_deliver_finish+0x110/0x120\n[ 54.934659] ? ip_protocol_deliver_rcu+0x1b2/0x1b2\n[ 54.935248] NF_HOOK.constprop.0+0xf8/0x138\n[ 54.935767] ? ip_sublist_rcv_finish+0x68/0x68\n[ 54.936317] ? secure_tcpv6_ts_off+0x23/0x168\n[ 54.936859] ? ip_protocol_deliver_rcu+0x1b2/0x1b2\n[ 54.937454] ? __xfrm_policy_check2.constprop.0+0x18d/0x18d\n[ 54.938135] NF_HOOK.constprop.0+0xf8/0x138\n[ 54.938663] ? ip_sublist_rcv_finish+0x68/0x68\n[ 54.939220] ? __xfrm_policy_check2.constprop.0+0x18d/0x18d\n[ 54.939904] ? ip_local_deliver_finish+0x120/0x120\n[ 54.940497] __netif_receive_skb_one_core+0xc9/0x107\n[ 54.941121] ? __netif_receive_skb_list_core+0x1c2/0x1c2\n[ 54.941771] ? blk_mq_start_stopped_hw_queues+0xc7/0xf9\n[ 54.942413] ? 
blk_mq_start_stopped_hw_queue+0x38/0x38\n[ 54.943044] ? virtqueue_get_buf_ctx+0x295/0x46b\n[ 54.943618] process_backlog+0xb3/0x187\n[ 54.944102] __napi_poll.constprop.0+0x57/0x1a7\n[ 54.944669] net_rx_action+0x1cb/0x380\n[ 54.945150] ? __napi_poll.constprop.0+0x1a7/0x1a7\n[ 54.945744] ? vring_new_virtqueue+0x17a/0x17a\n[ 54.946300] ? note_interrupt+0x2cd/0x367\n[ 54.946805] handle_softirqs+0x13c/0x2c9\n[ 54.947300] do_softirq+0x5f/0x7d\n[ 54.947727] </IRQ>\n[ 54.948014] <TASK>\n[ 54.948300] __local_bh_enable_ip+0x48/0x62\n[ 54.948832] __neigh_event_send+0x3fd/0x4ca\n[ 54.949361] neigh_resolve_output+0x1e/0x210\n[ 54.949896] ip_finish_output2+0x4bf/0x4f0\n[ 54.950410] ? __ip_finish_output+0x171/0x1b8\n[ 54.950956] ip_send_skb+0x25/0x57\n[ 54.951390] raw_sendmsg+0xf95/0x10c0\n[ 54.951850] ? check_new_pages+0x45/0x71\n[ 54.952343] ? raw_hash_sk+0x21b/0x21b\n[ 54.952815] ? kernel_init_pages+0x42/0x51\n[ 54.953337] ? prep_new_page+0x44/0x51\n[ 54.953811] ? get_page_from_freelist+0x72b/0x915\n[ 54.954390] ? signal_pending_state+0x77/0x77\n[ 54.954936] ? preempt_count_sub+0x14/0xb3\n[ 54.955450] ? __might_resched+0x8a/0x240\n[ 54.955951] ? __might_sleep+0x25/0xa0\n[ 54.956424] ? first_zones_zonelist+0x2c/0x43\n[ 54.956977] ? __rcu_read_lock+0x2d/0x3a\n[ 54.957476] ? __pte_offset_map+0x32/0xa4\n[ 54.957980] ? __might_resched+0x8a/0x240\n[ 54.958483] ? __might_sleep+0x25/0xa0\n[ 54.958963] ? inet_send_prepare+0x54/0x54\n[ 54.959478] ? sock_sendmsg_nosec+0x42/0x6c\n[ 54.960000] sock_sendmsg_nosec+0x42/0x6c\n[ 54.960502] __sys_sendto+0x15d/0x1cc\n[ 54.960966] ? __x64_sys_getpeername+0x44/0x44\n[ 54.961522] ? __handle_mm_fault+0x679/0xae4\n[ 54.962068] ? 
find_vma+0x6b/0x\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:40.472Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a4c10813bc394ff2b5c61f913971be216f8f8834", }, { url: "https://git.kernel.org/stable/c/54fcc6189dfb822eea984fa2b3e477a02447279d", }, ], title: "xfrm: Fix input error path memory access", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43878", datePublished: "2024-08-21T00:06:30.412Z", dateReserved: "2024-08-17T09:11:59.286Z", dateUpdated: "2024-12-19T09:17:40.472Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43880
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_erp: Fix object nesting warning
ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM
(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can
contain more ACLs (i.e., tc filters), but the number of masks in each
region (i.e., tc chain) is limited.
In order to mitigate the effects of the above limitation, the device
allows filters to share a single mask if their masks only differ in up
to 8 consecutive bits. For example, dst_ip/25 can be represented using
dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the
number of masks being used (and therefore does not support mask
aggregation), but can contain a limited number of filters.
The driver uses the "objagg" library to perform the mask aggregation by
passing it objects that consist of the filter's mask and whether the
filter is to be inserted into the A-TCAM or the C-TCAM since filters in
different TCAMs cannot share a mask.
The set of created objects is dependent on the insertion order of the
filters and is not necessarily optimal. Therefore, the driver will
periodically ask the library to compute a more optimal set ("hints") by
looking at all the existing objects.
When the library asks the driver whether two objects can be aggregated
the driver only compares the provided masks and ignores the A-TCAM /
C-TCAM indication. This is the right thing to do since the goal is to
move as many filters as possible to the A-TCAM. The driver also forbids
two identical masks from being aggregated since this can only happen if
one was intentionally put in the C-TCAM to avoid a conflict in the
A-TCAM.
The above can result in the following set of hints:
H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta
H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta
After getting the hints from the library the driver will start migrating
filters from one region to another while consulting the computed hints
and instructing the device to perform a lookup in both regions during
the transition.
Assuming a filter with mask X is being migrated into the A-TCAM in the
new region, the hints lookup will return H1. Since H2 is the parent of
H1, the library will try to find the object associated with it and
create it if necessary in which case another hints lookup (recursive)
will be performed. This hints lookup for {mask Y, A-TCAM} will either
return H2 or H3 since the driver passes the library an object comparison
function that ignores the A-TCAM / C-TCAM indication.
This can eventually lead to nested objects which are not supported by
the library [1].
Fix by removing the object comparison function from both the driver and
the library as the driver was the only user. That way the lookup will
only return exact matches.
I do not have a reliable reproducer that can reproduce the issue in a
timely manner, but before the fix the issue would reproduce in several
minutes and with the fix it does not reproduce in over an hour.
Note that the current usefulness of the hints is limited because they
include the C-TCAM indication and represent aggregation that cannot
actually happen. This will be addressed in net-next.
[1]
WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0
Modules linked in:
CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42
Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0
[...]
Call Trace:
<TASK>
__objagg_obj_get+0x2bb/0x580
objagg_obj_get+0xe/0x80
mlxsw_sp_acl_erp_mask_get+0xb5/0xf0
mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0
mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0
mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270
mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510
process_one_work+0x151/0x370
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 9069a3817d82b01b3a55da382c774e3575946130 Version: 9069a3817d82b01b3a55da382c774e3575946130 Version: 9069a3817d82b01b3a55da382c774e3575946130 Version: 9069a3817d82b01b3a55da382c774e3575946130 Version: 9069a3817d82b01b3a55da382c774e3575946130 Version: 9069a3817d82b01b3a55da382c774e3575946130 Version: 9069a3817d82b01b3a55da382c774e3575946130
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43880", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:51.322073Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:17.371Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c", "include/linux/objagg.h", "lib/objagg.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4dc09f6f260db3c4565a4ec52ba369393598f2fb", status: "affected", version: "9069a3817d82b01b3a55da382c774e3575946130", versionType: "git", }, { lessThan: "36a9996e020dd5aa325e0ecc55eb2328288ea6bb", status: "affected", version: "9069a3817d82b01b3a55da382c774e3575946130", versionType: "git", }, { lessThan: "9a5261a984bba4f583d966c550fa72c33ff3714e", status: "affected", version: "9069a3817d82b01b3a55da382c774e3575946130", versionType: "git", }, { lessThan: "25c6fd9648ad05da493a5d30881896a78a08b624", status: "affected", version: "9069a3817d82b01b3a55da382c774e3575946130", versionType: "git", }, { lessThan: "0e59c2d22853266704e127915653598f7f104037", status: "affected", version: "9069a3817d82b01b3a55da382c774e3575946130", versionType: "git", }, { lessThan: "fb5d4fc578e655d113f09565f6f047e15f7ab578", status: "affected", version: "9069a3817d82b01b3a55da382c774e3575946130", versionType: "git", }, { lessThan: "97d833ceb27dc19f8777d63f90be4a27b5daeedf", status: "affected", version: "9069a3817d82b01b3a55da382c774e3575946130", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c", "include/linux/objagg.h", "lib/objagg.c", ], repo: 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.1", }, { lessThan: "5.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.282", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.224", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.103", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_erp: Fix object nesting warning\n\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\ncontain more ACLs (i.e., tc filters), but the number of masks in each\nregion (i.e., tc chain) is limited.\n\nIn order to mitigate the effects of the above limitation, the device\nallows filters to share a single mask if their masks only differ in up\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\ndst_ip/24 with a delta of 1 bit. 
The C-TCAM does not have a limit on the\nnumber of masks being used (and therefore does not support mask\naggregation), but can contain a limited number of filters.\n\nThe driver uses the \"objagg\" library to perform the mask aggregation by\npassing it objects that consist of the filter's mask and whether the\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\ndifferent TCAMs cannot share a mask.\n\nThe set of created objects is dependent on the insertion order of the\nfilters and is not necessarily optimal. Therefore, the driver will\nperiodically ask the library to compute a more optimal set (\"hints\") by\nlooking at all the existing objects.\n\nWhen the library asks the driver whether two objects can be aggregated\nthe driver only compares the provided masks and ignores the A-TCAM /\nC-TCAM indication. This is the right thing to do since the goal is to\nmove as many filters as possible to the A-TCAM. The driver also forbids\ntwo identical masks from being aggregated since this can only happen if\none was intentionally put in the C-TCAM to avoid a conflict in the\nA-TCAM.\n\nThe above can result in the following set of hints:\n\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\n\nAfter getting the hints from the library the driver will start migrating\nfilters from one region to another while consulting the computed hints\nand instructing the device to perform a lookup in both regions during\nthe transition.\n\nAssuming a filter with mask X is being migrated into the A-TCAM in the\nnew region, the hints lookup will return H1. Since H2 is the parent of\nH1, the library will try to find the object associated with it and\ncreate it if necessary in which case another hints lookup (recursive)\nwill be performed. 
This hints lookup for {mask Y, A-TCAM} will either\nreturn H2 or H3 since the driver passes the library an object comparison\nfunction that ignores the A-TCAM / C-TCAM indication.\n\nThis can eventually lead to nested objects which are not supported by\nthe library [1].\n\nFix by removing the object comparison function from both the driver and\nthe library as the driver was the only user. That way the lookup will\nonly return exact matches.\n\nI do not have a reliable reproducer that can reproduce the issue in a\ntimely manner, but before the fix the issue would reproduce in several\nminutes and with the fix it does not reproduce in over an hour.\n\nNote that the current usefulness of the hints is limited because they\ninclude the C-TCAM indication and represent aggregation that cannot\nactually happen. This will be addressed in net-next.\n\n[1]\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\nModules linked in:\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\nHardware name: Mellanox Technologies Ltd. 
MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\n[...]\nCall Trace:\n <TASK>\n __objagg_obj_get+0x2bb/0x580\n objagg_obj_get+0xe/0x80\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:42.826Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb", }, { url: "https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb", }, { url: "https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e", }, { url: "https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624", }, { url: "https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037", }, { url: "https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578", }, { url: "https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf", }, ], title: "mlxsw: spectrum_acl_erp: Fix object nesting warning", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43880", datePublished: "2024-08-21T00:06:32.562Z", dateReserved: "2024-08-17T09:11:59.287Z", dateUpdated: "2024-12-19T09:17:42.826Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52896
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race between quota rescan and disable leading to NULL pointer deref
If we have one task trying to start the quota rescan worker while another
one is trying to disable quotas, we can end up hitting a race that results
in the quota rescan worker doing a NULL pointer dereference. The steps for
this are the following:
1) Quotas are enabled;
2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().
It calls qgroup_rescan_init() which returns 0 (success) and then joins a
transaction and commits it;
3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().
It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls
btrfs_qgroup_wait_for_completion(), which returns immediately since the
rescan worker is not yet running.
Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;
4) Task A queues the rescan worker, by calling btrfs_queue_work();
5) The rescan worker starts, and calls rescan_should_stop() at the start
of its while loop, which results in 0 iterations of the loop, since
the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by
task B at step 3);
6) Task B sets fs_info->quota_root to NULL;
7) The rescan worker tries to start a transaction and uses
fs_info->quota_root as the root argument for btrfs_start_transaction().
This results in a NULL pointer dereference down the call chain of
btrfs_start_transaction(). The stack trace is something like the one
reported in Link tag below:
general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: btrfs-qgroup-rescan btrfs_work_helper
RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564
Code: 48 89 fb 48 (...)
RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206
RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d
R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402
btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280
process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
So fix this by having the rescan worker function not attempt to start a
transaction if it didn't do any rescan work.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 26b3901d20bf9da2c6a00cb1fb48932166f80a45 Version: 32747e01436aac8ef93fe85b5b523b4f3b52f040 Version: 89d4cca583fc9594ee7d1a0bc986886d6fb587e6 Version: e804861bd4e69cc5fe1053eedcb024982dde8e48 Version: e804861bd4e69cc5fe1053eedcb024982dde8e48
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52896", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:43.723269Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:13.066Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/qgroup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "89ac597e3e807b91e2ebd6a7c36fec7b97290233", status: "affected", version: "26b3901d20bf9da2c6a00cb1fb48932166f80a45", versionType: "git", }, { lessThan: "3bd43374857103ba3cac751d6d4afa8d83b5d92a", status: "affected", version: "32747e01436aac8ef93fe85b5b523b4f3b52f040", versionType: "git", }, { lessThan: "64287cd456a22373053998c1fccf14b651e9cbbd", status: "affected", version: "89d4cca583fc9594ee7d1a0bc986886d6fb587e6", versionType: "git", }, { lessThan: "1004fc90f0d79a4b7d9e3d432729914f472f9ad1", status: "affected", version: "e804861bd4e69cc5fe1053eedcb024982dde8e48", versionType: "git", }, { lessThan: "b7adbf9ada3513d2092362c8eac5cddc5b651f5c", status: "affected", version: "e804861bd4e69cc5fe1053eedcb024982dde8e48", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/qgroup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: 
"unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\n\nIf we have one task trying to start the quota rescan worker while another\none is trying to disable quotas, we can end up hitting a race that results\nin the quota rescan worker doing a NULL pointer dereference. The steps for\nthis are the following:\n\n1) Quotas are enabled;\n\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\n It calls qgroup_rescan_init() which returns 0 (success) and then joins a\n transaction and commits it;\n\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\n It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\n btrfs_qgroup_wait_for_completion(), which returns immediately since the\n rescan worker is not yet running.\n Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\n\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\n\n5) The rescan worker starts, and calls rescan_should_stop() at the start\n of its while loop, which results in 0 iterations of the loop, since\n the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\n task B at step 3);\n\n6) Task B sets fs_info->quota_root to NULL;\n\n7) The rescan worker tries to start a transaction and uses\n fs_info->quota_root as the root argument for btrfs_start_transaction().\n This results in a NULL pointer dereference down the call chain of\n btrfs_start_transaction(). 
The stack trace is something like the one\n reported in Link tag below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: btrfs-qgroup-rescan btrfs_work_helper\n RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\n Code: 48 89 fb 48 (...)\n RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\n RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\n R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\n FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <TASK>\n btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\n btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n </TASK>\n Modules linked in:\n\nSo fix this by having the rescan worker function not attempt to start a\ntransaction if it didn't do any rescan work.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:04.707Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: 
"https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233", }, { url: "https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a", }, { url: "https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd", }, { url: "https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1", }, { url: "https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c", }, ], title: "btrfs: fix race between quota rescan and disable leading to NULL pointer deref", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52896", datePublished: "2024-08-21T06:10:36.233Z", dateReserved: "2024-08-21T06:07:11.014Z", dateUpdated: "2024-12-19T08:28:04.707Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43867
Vulnerability from cvelistv5
Published
2024-08-20 23:50
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: prime: fix refcount underflow
Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and
hence the backing ttm_bo) leads to a refcount underflow.
Instead of calling nouveau_bo_ref() in the unwind path of
drm_gem_object_init(), clean things up manually.
(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6 Version: ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6 Version: ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6 Version: ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6 Version: ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6 Version: ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6 Version: ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43867", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:32.667012Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:19.112Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/nouveau/nouveau_prime.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3bcb8bba72ce89667fa863054956267c450c47ef", status: "affected", version: "ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6", versionType: "git", }, { lessThan: "906372e753c5027a1dc88743843b6aa2ad1aaecf", status: "affected", version: "ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6", versionType: "git", }, { lessThan: "16998763c62bb465ebc409d0373b9cdcef1a61a6", status: "affected", version: "ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6", versionType: "git", }, { lessThan: "ebebba4d357b6c67f96776a48ddbaf0060fa4c10", status: "affected", version: "ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6", versionType: "git", }, { lessThan: "f23cd66933fe76b84d8e282e5606b4d99068c320", status: "affected", version: "ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6", versionType: "git", }, { lessThan: "2a1b327d57a8ac080977633a18999f032d7e9e3f", status: "affected", version: "ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6", versionType: "git", }, { lessThan: "a9bf3efc33f1fbf88787a277f7349459283c9b95", status: "affected", version: "ab9ccb96a6e6f95bcde6b8b2a524370efdbfdcd6", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/nouveau/nouveau_prime.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: 
"affected", version: "3.9", }, { lessThan: "3.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.282", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.224", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.104", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.45", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix refcount underflow\n\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\nhence the backing ttm_bo) leads to a refcount underflow.\n\nInstead of calling nouveau_bo_ref() in the unwind path of\ndrm_gem_object_init(), clean things up manually.\n\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:27.377Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3bcb8bba72ce89667fa863054956267c450c47ef", }, { url: "https://git.kernel.org/stable/c/906372e753c5027a1dc88743843b6aa2ad1aaecf", }, { url: "https://git.kernel.org/stable/c/16998763c62bb465ebc409d0373b9cdcef1a61a6", }, { url: "https://git.kernel.org/stable/c/ebebba4d357b6c67f96776a48ddbaf0060fa4c10", }, { url: "https://git.kernel.org/stable/c/f23cd66933fe76b84d8e282e5606b4d99068c320", }, { url: "https://git.kernel.org/stable/c/2a1b327d57a8ac080977633a18999f032d7e9e3f", }, { url: 
"https://git.kernel.org/stable/c/a9bf3efc33f1fbf88787a277f7349459283c9b95", }, ], title: "drm/nouveau: prime: fix refcount underflow", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43867", datePublished: "2024-08-20T23:50:50.429Z", dateReserved: "2024-08-17T09:11:59.280Z", dateUpdated: "2024-12-19T09:17:27.377Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52912
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fixed bug on error when unloading amdgpu
Fixed bug on error when unloading amdgpu.
The error message is as follows:
[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!
[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1
[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021
[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]
[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53
[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287
[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000
[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70
[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001
[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70
[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70
[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000
[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0
[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 377.706361] Call Trace:
[ 377.706365] <TASK>
[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]
[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]
[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]
[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]
[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]
[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]
[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]
[ 377.706975] drm_dev_release+0x20/0x40 [drm]
[ 377.707006] release_nodes+0x35/0xb0
[ 377.707014] devres_release_all+0x8b/0xc0
[ 377.707020] device_unbind_cleanup+0xe/0x70
[ 377.707027] device_release_driver_internal+0xee/0x160
[ 377.707033] driver_detach+0x44/0x90
[ 377.707039] bus_remove_driver+0x55/0xe0
[ 377.707045] pci_unregister_driver+0x3b/0x90
[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]
[ 377.707194] __x64_sys_delete_module+0x142/0x2b0
[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50
[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190
[ 377.707215] do_syscall_64+0x38/0x90
[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52912", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T15:34:45.870527Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:03.232Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9196eb7c52e55749a332974f0081f77d53d60199", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "99f1a36c90a7524972be5a028424c57fa17753ee", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\n\nFixed bug on error when unloading amdgpu.\n\nThe error message is as follows:\n[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\n[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1\n[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\n[ 377.706238] RIP: 
0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\n[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\n[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\n[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\n[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\n[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\n[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\n[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\n[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\n[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\n[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 377.706361] Call Trace:\n[ 377.706365] <TASK>\n[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]\n[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\n[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\n[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]\n[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\n[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\n[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\n[ 377.706975] drm_dev_release+0x20/0x40 [drm]\n[ 377.707006] release_nodes+0x35/0xb0\n[ 377.707014] devres_release_all+0x8b/0xc0\n[ 377.707020] device_unbind_cleanup+0xe/0x70\n[ 377.707027] device_release_driver_internal+0xee/0x160\n[ 377.707033] driver_detach+0x44/0x90\n[ 377.707039] bus_remove_driver+0x55/0xe0\n[ 377.707045] pci_unregister_driver+0x3b/0x90\n[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]\n[ 377.707194] 
__x64_sys_delete_module+0x142/0x2b0\n[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50\n[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190\n[ 377.707215] do_syscall_64+0x38/0x90\n[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:25.639Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9196eb7c52e55749a332974f0081f77d53d60199", }, { url: "https://git.kernel.org/stable/c/99f1a36c90a7524972be5a028424c57fa17753ee", }, ], title: "drm/amdgpu: Fixed bug on error when unloading amdgpu", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52912", datePublished: "2024-08-21T06:10:53.481Z", dateReserved: "2024-08-21T06:07:11.016Z", dateUpdated: "2024-12-19T08:28:25.639Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43869
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix event leak upon exec and file release
The perf pending task work is never waited upon the matching event
release. In the case of a child event, released via free_event()
directly, this can potentially result in a leaked event, such as in the
following scenario that doesn't even require a weak IRQ work
implementation to trigger:
schedule()
prepare_task_switch()
=======> <NMI>
perf_event_overflow()
event->pending_sigtrap = ...
irq_work_queue(&event->pending_irq)
<======= </NMI>
perf_event_task_sched_out()
event_sched_out()
event->pending_sigtrap = 0;
atomic_long_inc_not_zero(&event->refcount)
task_work_add(&event->pending_task)
finish_lock_switch()
=======> <IRQ>
perf_pending_irq()
//do nothing, rely on pending task work
<======= </IRQ>
begin_new_exec()
perf_event_exit_task()
perf_event_exit_event()
// If is child event
free_event()
WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
// event is leaked
Similar scenarios can also happen with perf_event_remove_on_exec() or
simply against concurrent perf_event_release().
Fix this with synchronizing against the possibly remaining pending task
work while freeing the event, just like is done with remaining pending
IRQ work. This means that the pending task callback neither need nor
should hold a reference to the event, preventing it from ever being
freed.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8bffa95ac19ff27c8261904f89d36c7fcf215d59 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43869", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:26.274126Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:18.868Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/perf_event.h", "kernel/events/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9ad46f1fef421d43cdab3a7d1744b2f43b54dae0", status: "affected", version: "8bffa95ac19ff27c8261904f89d36c7fcf215d59", versionType: "git", }, { lessThan: "ed2c202dac55423a52d7e2290f2888bf08b8ee99", status: "affected", version: "517e6a301f34613bff24a8e35b5455884f2d83d8", versionType: "git", }, { lessThan: "104e258a004037bc7dba9f6085c71dad6af57ad4", status: "affected", version: "517e6a301f34613bff24a8e35b5455884f2d83d8", versionType: "git", }, { lessThan: "f34d8307a73a18de5320fcc6f40403146d061891", status: "affected", version: "517e6a301f34613bff24a8e35b5455884f2d83d8", versionType: "git", }, { lessThan: "3a5465418f5fd970e86a86c7f4075be262682840", status: "affected", version: "517e6a301f34613bff24a8e35b5455884f2d83d8", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/perf_event.h", "kernel/events/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.103", 
versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> <NMI>\n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= </NMI>\n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> <IRQ>\n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= </IRQ>\n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. 
This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:29.651Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0", }, { url: "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99", }, { url: "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4", }, { url: "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891", }, { url: "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840", }, ], title: "perf: Fix event leak upon exec and file release", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43869", datePublished: "2024-08-21T00:06:20.807Z", dateReserved: "2024-08-17T09:11:59.280Z", dateUpdated: "2024-12-19T09:17:29.651Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48869
Vulnerability from cvelistv5
Published
2024-08-21 06:09
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadgetfs: Fix race between mounting and unmounting
The syzbot fuzzer and Gerald Lee have identified a use-after-free bug
in the gadgetfs driver, involving processes concurrently mounting and
unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()
can race with gadgetfs_kill_sb(), causing the latter to deallocate
the_device while the former is using it. The output from KASAN says,
in part:
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689
CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
...
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
vfs_get_super fs/super.c:1190 [inline]
get_tree_single+0xd0/0x160 fs/super.c:1207
vfs_get_tree+0x88/0x270 fs/super.c:1531
vfs_fsconfig_locked fs/fsopen.c:232 [inline]
The simplest solution is to ensure that gadgetfs_fill_super() and
gadgetfs_kill_sb() are serialized by making them both acquire a new
mutex.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: e5d82a7360d124ae1a38c2a5eac92ba49b125191 Version: e5d82a7360d124ae1a38c2a5eac92ba49b125191 Version: e5d82a7360d124ae1a38c2a5eac92ba49b125191 Version: e5d82a7360d124ae1a38c2a5eac92ba49b125191 Version: e5d82a7360d124ae1a38c2a5eac92ba49b125191
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48869", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:35.321755Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:54.495Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/usb/gadget/legacy/inode.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9a39f4626b361ee7aa10fd990401c37ec3b466ae", status: "affected", version: "e5d82a7360d124ae1a38c2a5eac92ba49b125191", versionType: "git", }, { lessThan: "856e4b5e53f21edbd15d275dde62228dd94fb2b4", status: "affected", version: "e5d82a7360d124ae1a38c2a5eac92ba49b125191", versionType: "git", }, { lessThan: "a2e075f40122d8daf587db126c562a67abd69cf9", status: "affected", version: "e5d82a7360d124ae1a38c2a5eac92ba49b125191", versionType: "git", }, { lessThan: "616fd34d017000ecf9097368b13d8a266f4920b3", status: "affected", version: "e5d82a7360d124ae1a38c2a5eac92ba49b125191", versionType: "git", }, { lessThan: "d18dcfe9860e842f394e37ba01ca9440ab2178f4", status: "affected", version: "e5d82a7360d124ae1a38c2a5eac92ba49b125191", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/usb/gadget/legacy/inode.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.3", }, { lessThan: "5.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: 
"5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadgetfs: Fix race between mounting and unmounting\n\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\nin the gadgetfs driver, involving processes concurrently mounting and\nunmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\nthe_device while the former is using it. The output from KASAN says,\nin part:\n\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\n\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n...\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test 
include/linux/refcount.h:333 [inline]\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n vfs_get_super fs/super.c:1190 [inline]\n get_tree_single+0xd0/0x160 fs/super.c:1207\n vfs_get_tree+0x88/0x270 fs/super.c:1531\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\n\nThe simplest solution is to ensure that gadgetfs_fill_super() and\ngadgetfs_kill_sb() are serialized by making them both acquire a new\nmutex.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:32.205Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae", }, { url: "https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4", }, { url: "https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9", }, { url: "https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3", }, { url: "https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4", }, ], title: "USB: gadgetfs: Fix race between mounting and unmounting", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48869", datePublished: "2024-08-21T06:09:59.526Z", dateReserved: "2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:32.205Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43881
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: change DMA direction while mapping reinjected packets
For fragmented packets, ath12k reassembles each fragment as a normal
packet and then reinjects it into HW ring. In this case, the DMA
direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise,
an invalid payload may be reinjected into the HW and
subsequently delivered to the host.
Given that arbitrary memory can be allocated to the skb buffer,
knowledge about the data contained in the reinjected buffer is lacking.
Consequently, there’s a risk of private information being leaked.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43881", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:47.970201Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:15.718Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath12k/dp_rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e99d9b16ff153de9540073239d24adc3b0a3a997", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, { lessThan: "6925320fcd40d8042d32bf4ede8248e7a5315c3b", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, { lessThan: "33322e3ef07409278a18c6919c448e369d66a18e", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath12k/dp_rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.3", }, { lessThan: "6.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: change DMA direction while mapping reinjected packets\n\nFor fragmented 
packets, ath12k reassembles each fragment as a normal\npacket and then reinjects it into HW ring. In this case, the DMA\ndirection should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise,\nan invalid payload may be reinjected into the HW and\nsubsequently delivered to the host.\n\nGiven that arbitrary memory can be allocated to the skb buffer,\nknowledge about the data contained in the reinjected buffer is lacking.\nConsequently, there’s a risk of private information being leaked.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:43.993Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e99d9b16ff153de9540073239d24adc3b0a3a997", }, { url: "https://git.kernel.org/stable/c/6925320fcd40d8042d32bf4ede8248e7a5315c3b", }, { url: "https://git.kernel.org/stable/c/33322e3ef07409278a18c6919c448e369d66a18e", }, ], title: "wifi: ath12k: change DMA direction while mapping reinjected packets", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43881", datePublished: "2024-08-21T00:06:33.622Z", dateReserved: "2024-08-17T09:11:59.287Z", dateUpdated: "2024-12-19T09:17:43.993Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52904
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()
The subs function argument may be NULL, so do not use it before the NULL check.
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52904", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:17.931881Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:17.251Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/usb/pcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f57204edc10760c935d8d36ea999dc8acf018030", status: "affected", version: "bfd36b1d1869859af7ba94dc95ec05e74f40d0b7", versionType: "git", }, { lessThan: "a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8", status: "affected", version: "e1e0a181aea375edfae2f9a59070f95d904980d1", versionType: "git", }, { lessThan: "92a9c0ad86d47ff4cce899012e355c400f02cfb8", status: "affected", version: "291e9da91403e0e628d7692b5ed505100e7b7706", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/usb/pcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5.15.168", status: "affected", version: "5.15.152", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\n\nThe subs function argument may be NULL, so do not use it before the NULL check.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:15.823Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f57204edc10760c935d8d36ea999dc8acf018030", }, { url: 
"https://git.kernel.org/stable/c/a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8", }, { url: "https://git.kernel.org/stable/c/92a9c0ad86d47ff4cce899012e355c400f02cfb8", }, ], title: "ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52904", datePublished: "2024-08-21T06:10:44.960Z", dateReserved: "2024-08-21T06:07:11.014Z", dateUpdated: "2024-12-19T08:28:15.823Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48873
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Don't remove map on creater_process and device_release
Do not remove the map from the list on error path in
fastrpc_init_create_process, instead call fastrpc_map_put, to avoid
use-after-free. Do not remove it on fastrpc_device_release either,
call fastrpc_map_put instead.
The fastrpc_free_map is the only proper place to remove the map.
This is called only after the reference count is 0.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: b49f6d83e290f17e20f4e5cf31288d3bb4955ea6 Version: b49f6d83e290f17e20f4e5cf31288d3bb4955ea6 Version: b49f6d83e290f17e20f4e5cf31288d3bb4955ea6 Version: b49f6d83e290f17e20f4e5cf31288d3bb4955ea6 Version: b49f6d83e290f17e20f4e5cf31288d3bb4955ea6
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48873", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:22.474051Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:53.911Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/misc/fastrpc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4b5c44e924a571d0ad07054de549624fbc04e4d7", status: "affected", version: "b49f6d83e290f17e20f4e5cf31288d3bb4955ea6", versionType: "git", }, { lessThan: "193cd853145b63e670bd73740250983af1475330", status: "affected", version: "b49f6d83e290f17e20f4e5cf31288d3bb4955ea6", versionType: "git", }, { lessThan: "1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8", status: "affected", version: "b49f6d83e290f17e20f4e5cf31288d3bb4955ea6", versionType: "git", }, { lessThan: "35ddd482345c43d9eec1f3406c0f20a95ed4054b", status: "affected", version: "b49f6d83e290f17e20f4e5cf31288d3bb4955ea6", versionType: "git", }, { lessThan: "5bb96c8f9268e2fdb0e5321cbc358ee5941efc15", status: "affected", version: "b49f6d83e290f17e20f4e5cf31288d3bb4955ea6", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/misc/fastrpc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.2", }, { lessThan: "5.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: 
"unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Don't remove map on creater_process and device_release\n\nDo not remove the map from the list on error path in\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\nuse-after-free. Do not remove it on fastrpc_device_release either,\ncall fastrpc_map_put instead.\n\nThe fastrpc_free_map is the only proper place to remove the map.\nThis is called only after the reference count is 0.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:36.758Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7", }, { url: "https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330", }, { url: "https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8", }, { url: "https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b", }, { url: "https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15", }, ], title: "misc: fastrpc: Don't remove map on creater_process and device_release", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48873", datePublished: "2024-08-21T06:10:04.024Z", dateReserved: "2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:36.758Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52903
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: lock overflowing for IOPOLL
syzbot reports an issue with overflow filling for IOPOLL:
WARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
CPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0
Workqueue: events_unbound io_ring_exit_work
Call trace:
io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773
io_fill_cqe_req io_uring/io_uring.h:168 [inline]
io_do_iopoll+0x474/0x62c io_uring/rw.c:1065
io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513
io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056
io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869
process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
worker_thread+0x340/0x610 kernel/workqueue.c:2436
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863
There is no real problem for normal IOPOLL as flush is also called with
uring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,
for which __io_cqring_overflow_flush() happens from the CQ waiting path.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52903", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:21.069603Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:14.061Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/rw.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "de77faee280163ff03b7ab64af6c9d779a43d4c4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ed4629d1e968359fbb91d0a3780b1e86a2c08845", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7fc3990dad04a677606337ebc61964094d6cb41b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "544d163d659d45a206d8929370d5a2984e546cb7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "io_uring/rw.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: lock 
overflowing for IOPOLL\n\nsyzbot reports an issue with overflow filling for IOPOLL:\n\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\nWorkqueue: events_unbound io_ring_exit_work\nCall trace:\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\n kthread+0x12c/0x158 kernel/kthread.c:376\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\n\nThere is no real problem for normal IOPOLL as flush is also called with\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:14.526Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/de77faee280163ff03b7ab64af6c9d779a43d4c4", }, { url: "https://git.kernel.org/stable/c/ed4629d1e968359fbb91d0a3780b1e86a2c08845", }, { url: "https://git.kernel.org/stable/c/7fc3990dad04a677606337ebc61964094d6cb41b", }, { url: "https://git.kernel.org/stable/c/544d163d659d45a206d8929370d5a2984e546cb7", }, ], title: "io_uring: lock overflowing for IOPOLL", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52903", datePublished: "2024-08-21T06:10:43.857Z", dateReserved: "2024-08-21T06:07:11.014Z", 
dateUpdated: "2024-12-19T08:28:14.526Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52908
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix potential NULL dereference
Fix potential NULL dereference, in the case when "man", the resource manager
might be NULL, when/if we print debug information.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52908", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:05.312816Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:13.328Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_object.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f2faf0699af78968a27ca154bf76e94247f8c471", status: "affected", version: "8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1", versionType: "git", }, { lessThan: "0be7ed8e7eb15282b5d0f6fdfea884db594ea9bf", status: "affected", version: "7554886daa31eacc8e7fac9e15bbce67d10b8f1f", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_object.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6.1.7", status: "affected", version: "6.1.5", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential NULL dereference\n\nFix potential NULL dereference, in the case when \"man\", the resource manager\nmight be NULL, when/if we print debug information.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:20.718Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f2faf0699af78968a27ca154bf76e94247f8c471", }, { url: "https://git.kernel.org/stable/c/0be7ed8e7eb15282b5d0f6fdfea884db594ea9bf", }, ], title: "drm/amdgpu: Fix potential NULL dereference", 
x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52908", datePublished: "2024-08-21T06:10:49.223Z", dateReserved: "2024-08-21T06:07:11.015Z", dateUpdated: "2024-12-19T08:28:20.718Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43863
Vulnerability from cvelistv5
Published
2024-08-20 23:45
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix a deadlock in dma buf fence polling
Introduce a version of the fence ops that on release doesn't remove
the fence from the pending list, and thus doesn't require a lock to
fix poll->fence wait->fence unref deadlocks.
vmwgfx overwrites the wait callback to iterate over the list of all
fences and update their status, to do that it holds a lock to prevent
the list modifications from other threads. The fence destroy callback
both deletes the fence and removes it from the list of pending
fences, for which it holds a lock.
dma buf polling cb unrefs a fence after it's been signaled: so the poll
calls the wait, which signals the fences, which are being destroyed.
The destruction tries to acquire the lock on the pending fences list
which it can never get because it's held by the wait from which it
was called.
Old bug, but not a lot of userspace apps were using dma-buf polling
interfaces. Fix those, in particular this fixes KDE stalls/deadlock.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 2298e804e96eb3635c39519c8287befd92460303
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43863", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:45.941347Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:19.603Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9e20d028d8d1deb1e7fed18f22ffc01669cf3237", status: "affected", version: "2298e804e96eb3635c39519c8287befd92460303", versionType: "git", }, { lessThan: "3b933b16c996af8adb6bc1b5748a63dfb41a82bc", status: "affected", version: "2298e804e96eb3635c39519c8287befd92460303", versionType: "git", }, { lessThan: "a8943969f9ead2fd3044fc826140a21622ef830e", status: "affected", version: "2298e804e96eb3635c39519c8287befd92460303", versionType: "git", }, { lessThan: "c98ab18b9f315ff977c2c65d7c71298ef98be8e3", status: "affected", version: "2298e804e96eb3635c39519c8287befd92460303", versionType: "git", }, { lessThan: "e58337100721f3cc0c7424a18730e4f39844934f", status: "affected", version: "2298e804e96eb3635c39519c8287befd92460303", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.18", }, { lessThan: "3.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.104", versionType: "semver", }, { 
lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.45", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\n\nIntroduce a version of the fence ops that on release doesn't remove\nthe fence from the pending list, and thus doesn't require a lock to\nfix poll->fence wait->fence unref deadlocks.\n\nvmwgfx overwrites the wait callback to iterate over the list of all\nfences and update their status, to do that it holds a lock to prevent\nthe list modifcations from other threads. The fence destroy callback\nboth deletes the fence and removes it from the list of pending\nfences, for which it holds a lock.\n\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\ncalls the wait, which signals the fences, which are being destroyed.\nThe destruction tries to acquire the lock on the pending fences list\nwhich it can never get because it's held by the wait from which it\nwas called.\n\nOld bug, but not a lot of userspace apps were using dma-buf polling\ninterfaces. 
Fix those, in particular this fixes KDE stalls/deadlock.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:22.722Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237", }, { url: "https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc", }, { url: "https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e", }, { url: "https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3", }, { url: "https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f", }, ], title: "drm/vmwgfx: Fix a deadlock in dma buf fence polling", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43863", datePublished: "2024-08-20T23:45:27.756Z", dateReserved: "2024-08-17T09:11:59.279Z", dateUpdated: "2024-12-19T09:17:22.722Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48878
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_qca: Fix driver shutdown on closed serdev
The driver shutdown callback (which sends EDL_SOC_RESET to the device
over serdev) should not be invoked when HCI device is not open (e.g. if
hci_dev_open_sync() failed), because the serdev and its TTY are not open
either. Also skip this step if device is powered off
(qca_power_shutdown()).
The shutdown callback causes use-after-free during system reboot with
Qualcomm Atheros Bluetooth:
Unable to handle kernel paging request at virtual address
0072662f67726fd7
...
CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W
6.1.0-rt5-00325-g8a5f56bcfcca #8
Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
Call trace:
tty_driver_flush_buffer+0x4/0x30
serdev_device_write_flush+0x24/0x34
qca_serdev_shutdown+0x80/0x130 [hci_uart]
device_shutdown+0x15c/0x260
kernel_restart+0x48/0xac
KASAN report:
BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50
Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1
CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted
6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28
Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
Call trace:
dump_backtrace.part.0+0xdc/0xf0
show_stack+0x18/0x30
dump_stack_lvl+0x68/0x84
print_report+0x188/0x488
kasan_report+0xa4/0xf0
__asan_load8+0x80/0xac
tty_driver_flush_buffer+0x1c/0x50
ttyport_write_flush+0x34/0x44
serdev_device_write_flush+0x48/0x60
qca_serdev_shutdown+0x124/0x274
device_shutdown+0x1e8/0x350
kernel_restart+0x48/0xb0
__do_sys_reboot+0x244/0x2d0
__arm64_sys_reboot+0x54/0x70
invoke_syscall+0x60/0x190
el0_svc_common.constprop.0+0x7c/0x160
do_el0_svc+0x44/0xf0
el0_svc+0x2c/0x6c
el0t_64_sync_handler+0xbc/0x140
el0t_64_sync+0x190/0x194
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48878", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:06.349695Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:53.074Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/bluetooth/hci_qca.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e84ec6e25df9bb0968599e92eacedaf3a0a5b587", status: "affected", version: "7e7bbddd029b644f00f0ffbfbc485ed71977d0d5", versionType: "git", }, { lessThan: "908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3", status: "affected", version: "7e7bbddd029b644f00f0ffbfbc485ed71977d0d5", versionType: "git", }, { lessThan: "ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447", status: "affected", version: "7e7bbddd029b644f00f0ffbfbc485ed71977d0d5", versionType: "git", }, { lessThan: "272970be3dabd24cbe50e393ffee8f04aec3b9a8", status: "affected", version: "7e7bbddd029b644f00f0ffbfbc485ed71977d0d5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/bluetooth/hci_qca.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.8", }, { lessThan: "5.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: 
"original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\n\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\nover serdev) should not be invoked when HCI device is not open (e.g. if\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\neither. Also skip this step if device is powered off\n(qca_power_shutdown()).\n\nThe shutdown callback causes use-after-free during system reboot with\nQualcomm Atheros Bluetooth:\n\n Unable to handle kernel paging request at virtual address\n 0072662f67726fd7\n ...\n CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W\n 6.1.0-rt5-00325-g8a5f56bcfcca #8\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n tty_driver_flush_buffer+0x4/0x30\n serdev_device_write_flush+0x24/0x34\n qca_serdev_shutdown+0x80/0x130 [hci_uart]\n device_shutdown+0x15c/0x260\n kernel_restart+0x48/0xac\n\nKASAN report:\n\n BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\n Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\n\n CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\n 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\n Hardware name: Qualcomm Technologies, Inc. 
Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xdc/0xf0\n show_stack+0x18/0x30\n dump_stack_lvl+0x68/0x84\n print_report+0x188/0x488\n kasan_report+0xa4/0xf0\n __asan_load8+0x80/0xac\n tty_driver_flush_buffer+0x1c/0x50\n ttyport_write_flush+0x34/0x44\n serdev_device_write_flush+0x48/0x60\n qca_serdev_shutdown+0x124/0x274\n device_shutdown+0x1e8/0x350\n kernel_restart+0x48/0xb0\n __do_sys_reboot+0x244/0x2d0\n __arm64_sys_reboot+0x54/0x70\n invoke_syscall+0x60/0x190\n el0_svc_common.constprop.0+0x7c/0x160\n do_el0_svc+0x44/0xf0\n el0_svc+0x2c/0x6c\n el0t_64_sync_handler+0xbc/0x140\n el0t_64_sync+0x190/0x194", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:42.422Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587", }, { url: "https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3", }, { url: "https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447", }, { url: "https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8", }, ], title: "Bluetooth: hci_qca: Fix driver shutdown on closed serdev", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48878", datePublished: "2024-08-21T06:10:09.418Z", dateReserved: "2024-07-16T11:38:08.922Z", dateUpdated: "2024-12-19T08:09:42.422Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48897
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/mm: fix incorrect file_map_count for invalid pmd
The page table check triggers BUG_ON() unexpectedly when splitting a hugepage:
------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:119!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748
Hardware name: linux,dummy-virt (DT)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : page_table_check_set.isra.0+0x398/0x468
lr : page_table_check_set.isra.0+0x1c0/0x468
[...]
Call trace:
page_table_check_set.isra.0+0x398/0x468
__page_table_check_pte_set+0x160/0x1c0
__split_huge_pmd_locked+0x900/0x1648
__split_huge_pmd+0x28c/0x3b8
unmap_page_range+0x428/0x858
unmap_single_vma+0xf4/0x1c8
zap_page_range+0x2b0/0x410
madvise_vma_behavior+0xc44/0xe78
do_madvise+0x280/0x698
__arm64_sys_madvise+0x90/0xe8
invoke_syscall.constprop.0+0xdc/0x1d8
do_el0_svc+0xf4/0x3f8
el0_svc+0x58/0x120
el0t_64_sync_handler+0xb8/0xc0
el0t_64_sync+0x19c/0x1a0
[...]
On arm64, pmd_leaf() will return true even if the pmd is invalid due to
pmd_present_invalid() check. So in pmdp_invalidate() the file_map_count
will not only decrease once but also increase once. Then in set_pte_at(),
the file_map_count increases again, and so triggers BUG_ON() unexpectedly.
Add !pmd_present_invalid() check in pmd_user_accessible_page() to fix the
problem.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48897", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:02.667738Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:12.803Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/arm64/include/asm/pgtable.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "21e5eca0ac9046da9918a919bc92b7b5a78d27e7", status: "affected", version: "42b2547137f5c974bb1bfd657c869fe96b96d86f", versionType: "git", }, { lessThan: "74c2f81054510d45b813548cb0a1c4ebf87cdd5f", status: "affected", version: "42b2547137f5c974bb1bfd657c869fe96b96d86f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/arm64/include/asm/pgtable.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/mm: fix incorrect file_map_count for invalid pmd\n\nThe page table check trigger BUG_ON() unexpectedly when split hugepage:\n\n ------------[ cut here ]------------\n kernel BUG at mm/page_table_check.c:119!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n Dumping ftrace buffer:\n (ftrace buffer empty)\n Modules linked in:\n CPU: 7 
PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748\n Hardware name: linux,dummy-virt (DT)\n pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : page_table_check_set.isra.0+0x398/0x468\n lr : page_table_check_set.isra.0+0x1c0/0x468\n[...]\n Call trace:\n page_table_check_set.isra.0+0x398/0x468\n __page_table_check_pte_set+0x160/0x1c0\n __split_huge_pmd_locked+0x900/0x1648\n __split_huge_pmd+0x28c/0x3b8\n unmap_page_range+0x428/0x858\n unmap_single_vma+0xf4/0x1c8\n zap_page_range+0x2b0/0x410\n madvise_vma_behavior+0xc44/0xe78\n do_madvise+0x280/0x698\n __arm64_sys_madvise+0x90/0xe8\n invoke_syscall.constprop.0+0xdc/0x1d8\n do_el0_svc+0xf4/0x3f8\n el0_svc+0x58/0x120\n el0t_64_sync_handler+0xb8/0xc0\n el0t_64_sync+0x19c/0x1a0\n[...]\n\nOn arm64, pmd_leaf() will return true even if the pmd is invalid due to\npmd_present_invalid() check. So in pmdp_invalidate() the file_map_count\nwill not only decrease once but also increase once. Then in set_pte_at(),\nthe file_map_count increase again, and so trigger BUG_ON() unexpectedly.\n\nAdd !pmd_present_invalid() check in pmd_user_accessible_page() to fix the\nproblem.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:10:05.463Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/21e5eca0ac9046da9918a919bc92b7b5a78d27e7", }, { url: "https://git.kernel.org/stable/c/74c2f81054510d45b813548cb0a1c4ebf87cdd5f", }, ], title: "arm64/mm: fix incorrect file_map_count for invalid pmd", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48897", datePublished: "2024-08-21T06:10:29.785Z", dateReserved: "2024-08-21T06:06:23.291Z", dateUpdated: "2024-12-19T08:10:05.463Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48894
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu-v3: Don't unregister on shutdown
Similar to SMMUv2, this driver calls iommu_device_unregister() from the
shutdown path, which removes the IOMMU groups with no coordination
whatsoever with their users - shutdown methods are optional in device
drivers. This can lead to NULL pointer dereferences in those drivers'
DMA API calls, or worse.
Instead of calling the full arm_smmu_device_remove() from
arm_smmu_device_shutdown(), let's pick only the relevant function call -
arm_smmu_device_disable() - more or less the reverse of
arm_smmu_device_reset() - and call just that from the shutdown path.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48894", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:12.466609Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:54.892Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ead3e6c79479890444c777fd329afc125fecde48", status: "affected", version: "57365a04c92126525a58bf7a1599ddfa832415e9", versionType: "git", }, { lessThan: "32ea2c57dc216b6ad8125fa680d31daa5d421c95", status: "affected", version: "57365a04c92126525a58bf7a1599ddfa832415e9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Don't unregister on shutdown\n\nSimilar to SMMUv2, this driver calls iommu_device_unregister() from the\nshutdown path, which removes the IOMMU groups with no coordination\nwhatsoever with their users - shutdown methods are optional in device\ndrivers. 
This can lead to NULL pointer dereferences in those drivers'\nDMA API calls, or worse.\n\nInstead of calling the full arm_smmu_device_remove() from\narm_smmu_device_shutdown(), let's pick only the relevant function call -\narm_smmu_device_disable() - more or less the reverse of\narm_smmu_device_reset() - and call just that from the shutdown path.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:10:02.022Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ead3e6c79479890444c777fd329afc125fecde48", }, { url: "https://git.kernel.org/stable/c/32ea2c57dc216b6ad8125fa680d31daa5d421c95", }, ], title: "iommu/arm-smmu-v3: Don't unregister on shutdown", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48894", datePublished: "2024-08-21T06:10:26.515Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:10:02.022Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48877
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: let's avoid panic if extent_tree is not created
This patch avoids the below panic.
pc : __lookup_extent_tree+0xd8/0x760
lr : f2fs_do_write_data_page+0x104/0x87c
sp : ffffffc010cbb3c0
x29: ffffffc010cbb3e0 x28: 0000000000000000
x27: ffffff8803e7f020 x26: ffffff8803e7ed40
x25: ffffff8803e7f020 x24: ffffffc010cbb460
x23: ffffffc010cbb480 x22: 0000000000000000
x21: 0000000000000000 x20: ffffffff22e90900
x19: 0000000000000000 x18: ffffffc010c5d080
x17: 0000000000000000 x16: 0000000000000020
x15: ffffffdb1acdbb88 x14: ffffff888759e2b0
x13: 0000000000000000 x12: ffffff802da49000
x11: 000000000a001200 x10: ffffff8803e7ed40
x9 : ffffff8023195800 x8 : ffffff802da49078
x7 : 0000000000000001 x6 : 0000000000000000
x5 : 0000000000000006 x4 : ffffffc010cbba28
x3 : 0000000000000000 x2 : ffffffc010cbb480
x1 : 0000000000000000 x0 : ffffff8803e7ed40
Call trace:
__lookup_extent_tree+0xd8/0x760
f2fs_do_write_data_page+0x104/0x87c
f2fs_write_single_data_page+0x420/0xb60
f2fs_write_cache_pages+0x418/0xb1c
__f2fs_write_data_pages+0x428/0x58c
f2fs_write_data_pages+0x30/0x40
do_writepages+0x88/0x190
__writeback_single_inode+0x48/0x448
writeback_sb_inodes+0x468/0x9e8
__writeback_inodes_wb+0xb8/0x2a4
wb_writeback+0x33c/0x740
wb_do_writeback+0x2b4/0x400
wb_workfn+0xe4/0x34c
process_one_work+0x24c/0x5bc
worker_thread+0x3e8/0xa50
kthread+0x150/0x1b4
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48877", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:09.893682Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:53.225Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/extent_cache.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ff85a1dbd90d29f73033177ff8d8de4a27d9721c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "557e85ff9afef6d45020b6f09357111d38033c31", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "72009139a661ade5cb1da4239734ed02fa1cfff0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2c129e868992621a739bdd57a5bffa3985ef1b91", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1c38cdc747f00daf7394535eae5afc4c503c59bb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "df9d44b645b83fffccfb4e28c1f93376585fdec8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/extent_cache.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.14.*", status: "unaffected", 
version: "4.14.304", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.271", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: let's avoid panic if extent_tree is not created\n\nThis patch avoids the below panic.\n\npc : __lookup_extent_tree+0xd8/0x760\nlr : f2fs_do_write_data_page+0x104/0x87c\nsp : ffffffc010cbb3c0\nx29: ffffffc010cbb3e0 x28: 0000000000000000\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\nx23: ffffffc010cbb480 x22: 0000000000000000\nx21: 0000000000000000 x20: ffffffff22e90900\nx19: 0000000000000000 x18: ffffffc010c5d080\nx17: 0000000000000000 x16: 0000000000000020\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\nx13: 0000000000000000 x12: ffffff802da49000\nx11: 000000000a001200 x10: ffffff8803e7ed40\nx9 : ffffff8023195800 x8 : ffffff802da49078\nx7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0000000000000006 x4 : ffffffc010cbba28\nx3 : 0000000000000000 x2 : ffffffc010cbb480\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\nCall trace:\n __lookup_extent_tree+0xd8/0x760\n f2fs_do_write_data_page+0x104/0x87c\n f2fs_write_single_data_page+0x420/0xb60\n f2fs_write_cache_pages+0x418/0xb1c\n __f2fs_write_data_pages+0x428/0x58c\n f2fs_write_data_pages+0x30/0x40\n do_writepages+0x88/0x190\n __writeback_single_inode+0x48/0x448\n writeback_sb_inodes+0x468/0x9e8\n __writeback_inodes_wb+0xb8/0x2a4\n 
wb_writeback+0x33c/0x740\n wb_do_writeback+0x2b4/0x400\n wb_workfn+0xe4/0x34c\n process_one_work+0x24c/0x5bc\n worker_thread+0x3e8/0xa50\n kthread+0x150/0x1b4", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:41.307Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692", }, { url: "https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c", }, { url: "https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31", }, { url: "https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0", }, { url: "https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91", }, { url: "https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb", }, { url: "https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8", }, ], title: "f2fs: let's avoid panic if extent_tree is not created", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48877", datePublished: "2024-08-21T06:10:08.371Z", dateReserved: "2024-07-16T11:38:08.922Z", dateUpdated: "2024-12-19T08:09:41.307Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48876
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix initialization of rx->link and rx->link_sta
There are some codepaths that do not initialize rx->link_sta properly. This
causes a crash in places which assume that rx->link_sta is valid if rx->sta
is valid.
One known instance is triggered by __ieee80211_rx_h_amsdu being called from
fast-rx. It results in a crash like this one:
BUG: kernel NULL pointer dereference, address: 00000000000000a8
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G E 6.1.0-debian64x+1.7 #3
Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014
RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]
Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48
83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0
11 00 00 8d 50 fd 83 fa 01
RSP: 0018:ffff999040803b10 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900
R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000
FS: 0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0
Call Trace:
<TASK>
__ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]
? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
? __local_bh_enable_ip+0x3b/0xa0
ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
? prepare_transfer+0x109/0x1a0 [xhci_hcd]
ieee80211_rx_list+0xa80/0xda0 [mac80211]
mt76_rx_complete+0x207/0x2e0 [mt76]
mt76_rx_poll_complete+0x357/0x5a0 [mt76]
mt76u_rx_worker+0x4f5/0x600 [mt76_usb]
? mt76_get_min_avg_rssi+0x140/0x140 [mt76]
__mt76_worker_fn+0x50/0x80 [mt76]
kthread+0xed/0x120
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
Since the initialization of rx->link and rx->link_sta is rather convoluted
and duplicated in many places, clean it up by using a helper function to
set it.
[remove unnecessary rx->sta->sta.mlo check]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48876", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:13.063011Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:53.407Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mac80211/rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a57c981d9f24d2bd89eaa76dc477e8ca252e22e8", status: "affected", version: "b320d6c456ff2aa43491654407d448bcfa58ac9f", versionType: "git", }, { lessThan: "e66b7920aa5ac5b1a1997a454004ba9246a3c005", status: "affected", version: "b320d6c456ff2aa43491654407d448bcfa58ac9f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mac80211/rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix initialization of rx->link and rx->link_sta\n\nThere are some codepaths that do not initialize rx->link_sta properly. This\ncauses a crash in places which assume that rx->link_sta is valid if rx->sta\nis valid.\nOne known instance is triggered by __ieee80211_rx_h_amsdu being called from\nfast-rx. 
It results in a crash like this one:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000a8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G E 6.1.0-debian64x+1.7 #3\n Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014\n RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]\n Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48\n 83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0\n 11 00 00 8d 50 fd 83 fa 01\n RSP: 0018:ffff999040803b10 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900\n R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000\n FS: 0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0\n Call Trace:\n <TASK>\n __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]\n ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]\n ? __local_bh_enable_ip+0x3b/0xa0\n ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]\n ? prepare_transfer+0x109/0x1a0 [xhci_hcd]\n ieee80211_rx_list+0xa80/0xda0 [mac80211]\n mt76_rx_complete+0x207/0x2e0 [mt76]\n mt76_rx_poll_complete+0x357/0x5a0 [mt76]\n mt76u_rx_worker+0x4f5/0x600 [mt76_usb]\n ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]\n __mt76_worker_fn+0x50/0x80 [mt76]\n kthread+0xed/0x120\n ? 
kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n\nSince the initialization of rx->link and rx->link_sta is rather convoluted\nand duplicated in many places, clean it up by using a helper function to\nset it.\n\n[remove unnecessary rx->sta->sta.mlo check]", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:40.181Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a57c981d9f24d2bd89eaa76dc477e8ca252e22e8", }, { url: "https://git.kernel.org/stable/c/e66b7920aa5ac5b1a1997a454004ba9246a3c005", }, ], title: "wifi: mac80211: fix initialization of rx->link and rx->link_sta", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48876", datePublished: "2024-08-21T06:10:07.310Z", dateReserved: "2024-07-16T11:38:08.922Z", dateUpdated: "2024-12-19T08:09:40.181Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52902
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
nommu: fix memory leak in do_mmap() error path
The preallocation of the maple tree nodes may leak if the error path to
"error_just_free" is taken. Fix this by moving the freeing of the maple
tree nodes to a shared location for all error paths.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52902", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:24.356390Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:14.439Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/nommu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1442d51026c58e7c11dd5f9b19650632a48676d4", status: "affected", version: "8220543df1489ef96c3d4e8b0b3b03c340e3943e", versionType: "git", }, { lessThan: "7f31cced5724e6d414fe750aa1cd7e7b578ec22f", status: "affected", version: "8220543df1489ef96c3d4e8b0b3b03c340e3943e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/nommu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnommu: fix memory leak in do_mmap() error path\n\nThe preallocation of the maple tree nodes may leak if the error path to\n\"error_just_free\" is taken. 
Fix this by moving the freeing of the maple\ntree nodes to a shared location for all error paths.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:13.365Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1442d51026c58e7c11dd5f9b19650632a48676d4", }, { url: "https://git.kernel.org/stable/c/7f31cced5724e6d414fe750aa1cd7e7b578ec22f", }, ], title: "nommu: fix memory leak in do_mmap() error path", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52902", datePublished: "2024-08-21T06:10:42.766Z", dateReserved: "2024-08-21T06:07:11.014Z", dateUpdated: "2024-12-19T08:28:13.365Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43876
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()
Avoid large backtrace, it is sufficient to warn the user that there has
been a link problem. Either the link has failed and the system is in need
of maintenance, or the link continues to work and user has been informed.
The message from the warning can be looked up in the sources.
This makes an actual link issue less verbose.
First of all, this controller has a limitation in that the controller
driver has to assist the hardware with transition to L1 link state by
writing L1IATN to PMCTRL register, the L1 and L0 link state switching
is not fully automatic on this controller.
In case of an ASMedia ASM1062 PCIe SATA controller which does not support
ASPM, on entry to suspend or during platform pm_test, the SATA controller
enters D3hot state and the link enters L1 state. If the SATA controller
wakes up before rcar_pcie_wakeup() was called and returns to D0, the link
returns to L0 before the controller driver even started its transition to
L1 link state. At this point, the SATA controller did send a PM_ENTER_L1
DLLP to the PCIe controller and the PCIe controller received it, and the
PCIe controller did set PMSR PMEL1RX bit.
Once rcar_pcie_wakeup() is called, if the link is already back in L0 state
and PMEL1RX bit is set, the controller driver has no way to determine if
it should perform the link transition to L1 state, or treat the link as if
it is in L0 state. Currently the driver attempts to perform the transition
to L1 link state unconditionally, which in this specific case fails with a
PMSR L1FAEG poll timeout, however the link still works as it is already
back in L0 state.
Reduce this warning verbosity. In case the link is really broken, the
rcar_pcie_config_access() would fail, otherwise it will succeed and any
system with this controller and ASM1062 can suspend without generating
a backtrace.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43876", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:03.924258Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:17.886Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/pci/controller/pcie-rcar-host.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2ae4769332dfdb97f4b6f5dc9ac8f46d02aaa3df", status: "affected", version: "84b576146294c2be702cfcd174eaa74167e276f9", versionType: "git", }, { lessThan: "526a877c6273d4cd0d0aede84c1d620479764b1c", status: "affected", version: "84b576146294c2be702cfcd174eaa74167e276f9", versionType: "git", }, { lessThan: "3ff3bdde950f1840df4030726cef156758a244d7", status: "affected", version: "84b576146294c2be702cfcd174eaa74167e276f9", versionType: "git", }, { lessThan: "c93637e6a4c4e1d0e85ef7efac78d066bbb24d96", status: "affected", version: "84b576146294c2be702cfcd174eaa74167e276f9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/pci/controller/pcie-rcar-host.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.103", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", 
versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()\n\nAvoid large backtrace, it is sufficient to warn the user that there has\nbeen a link problem. Either the link has failed and the system is in need\nof maintenance, or the link continues to work and user has been informed.\nThe message from the warning can be looked up in the sources.\n\nThis makes an actual link issue less verbose.\n\nFirst of all, this controller has a limitation in that the controller\ndriver has to assist the hardware with transition to L1 link state by\nwriting L1IATN to PMCTRL register, the L1 and L0 link state switching\nis not fully automatic on this controller.\n\nIn case of an ASMedia ASM1062 PCIe SATA controller which does not support\nASPM, on entry to suspend or during platform pm_test, the SATA controller\nenters D3hot state and the link enters L1 state. If the SATA controller\nwakes up before rcar_pcie_wakeup() was called and returns to D0, the link\nreturns to L0 before the controller driver even started its transition to\nL1 link state. At this point, the SATA controller did send an PM_ENTER_L1\nDLLP to the PCIe controller and the PCIe controller received it, and the\nPCIe controller did set PMSR PMEL1RX bit.\n\nOnce rcar_pcie_wakeup() is called, if the link is already back in L0 state\nand PMEL1RX bit is set, the controller driver has no way to determine if\nit should perform the link transition to L1 state, or treat the link as if\nit is in L0 state. Currently the driver attempts to perform the transition\nto L1 link state unconditionally, which in this specific case fails with a\nPMSR L1FAEG poll timeout, however the link still works as it is already\nback in L0 state.\n\nReduce this warning verbosity. 
In case the link is really broken, the\nrcar_pcie_config_access() would fail, otherwise it will succeed and any\nsystem with this controller and ASM1062 can suspend without generating\na backtrace.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:37.817Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2ae4769332dfdb97f4b6f5dc9ac8f46d02aaa3df", }, { url: "https://git.kernel.org/stable/c/526a877c6273d4cd0d0aede84c1d620479764b1c", }, { url: "https://git.kernel.org/stable/c/3ff3bdde950f1840df4030726cef156758a244d7", }, { url: "https://git.kernel.org/stable/c/c93637e6a4c4e1d0e85ef7efac78d066bbb24d96", }, ], title: "PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43876", datePublished: "2024-08-21T00:06:28.260Z", dateReserved: "2024-08-17T09:11:59.281Z", dateUpdated: "2024-12-19T09:17:37.817Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48887
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Remove rcu locks from user resources
User resource lookups used rcu to avoid two extra atomics. Unfortunately
the rcu paths were buggy and it was easy to make the driver crash by
submitting command buffers from two different threads. Because the
lookups never show up in performance profiles replace them with a
regular spin lock which fixes the races in accesses to those shared
resources.
Fixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and
seen crashes with apps using shared resources.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48887", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:35.491654Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:51.743Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/vmwgfx/ttm_object.c", "drivers/gpu/drm/vmwgfx/ttm_object.h", "drivers/gpu/drm/vmwgfx/vmwgfx_bo.c", "drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7ac9578e45b20e3f3c0c8eb71f5417a499a7226a", status: "affected", version: "e14c02e6b6990e9f6ee18a214a22ac26bae1b25e", versionType: "git", }, { lessThan: "a309c7194e8a2f8bd4539b9449917913f6c2cd50", status: "affected", version: "e14c02e6b6990e9f6ee18a214a22ac26bae1b25e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/vmwgfx/ttm_object.c", "drivers/gpu/drm/vmwgfx/ttm_object.h", "drivers/gpu/drm/vmwgfx/vmwgfx_bo.c", "drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.20", }, { lessThan: "4.20", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the 
Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Remove rcu locks from user resources\n\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\nthe rcu paths were buggy and it was easy to make the driver crash by\nsubmitting command buffers from two different threads. Because the\nlookups never show up in performance profiles replace them with a\nregular spin lock which fixes the races in accesses to those shared\nresources.\n\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\nseen crashes with apps using shared resources.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:52.796Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a", }, { url: "https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50", }, ], title: "drm/vmwgfx: Remove rcu locks from user resources", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48887", datePublished: "2024-08-21T06:10:19.073Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:09:52.796Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43882
Vulnerability from cvelistv5
Published
2024-08-21 00:10
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
exec: Fix ToCToU between perm check and set-uid/gid usage
When opening a file for exec via do_filp_open(), permission checking is
done against the file's metadata at that moment, and on success, a file
pointer is passed back. Much later in the execve() code path, the file
metadata (specifically mode, uid, and gid) is used to determine if/how
to set the uid and gid. However, those values may have changed since the
permissions check, meaning the execution may gain unintended privileges.
For example, if a file could change permissions from executable and not
set-id:
---------x 1 root root 16048 Aug 7 13:16 target
to set-id and non-executable:
---S------ 1 root root 16048 Aug 7 13:16 target
it is possible to gain root privileges when execution should have been
disallowed.
While this race condition is rare in real-world scenarios, it has been
observed (and proven exploitable) when package managers are updating
the setuid bits of installed programs. Such files start with being
world-executable but then are adjusted to be group-exec with a set-uid
bit. For example, "chmod o-x,u+s target" makes "target" executable only
by uid "root" and gid "cdrom", while also becoming setuid-root:
-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target
becomes:
-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target
But racing the chmod means users without group "cdrom" membership can
get the permission to execute "target" just before the chmod, and when
the chmod finishes, the exec reaches bprm_fill_uid(), and performs the
setuid to root, violating the expressed authorization of "only cdrom
group members can setuid to root".
Re-check that we still have execute permissions in case the metadata
has changed. It would be better to keep a copy from the perm-check time,
but until we can do that refactoring, the least-bad option is to do a
full inode_permission() call (under inode lock). It is understood that
this is safe against dead-locks, but hardly optimal.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-43882", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-12-10T04:55:56.573367Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-367", description: "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-12-10T18:58:31.805Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/exec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d5c3c7e26275a2d83b894d30f7582a42853a958f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "368f6985d46657b8b466a421dddcacd4051f7ada", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "15469d46ba34559bfe7e3de6659115778c624759", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9b424c5d4130d56312e2a3be17efb0928fec4d64", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d2a2a4714d80d09b0f8eb6438ab4224690b7121e", status: 
"affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f50733b45d865f91db90919f8311e2127ce5a0cb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/exec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.320", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.282", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.224", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.106", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.47", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.6", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Fix ToCToU between perm check and set-uid/gid usage\n\nWhen opening a file for exec via do_filp_open(), permission checking is\ndone against the file's metadata at that moment, and on success, a file\npointer is passed back. Much later in the execve() code path, the file\nmetadata (specifically mode, uid, and gid) is used to determine if/how\nto set the uid and gid. 
However, those values may have changed since the\npermissions check, meaning the execution may gain unintended privileges.\n\nFor example, if a file could change permissions from executable and not\nset-id:\n\n---------x 1 root root 16048 Aug 7 13:16 target\n\nto set-id and non-executable:\n\n---S------ 1 root root 16048 Aug 7 13:16 target\n\nit is possible to gain root privileges when execution should have been\ndisallowed.\n\nWhile this race condition is rare in real-world scenarios, it has been\nobserved (and proven exploitable) when package managers are updating\nthe setuid bits of installed programs. Such files start with being\nworld-executable but then are adjusted to be group-exec with a set-uid\nbit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only\nby uid \"root\" and gid \"cdrom\", while also becoming setuid-root:\n\n-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target\n\nbecomes:\n\n-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target\n\nBut racing the chmod means users without group \"cdrom\" membership can\nget the permission to execute \"target\" just before the chmod, and when\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\nsetuid to root, violating the expressed authorization of \"only cdrom\ngroup members can setuid to root\".\n\nRe-check that we still have execute permissions in case the metadata\nhas changed. It would be better to keep a copy from the perm-check time,\nbut until we can do that refactoring, the least-bad option is to do a\nfull inode_permission() call (under inode lock). 
It is understood that\nthis is safe against dead-locks, but hardly optimal.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:45.419Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f", }, { url: "https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada", }, { url: "https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759", }, { url: "https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64", }, { url: "https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1", }, { url: "https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e", }, { url: "https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e", }, { url: "https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb", }, ], title: "exec: Fix ToCToU between perm check and set-uid/gid usage", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43882", datePublished: "2024-08-21T00:10:49.556Z", dateReserved: "2024-08-17T09:11:59.287Z", dateUpdated: "2024-12-19T09:17:45.419Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43871
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
devres: Fix memory leakage caused by driver API devm_free_percpu()
It will cause memory leakage when using the driver API devm_free_percpu()
to free memory allocated by devm_alloc_percpu(); this is fixed by using
devres_release() instead of devres_destroy() within devm_free_percpu().
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | ff86aae3b4112b85d2231c23bccbc49589df1c06
cve-2024-43861
Vulnerability from cvelistv5
Published
2024-08-20 21:37
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: qmi_wwan: fix memory leak for not ip packets
Free the unused skb when non-IP packets arrive.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | c6adf77953bcec0ad63d7782479452464e50f7a3
cve-2022-48899
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: Fix GEM handle creation UAF
Userspace can guess the handle value and try to race GEM object creation
with handle close, resulting in a use-after-free if we dereference the
object after dropping the handle's reference. For that reason, dropping
the handle's reference must be done *after* we are done dereferencing
the object.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 62fb7a5e10962ac6ae2a2d2dbd3aedcb2a3e3257
cve-2022-48875
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: sdata can be NULL during AMPDU start
ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
deauthentication is ongoing.
Here is a trace triggering the race with the hostapd test
multi_ap_fronthaul_on_ap:

```
(gdb) list *drv_ampdu_action+0x46
0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
391 int ret = -EOPNOTSUPP;
392
393 might_sleep();
394
395 sdata = get_bss_sdata(sdata);
396 if (!check_sdata_in_driver(sdata))
397 return -EIO;
398
399 trace_drv_ampdu_action(local, sdata, params);
400

wlan0: moving STA 02:00:00:00:03:00 to state 3
wlan0: associated
wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
wlan0: moving STA 02:00:00:00:03:00 to state 2
wlan0: moving STA 02:00:00:00:03:00 to state 1
wlan0: Removed STA 02:00:00:00:03:00
wlan0: Destroyed STA 02:00:00:00:03:00
BUG: unable to handle page fault for address: fffffffffffffb48
PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Workqueue: phy3 ieee80211_ba_session_work [mac80211]
RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
Call Trace:
<TASK>
ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
process_one_work+0x29f/0x620
worker_thread+0x4d/0x3d0
? process_one_work+0x620/0x620
kthread+0xfb/0x120
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
```
cve-2024-43864
Vulnerability from cvelistv5
Published
2024-08-20 23:45
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix CT entry update leaks of modify header context
The cited commit allocates a new modify header to replace the old
one when updating a CT entry. But if it fails to allocate a new one, e.g.
because it exceeds the max number the firmware can support, the modify header
will be an error pointer that will trigger a panic when deallocating it. And
the old modify header pointer is copied to the old attr. When the old
attr is freed, the old modify header is lost.
Fix it by restoring the old attr to attr when it fails to allocate a
new modify header context. So when the CT entry is freed, the right
modify header context will be freed. And the panic of accessing
the error pointer is also fixed.
cve-2022-48896
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbe: fix pci device refcount leak
As the comment of pci_get_domain_bus_and_slot() says, it
returns a PCI device with refcount incremented; when finished
using it, the caller must decrement the reference count by
calling pci_dev_put().
In ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),
pci_dev_put() is called to avoid leak.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8fa10ef01260937eb540b4e9bbc3efa023595993 Version: 8fa10ef01260937eb540b4e9bbc3efa023595993 Version: 8fa10ef01260937eb540b4e9bbc3efa023595993 Version: 8fa10ef01260937eb540b4e9bbc3efa023595993 Version: 8fa10ef01260937eb540b4e9bbc3efa023595993
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48896", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:05.827374Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:13.189Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "53cefa802f070d46c0c518f4865be2c749818a18", status: "affected", version: "8fa10ef01260937eb540b4e9bbc3efa023595993", versionType: "git", }, { lessThan: "112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0", status: "affected", version: "8fa10ef01260937eb540b4e9bbc3efa023595993", versionType: "git", }, { lessThan: "4c93422a54cd6a349988f42e1c6bf082cf4ea9d8", status: "affected", version: "8fa10ef01260937eb540b4e9bbc3efa023595993", versionType: "git", }, { lessThan: "c49996c6aa03590e4ef5add8772cb6068d99fd59", status: "affected", version: "8fa10ef01260937eb540b4e9bbc3efa023595993", versionType: "git", }, { lessThan: "b93fb4405fcb5112c5739c5349afb52ec7f15c07", status: "affected", version: "8fa10ef01260937eb540b4e9bbc3efa023595993", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.0", }, { lessThan: "5.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.164", versionType: "semver", 
}, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix pci device refcount leak\n\nAs the comment of pci_get_domain_bus_and_slot() says, it\nreturns a PCI device with refcount incremented, when finish\nusing it, the caller must decrement the reference count by\ncalling pci_dev_put().\n\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\npci_dev_put() is called to avoid leak.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:10:04.357Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18", }, { url: "https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0", }, { url: "https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8", }, { url: "https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59", }, { url: "https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07", }, ], title: "ixgbe: fix pci device refcount leak", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48896", datePublished: "2024-08-21T06:10:28.674Z", dateReserved: "2024-08-21T06:06:23.291Z", dateUpdated: "2024-12-19T08:10:04.357Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43866
Vulnerability from cvelistv5
Published
2024-08-20 23:50
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Always drain health in shutdown callback
There is no point in recovery during device shutdown. If health
work has started, we need to wait for it to avoid races and NULL pointer
access.
Hence, drain health WQ on shutdown callback.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43866", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:35.774939Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:19.231Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/main.c", "drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5005e2e159b300c1b8c6820a1e13a62eb0127b9b", status: "affected", version: "d2aa060d40fa060e963f9a356d43481e43ba3dac", versionType: "git", }, { lessThan: "6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2", status: "affected", version: "d2aa060d40fa060e963f9a356d43481e43ba3dac", versionType: "git", }, { lessThan: "6048dec754554a1303d632be6042d3feb3295285", status: "affected", version: "d2aa060d40fa060e963f9a356d43481e43ba3dac", versionType: "git", }, { lessThan: "1b75da22ed1e6171e261bc9265370162553d5393", status: "affected", version: "d2aa060d40fa060e963f9a356d43481e43ba3dac", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/main.c", "drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.14", }, { lessThan: "4.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.45", versionType: "semver", }, { lessThanOrEqual: "6.10.*", 
status: "unaffected", version: "6.10.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always drain health in shutdown callback\n\nThere is no point in recovery during device shutdown. if health\nwork started need to wait for it to avoid races and NULL pointer\naccess.\n\nHence, drain health WQ on shutdown callback.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:26.194Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5005e2e159b300c1b8c6820a1e13a62eb0127b9b", }, { url: "https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2", }, { url: "https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285", }, { url: "https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393", }, ], title: "net/mlx5: Always drain health in shutdown callback", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43866", datePublished: "2024-08-20T23:50:49.364Z", dateReserved: "2024-08-17T09:11:59.280Z", dateUpdated: "2024-12-19T09:17:26.194Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52893
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
gsmi: fix null-deref in gsmi_get_variable
We can get EFI variables without fetching the attribute, so we must
allow for that in gsmi.
commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore
access layer") added a new get_variable call with attr=NULL, which
triggers panic in gsmi.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 74c5b31c6618f01079212332b2e5f6c42f2d6307 Version: 74c5b31c6618f01079212332b2e5f6c42f2d6307 Version: 74c5b31c6618f01079212332b2e5f6c42f2d6307 Version: 74c5b31c6618f01079212332b2e5f6c42f2d6307 Version: 74c5b31c6618f01079212332b2e5f6c42f2d6307 Version: 74c5b31c6618f01079212332b2e5f6c42f2d6307 Version: 74c5b31c6618f01079212332b2e5f6c42f2d6307
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52893", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:53.149409Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:14.166Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/firmware/google/gsmi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ee5763ef829bd923033510de6d1df7c73f085e4b", status: "affected", version: "74c5b31c6618f01079212332b2e5f6c42f2d6307", versionType: "git", }, { lessThan: "32313c11bdc8a02c577abaf865be3664ab30410a", status: "affected", version: "74c5b31c6618f01079212332b2e5f6c42f2d6307", versionType: "git", }, { lessThan: "ffef77794fb5f1245c3249b86342bad2299accb5", status: "affected", version: "74c5b31c6618f01079212332b2e5f6c42f2d6307", versionType: "git", }, { lessThan: "ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd", status: "affected", version: "74c5b31c6618f01079212332b2e5f6c42f2d6307", versionType: "git", }, { lessThan: "eb0421d90f916dffe96b4c049ddf01c0c50620d2", status: "affected", version: "74c5b31c6618f01079212332b2e5f6c42f2d6307", versionType: "git", }, { lessThan: "6646d769fdb0ce4318ef9afd127f8526d1ca8393", status: "affected", version: "74c5b31c6618f01079212332b2e5f6c42f2d6307", versionType: "git", }, { lessThan: "a769b05eeed7accc4019a1ed9799dd72067f1ce8", status: "affected", version: "74c5b31c6618f01079212332b2e5f6c42f2d6307", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/firmware/google/gsmi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.0", 
}, { lessThan: "3.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.304", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.271", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.230", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngsmi: fix null-deref in gsmi_get_variable\n\nWe can get EFI variables without fetching the attribute, so we must\nallow for that in gsmi.\n\ncommit 859748255b43 (\"efi: pstore: Omit efivars caching EFI varstore\naccess layer\") added a new get_variable call with attr=NULL, which\ntriggers panic in gsmi.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:01.009Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b", }, { url: "https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a", }, { url: "https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5", }, { url: "https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd", }, { url: "https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2", }, { url: "https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393", }, { url: "https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8", }, ], title: "gsmi: fix null-deref in 
gsmi_get_variable", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52893", datePublished: "2024-08-21T06:10:33.043Z", dateReserved: "2024-08-21T06:07:11.013Z", dateUpdated: "2024-12-19T08:28:01.009Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48885
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix potential memory leak in ice_gnss_tty_write()
ice_gnss_tty_write() returns directly if the write_buf alloc failed,
leaking the cmd_buf.
Fix by freeing cmd_buf if write_buf alloc failed.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48885", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:41.711745Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:52.024Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_gnss.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "500ca1da9d0876244eb4d1b0ece6fa0e9968d45d", status: "affected", version: "d6b98c8d242aee40e7b8919dd07b593b0739e38d", versionType: "git", }, { lessThan: "f58985620f55580a07d40062c4115d8c9cf6ae27", status: "affected", version: "d6b98c8d242aee40e7b8919dd07b593b0739e38d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_gnss.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix potential memory leak in ice_gnss_tty_write()\n\nThe ice_gnss_tty_write() return directly if the write_buf alloc failed,\nleaking the cmd_buf.\n\nFix by free cmd_buf if write_buf alloc failed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:50.563Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: 
"Linux", }, references: [ { url: "https://git.kernel.org/stable/c/500ca1da9d0876244eb4d1b0ece6fa0e9968d45d", }, { url: "https://git.kernel.org/stable/c/f58985620f55580a07d40062c4115d8c9cf6ae27", }, ], title: "ice: Fix potential memory leak in ice_gnss_tty_write()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48885", datePublished: "2024-08-21T06:10:16.947Z", dateReserved: "2024-07-16T11:38:08.925Z", dateUpdated: "2024-12-19T08:09:50.563Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48895
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu: Don't unregister on shutdown
Michael Walle says he noticed the following stack trace while performing
a shutdown with "reboot -f". He suggests he got "lucky" and just hit the
correct spot for the reboot while there was a packet transmission in
flight.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930
Hardware name: Kontron KBox A-230-LS (DT)
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_map_page+0x9c/0x254
Call trace:
iommu_get_dma_domain+0x14/0x20
dma_map_page_attrs+0x1ec/0x250
enetc_start_xmit+0x14c/0x10b0
enetc_xmit+0x60/0xdc
dev_hard_start_xmit+0xb8/0x210
sch_direct_xmit+0x11c/0x420
__dev_queue_xmit+0x354/0xb20
ip6_finish_output2+0x280/0x5b0
__ip6_finish_output+0x15c/0x270
ip6_output+0x78/0x15c
NF_HOOK.constprop.0+0x50/0xd0
mld_sendpack+0x1bc/0x320
mld_ifc_work+0x1d8/0x4dc
process_one_work+0x1e8/0x460
worker_thread+0x178/0x534
kthread+0xe0/0xe4
ret_from_fork+0x10/0x20
Code: d503201f f9416800 d503233f d50323bf (f9404c00)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
This appears to be reproducible when the board has a fixed IP address,
is ping flooded from another host, and "reboot -f" is used.
The following is one more manifestation of the issue:
$ reboot -f
kvm: exiting hardware virtualization
cfg80211: failed to load regulatory.db
arm-smmu 5000000.iommu: disabling translation
sdhci-esdhc 2140000.mmc: Removing from iommu group 11
sdhci-esdhc 2150000.mmc: Removing from iommu group 12
fsl-edma 22c0000.dma-controller: Removing from iommu group 17
dwc3 3100000.usb: Removing from iommu group 9
dwc3 3110000.usb: Removing from iommu group 10
ahci-qoriq 3200000.sata: Removing from iommu group 2
fsl-qdma 8380000.dma-controller: Removing from iommu group 20
platform f080000.display: Removing from iommu group 0
etnaviv-gpu f0c0000.gpu: Removing from iommu group 1
etnaviv etnaviv: Removing from iommu group 1
caam_jr 8010000.jr: Removing from iommu group 13
caam_jr 8020000.jr: Removing from iommu group 14
caam_jr 8030000.jr: Removing from iommu group 15
caam_jr 8040000.jr: Removing from iommu group 16
fsl_enetc 0000:00:00.0: Removing from iommu group 4
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.1: Removing from iommu group 5
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.2: Removing from iommu group 6
fsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8
mscc_felix 0000:00:00.5: Removing from iommu group 3
fsl_enetc 0000:00:00.6: Removing from iommu group 7
pcieport 0001:00:00.0: Removing from iommu group 18
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
pcieport 0002:00:00.0: Removing from iommu group 19
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_unmap_page+0x38/0xe0
Call trace:
iommu_get_dma_domain+0x14/0x20
dma_unmap_page_attrs+0x38/0x1d0
en
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48895", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:08.905790Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:15.419Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iommu/arm/arm-smmu/arm-smmu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a", status: "affected", version: "57365a04c92126525a58bf7a1599ddfa832415e9", versionType: "git", }, { lessThan: "ce31e6ca68bd7639bd3e5ef97be215031842bbab", status: "affected", version: "57365a04c92126525a58bf7a1599ddfa832415e9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iommu/arm/arm-smmu/arm-smmu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Don't unregister on shutdown\n\nMichael Walle says he noticed the following stack trace while performing\na shutdown with \"reboot -f\". 
He suggests he got \"lucky\" and just hit the\ncorrect spot for the reboot while there was a packet transmission in\nflight.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\nHardware name: Kontron KBox A-230-LS (DT)\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_map_page+0x9c/0x254\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_map_page_attrs+0x1ec/0x250\n enetc_start_xmit+0x14c/0x10b0\n enetc_xmit+0x60/0xdc\n dev_hard_start_xmit+0xb8/0x210\n sch_direct_xmit+0x11c/0x420\n __dev_queue_xmit+0x354/0xb20\n ip6_finish_output2+0x280/0x5b0\n __ip6_finish_output+0x15c/0x270\n ip6_output+0x78/0x15c\n NF_HOOK.constprop.0+0x50/0xd0\n mld_sendpack+0x1bc/0x320\n mld_ifc_work+0x1d8/0x4dc\n process_one_work+0x1e8/0x460\n worker_thread+0x178/0x534\n kthread+0xe0/0xe4\n ret_from_fork+0x10/0x20\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\n\nThis appears to be reproducible when the board has a fixed IP address,\nis ping flooded from another host, and \"reboot -f\" is used.\n\nThe following is one more manifestation of the issue:\n\n$ reboot -f\nkvm: exiting hardware virtualization\ncfg80211: failed to load regulatory.db\narm-smmu 5000000.iommu: disabling translation\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\ndwc3 3100000.usb: Removing from iommu group 9\ndwc3 3110000.usb: Removing from iommu group 10\nahci-qoriq 3200000.sata: Removing from iommu group 2\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\nplatform f080000.display: Removing from iommu group 0\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\netnaviv etnaviv: Removing from iommu group 1\ncaam_jr 8010000.jr: Removing from iommu group 
13\ncaam_jr 8020000.jr: Removing from iommu group 14\ncaam_jr 8030000.jr: Removing from iommu group 15\ncaam_jr 8040000.jr: Removing from iommu group 16\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\nmscc_felix 0000:00:00.5: Removing from iommu group 3\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\npcieport 0001:00:00.0: Removing from iommu group 18\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\npcieport 0002:00:00.0: Removing from iommu group 19\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_unmap_page+0x38/0xe0\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_unmap_page_attrs+0x38/0x1d0\n en\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:10:03.202Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { 
url: "https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a", }, { url: "https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab", }, ], title: "iommu/arm-smmu: Don't unregister on shutdown", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48895", datePublished: "2024-08-21T06:10:27.612Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:10:03.202Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43872
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: Fix soft lockup under heavy CEQE load
CEQEs are currently handled in the interrupt handler. This may cause the
CPU core to stay in interrupt context too long and lead to soft lockup
under heavy load.
Handle CEQEs in BH workqueue and set an upper limit for the number of
CEQEs handled by a single call of the work handler.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43872", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:16.645858Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:18.467Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/hw/hns/hns_roce_device.h", "drivers/infiniband/hw/hns/hns_roce_hw_v2.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "06580b33c183c9f98e2a2ca96a86137179032c08", status: "affected", version: "a5073d6054f75d7c94b3354206eec4b804d2fbd4", versionType: "git", }, { lessThan: "2fdf34038369c0a27811e7b4680662a14ada1d6b", status: "affected", version: "a5073d6054f75d7c94b3354206eec4b804d2fbd4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/hw/hns/hns_roce_device.h", "drivers/infiniband/hw/hns/hns_roce_hw_v2.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.16", }, { lessThan: "4.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup under heavy CEQE load\n\nCEQEs are handled in interrupt handler currently. 
This may cause the\nCPU core staying in interrupt context too long and lead to soft lockup\nunder heavy load.\n\nHandle CEQEs in BH workqueue and set an upper limit for the number of\nCEQE handled by a single call of work handler.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:33.247Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/06580b33c183c9f98e2a2ca96a86137179032c08", }, { url: "https://git.kernel.org/stable/c/2fdf34038369c0a27811e7b4680662a14ada1d6b", }, ], title: "RDMA/hns: Fix soft lockup under heavy CEQE load", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43872", datePublished: "2024-08-21T00:06:24.041Z", dateReserved: "2024-08-17T09:11:59.281Z", dateUpdated: "2024-12-19T09:17:33.247Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43870
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix event leak upon exit
When a task is scheduled out, pending sigtrap deliveries are deferred
to the target task upon resume to userspace via task_work.
However, failures while adding an event's callback to the task_work
engine are ignored. And since the last call for events exit happens
after task work is eventually closed, there is a small window during
which pending sigtrap can be queued though ignored, leaking the event
refcount addition such as in the following scenario:
    TASK A
    -----
    do_exit()
       exit_task_work(tsk);
       <IRQ>
       perf_event_overflow()
          event->pending_sigtrap = pending_id;
          irq_work_queue(&event->pending_irq);
       </IRQ>
    =========> PREEMPTION: TASK A -> TASK B
       event_sched_out()
          event->pending_sigtrap = 0;
          atomic_long_inc_not_zero(&event->refcount)
          // FAILS: task work has exited
          task_work_add(&event->pending_task)
       [...]
       <IRQ WORK>
       perf_pending_irq()
          // early return: event->oncpu = -1
       </IRQ WORK>
       [...]
    =========> TASK B -> TASK A
       perf_event_exit_task(tsk)
          perf_event_exit_event()
             free_event()
                WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
                // leak event due to unexpected refcount == 2
As a result the event is never released while the task exits.
Fix this with appropriate task_work_add()'s error handling.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8bffa95ac19ff27c8261904f89d36c7fcf215d59 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8 Version: 517e6a301f34613bff24a8e35b5455884f2d83d8
cve-2022-48884
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix command stats access after free
Command may fail while driver is reloading and can't accept FW commands
till command interface is reinitialized. Such command failure is being
logged to command stats. This results in NULL pointer access as command
stats structure is being freed and reallocated during mlx5 devlink
reload (see kernel log below).
Fix it by making command stats statically allocated on driver probe.
Kernel log:
[ 2394.808802] BUG: unable to handle kernel paging request at 000000000002a9c0
[ 2394.810610] PGD 0 P4D 0
[ 2394.811811] Oops: 0002 [#1] SMP NOPTI
...
[ 2394.815482] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0
...
[ 2394.829505] Call Trace:
[ 2394.830667] _raw_spin_lock_irq+0x23/0x26
[ 2394.831858] cmd_status_err+0x55/0x110 [mlx5_core]
[ 2394.833020] mlx5_access_reg+0xe7/0x150 [mlx5_core]
[ 2394.834175] mlx5_query_port_ptys+0x78/0xa0 [mlx5_core]
[ 2394.835337] mlx5e_ethtool_get_link_ksettings+0x74/0x590 [mlx5_core]
[ 2394.836454] ? kmem_cache_alloc_trace+0x140/0x1c0
[ 2394.837562] __rh_call_get_link_ksettings+0x33/0x100
[ 2394.838663] ? __rtnl_unlock+0x25/0x50
[ 2394.839755] __ethtool_get_link_ksettings+0x72/0x150
[ 2394.840862] duplex_show+0x6e/0xc0
[ 2394.841963] dev_attr_show+0x1c/0x40
[ 2394.843048] sysfs_kf_seq_show+0x9b/0x100
[ 2394.844123] seq_read+0x153/0x410
[ 2394.845187] vfs_read+0x91/0x140
[ 2394.846226] ksys_read+0x4f/0xb0
[ 2394.847234] do_syscall_64+0x5b/0x1a0
[ 2394.848228] entry_SYSCALL_64_after_hwframe+0x65/0xca
cve-2024-43868
Vulnerability from cvelistv5
Published
2024-08-20 23:50
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv/purgatory: align riscv_kernel_entry
When alignment handling is delegated to the kernel, everything must be
word-aligned in purgatory, since the trap handler is then set to the
kexec one. Without the alignment, hitting the exception would
ultimately crash. On other occasions, the kernel's handler would take
care of exceptions.
This has been tested on a JH7110 SoC with oreboot and its SBI delegating
unaligned access exceptions and the kernel configured to handle them.
cve-2022-48898
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer
There are 3 possible interrupt sources handled by the DP controller:
HPD status, controller state changes and Aux read/write transactions.
At every irq, the DP controller has to check the isr status of every interrupt
source and service the interrupt if its isr status bits show that interrupts
are pending. There is a potential race condition in the current aux
isr handler implementation, since it always completes dp_aux_cmd_fifo_tx()
even if the irq is not for an aux read or write transaction. This may cause an aux read
transaction to return prematurely if the host aux data read is in the middle of
waiting for the sink to complete transferring data to the host when the irq happens.
This will cause the host's receiving buffer to contain unexpected data. This
patch fixes this problem by checking the aux isr and returning immediately in the
aux isr handler if no isr status bits are set.
Currently there is a bug report regarding eDP edid corruption happening during
system boot. After lengthy debugging, it was found that the VIDEO_READY
interrupt was continuously firing during system boot, which causes
dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely and retrieve data
from the aux hardware buffer, which does not yet contain the complete data transfer
from the sink. This causes edid corruption.
The following is the signature in the kernel logs when the problem happens:
EDID has corrupt header
panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID
Changes in v2:
-- do complete if (ret == IRQ_HANDLED) at dp_aux_isr()
-- add more commit text
Changes in v3:
-- add Stephen suggested
-- dp_aux_isr() return IRQ_XXX back to caller
-- dp_ctrl_isr() return IRQ_XXX back to caller
Changes in v4:
-- split into two patches
Changes in v5:
-- delete empty line between tags
Changes in v6:
-- remove extra "that" and fixed line more than 75 char at commit text
Patchwork: https://patchwork.freedesktop.org/patch/516121/
cve-2024-43865
Vulnerability from cvelistv5
Published
2024-08-20 23:50
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/fpu: Re-add exception handling in load_fpu_state()
With the recent rewrite of the fpu code, exception handling for the
lfpc instruction within load_fpu_state() was erroneously removed.
Add it again to prevent loading invalid floating point register
values from causing an unhandled specification exception.
cve-2023-52894
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
In Google internal bug 265639009 we've received an (as yet) unreproducible
crash report from an aarch64 GKI 5.10.149-android13 running device.
AFAICT the source code is at:
https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10
The call stack is:
ncm_close() -> ncm_notify() -> ncm_do_notify()
with the crash at:
ncm_do_notify+0x98/0x270
Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)
Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):
// halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
0B 0D 00 79 strh w11, [x8, #6]
// word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
6C 0A 00 B9 str w12, [x19, #8]
// x10 (NULL) was read here from offset 0 of valid pointer x9
// IMHO we're reading 'cdev->gadget' and getting NULL
// gadget is indeed at offset 0 of struct usb_composite_dev
2A 01 40 F9 ldr x10, [x9]
// loading req->buf pointer, which is at offset 0 of struct usb_request
69 02 40 F9 ldr x9, [x19]
// x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
4B 5D 40 B9 ldr w11, [x10, #0x5c]
which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:
event->wLength = cpu_to_le16(8);
req->length = NCM_STATUS_BYTECOUNT;
/* SPEED_CHANGE data is up/down speeds in bits/sec */
data = req->buf + sizeof *event;
data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
My analysis of registers and NULL ptr deref crash offset
(Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)
heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:
data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
which calls:
ncm_bitrate(NULL)
which then calls:
gadget_is_superspeed(NULL)
which reads
((struct usb_gadget *)NULL)->max_speed
and hits a panic.
AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.
(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)
It's not at all clear to me how this is all supposed to work...
but returning 0 seems much better than panic-ing...
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
cve-2022-48889
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: sof-nau8825: fix module alias overflow
The maximum name length for a platform_device_id entry is 20 characters
including the trailing NUL byte. The sof_nau8825.c file exceeds that,
which causes an obscure error message:
sound/soc/intel/boards/snd-soc-sof_nau8825.mod.c:35:45: error: illegal character encoding in string literal [-Werror,-Winvalid-source-encoding]
MODULE_ALIAS("platform:adl_max98373_nau8825<U+0018><AA>");
^~~~
include/linux/module.h:168:49: note: expanded from macro 'MODULE_ALIAS'
^~~~~~
include/linux/module.h:165:56: note: expanded from macro 'MODULE_INFO'
^~~~
include/linux/moduleparam.h:26:47: note: expanded from macro '__MODULE_INFO'
= __MODULE_INFO_PREFIX __stringify(tag) "=" info
I could not figure out how to make the module handling robust enough
to handle this better, but as a quick fix, using slightly shorter
names that are still unique avoids the build issue.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48889", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:28.421801Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:55.252Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/soc/intel/boards/sof_nau8825.c", "sound/soc/intel/common/soc-acpi-intel-adl-match.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fba1b23befd88366fe646787b3797e64d7338fd2", status: "affected", version: "8d0872f6239f9d067d538d8368bdec643bb0d255", versionType: "git", }, { lessThan: "3e78986a840d59dd27e636eae3f52dc11125c835", status: "affected", version: "8d0872f6239f9d067d538d8368bdec643bb0d255", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "sound/soc/intel/boards/sof_nau8825.c", "sound/soc/intel/common/soc-acpi-intel-adl-match.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof-nau8825: fix module alias overflow\n\nThe maximum name length for a platform_device_id entry is 20 characters\nincluding the trailing NUL byte. 
The sof_nau8825.c file exceeds that,\nwhich causes an obscure error message:\n\nsound/soc/intel/boards/snd-soc-sof_nau8825.mod.c:35:45: error: illegal character encoding in string literal [-Werror,-Winvalid-source-encoding]\nMODULE_ALIAS(\"platform:adl_max98373_nau8825<U+0018><AA>\");\n ^~~~\ninclude/linux/module.h:168:49: note: expanded from macro 'MODULE_ALIAS'\n ^~~~~~\ninclude/linux/module.h:165:56: note: expanded from macro 'MODULE_INFO'\n ^~~~\ninclude/linux/moduleparam.h:26:47: note: expanded from macro '__MODULE_INFO'\n = __MODULE_INFO_PREFIX __stringify(tag) \"=\" info\n\nI could not figure out how to make the module handling robust enough\nto handle this better, but as a quick fix, using slightly shorter\nnames that are still unique avoids the build issue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:55.823Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fba1b23befd88366fe646787b3797e64d7338fd2", }, { url: "https://git.kernel.org/stable/c/3e78986a840d59dd27e636eae3f52dc11125c835", }, ], title: "ASoC: Intel: sof-nau8825: fix module alias overflow", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48889", datePublished: "2024-08-21T06:10:21.195Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: "2024-12-19T08:09:55.823Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48874
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix use-after-free and race in fastrpc_map_find
Currently, there is a race window between the point when the mutex is
unlocked in fastrpc_map_lookup and the reference count increasing
(fastrpc_map_get) in fastrpc_map_find, which can also lead to
use-after-free.
So lets merge fastrpc_map_find into fastrpc_map_lookup which allows us
to both protect the maps list by also taking the &fl->lock spinlock and
the reference count, since the spinlock will be released only after.
Add take_ref argument to make this suitable for all callers.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48874", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:19.392844Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:53.688Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/misc/fastrpc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a50c5c25b6e7d2824698c0e6385f882a18f4a498", status: "affected", version: "8f6c1d8c4f0cc316b0456788fff8373554d1d99d", versionType: "git", }, { lessThan: "9446fa1683a7e3937d9970248ced427c1983a1c5", status: "affected", version: "8f6c1d8c4f0cc316b0456788fff8373554d1d99d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/misc/fastrpc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free and race in fastrpc_map_find\n\nCurrently, there is a race window between the point when the mutex is\nunlocked in fastrpc_map_lookup and the reference count increasing\n(fastrpc_map_get) in fastrpc_map_find, which can also lead to\nuse-after-free.\n\nSo lets merge fastrpc_map_find into fastrpc_map_lookup which allows us\nto both 
protect the maps list by also taking the &fl->lock spinlock and\nthe reference count, since the spinlock will be released only after.\nAdd take_ref argument to make this suitable for all callers.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:37.898Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a50c5c25b6e7d2824698c0e6385f882a18f4a498", }, { url: "https://git.kernel.org/stable/c/9446fa1683a7e3937d9970248ced427c1983a1c5", }, ], title: "misc: fastrpc: Fix use-after-free and race in fastrpc_map_find", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48874", datePublished: "2024-08-21T06:10:05.081Z", dateReserved: "2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:37.898Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52895
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/poll: don't reissue in case of poll race on multishot request
A previous commit fixed a poll race that can occur, but it's only
applicable for multishot requests. For a multishot request, we can safely
ignore a spurious wakeup, as we never leave the waitqueue to begin with.
A blunt reissue of a multishot armed request can cause us to leak a
buffer, if they are ring provided. While this seems like a bug in itself,
it's not really defined behavior to reissue a multishot request directly.
It's less efficient to do so as well, and not required to rearm anything
like it is for singleshot poll requests.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52895", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:46.864583Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:13.444Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/poll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "36fc7317cdb16cfeae0f879916995037bb615ac4", status: "affected", version: "c06015ebc4367be38904b88582e13cc079672075", versionType: "git", }, { lessThan: "8caa03f10bf92cb8657408a6ece6a8a73f96ce13", status: "affected", version: "6e5aedb9324aab1c14a23fae3d8eeb64a679c20e", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/poll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6.1.8", status: "affected", version: "6.1.7", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: don't reissue in case of poll race on multishot request\n\nA previous commit fixed a poll race that can occur, but it's only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\n\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. 
While this seems like a bug in itself,\nit's not really defined behavior to reissue a multishot request directly.\nIt's less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:03.459Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4", }, { url: "https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13", }, ], title: "io_uring/poll: don't reissue in case of poll race on multishot request", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52895", datePublished: "2024-08-21T06:10:35.179Z", dateReserved: "2024-08-21T06:07:11.013Z", dateUpdated: "2024-12-19T08:28:03.459Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-43875
Vulnerability from cvelistv5
Published
2024-08-21 00:06
Modified
2024-12-19 09:17
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Clean up error handling in vpci_scan_bus()
Smatch complains about inconsistent NULL checking in vpci_scan_bus():
drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)
Instead of printing an error message and then crashing we should return
an error code and clean up.
Also the NULL check is reversed so it prints an error for success
instead of failure.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: e2b6ef72b7aea9d7d480d2df499bcd1c93247abb, Version: e35f56bb03304abc92c928b641af41ca372966bb, Version: e35f56bb03304abc92c928b641af41ca372966bb, Version: e35f56bb03304abc92c928b641af41ca372966bb, Version: e35f56bb03304abc92c928b641af41ca372966bb
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-43875", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:06:07.224237Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:18.016Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/pci/endpoint/functions/pci-epf-vntb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "24414c842a24d0fd498f9db6d2a762a8dddf1832", status: "affected", version: "e2b6ef72b7aea9d7d480d2df499bcd1c93247abb", versionType: "git", }, { lessThan: "7d368de78b60088ec9031c60c88976c0063ea4c0", status: "affected", version: "e35f56bb03304abc92c928b641af41ca372966bb", versionType: "git", }, { lessThan: "0e27e2e8697b8ce96cdef43f135426525d9d1f8f", status: "affected", version: "e35f56bb03304abc92c928b641af41ca372966bb", versionType: "git", }, { lessThan: "b9e8695246bcfc028341470cbf92630cdc1ba36b", status: "affected", version: "e35f56bb03304abc92c928b641af41ca372966bb", versionType: "git", }, { lessThan: "8e0f5a96c534f781e8c57ca30459448b3bfe5429", status: "affected", version: "e35f56bb03304abc92c928b641af41ca372966bb", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/pci/endpoint/functions/pci-epf-vntb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.165", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.103", versionType: 
"semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.44", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.11", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\n\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\n\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\n\nInstead of printing an error message and then crashing we should return\nan error code and clean up.\n\nAlso the NULL check is reversed so it prints an error for success\ninstead of failure.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:17:36.683Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832", }, { url: "https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0", }, { url: "https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f", }, { url: "https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b", }, { url: "https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429", }, ], title: "PCI: endpoint: Clean up error handling in vpci_scan_bus()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-43875", datePublished: "2024-08-21T00:06:27.204Z", dateReserved: "2024-08-17T09:11:59.281Z", dateUpdated: "2024-12-19T09:17:36.683Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48871
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer
Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
default RX FIFO depth, e.g. 16. Later during serial startup the
qcom_geni_serial_port_setup() updates the RX FIFO depth
(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.
The RX UART handle code will read "port->rx_fifo_depth" number of words
into "port->rx_fifo" buffer, thus exceeding the bounds. This can be
observed in certain configurations with Qualcomm Bluetooth HCI UART
device and KASAN:
Bluetooth: hci0: QCA Product ID :0x00000010
Bluetooth: hci0: QCA SOC Version :0x400a0200
Bluetooth: hci0: QCA ROM Version :0x00000200
Bluetooth: hci0: QCA Patch Version:0x00000d2b
Bluetooth: hci0: QCA controller version 0x02000200
Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
Bluetooth: hci0: QCA Failed to download patch (-2)
==================================================================
BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
Write of size 4 at addr ffff279347d578c0 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0
show_stack+0x18/0x40
dump_stack_lvl+0x8c/0xb8
print_report+0x188/0x488
kasan_report+0xb4/0x100
__asan_store4+0x80/0xa4
handle_rx_uart+0xa8/0x18c
qcom_geni_serial_handle_rx+0x84/0x9c
qcom_geni_serial_isr+0x24c/0x760
__handle_irq_event_percpu+0x108/0x500
handle_irq_event+0x6c/0x110
handle_fasteoi_irq+0x138/0x2cc
generic_handle_domain_irq+0x48/0x64
If the RX FIFO depth changes after probe, be sure to resize the buffer.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48871", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:05:28.910017Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:54.202Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/tty/serial/qcom_geni_serial.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "894681682dbefdad917b88f86cde1069140a047a", status: "affected", version: "f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9", versionType: "git", }, { lessThan: "cb53a3366eb28fed67850c80afa52075bb71a38a", status: "affected", version: "f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9", versionType: "git", }, { lessThan: "fd524ca7fe45b8a06dca2dd546d62684a9768f95", status: "affected", version: "f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9", versionType: "git", }, { lessThan: "b8caf69a6946e18ffebad49847e258f5b6d52ac2", status: "affected", version: "f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/tty/serial/qcom_geni_serial.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.7", }, { lessThan: "5.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.165", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.90", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.8", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", 
versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\n\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\nqcom_geni_serial_port_setup() updates the RX FIFO depth\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\n\nThe RX UART handle code will read \"port->rx_fifo_depth\" number of words\ninto \"port->rx_fifo\" buffer, thus exceeding the bounds. This can be\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\ndevice and KASAN:\n\n Bluetooth: hci0: QCA Product ID :0x00000010\n Bluetooth: hci0: QCA SOC Version :0x400a0200\n Bluetooth: hci0: QCA ROM Version :0x00000200\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\n Bluetooth: hci0: QCA controller version 0x02000200\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\n Bluetooth: hci0: QCA Failed to download patch (-2)\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\n\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\n Hardware name: Qualcomm Technologies, Inc. 
Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xe0/0xf0\n show_stack+0x18/0x40\n dump_stack_lvl+0x8c/0xb8\n print_report+0x188/0x488\n kasan_report+0xb4/0x100\n __asan_store4+0x80/0xa4\n handle_rx_uart+0xa8/0x18c\n qcom_geni_serial_handle_rx+0x84/0x9c\n qcom_geni_serial_isr+0x24c/0x760\n __handle_irq_event_percpu+0x108/0x500\n handle_irq_event+0x6c/0x110\n handle_fasteoi_irq+0x138/0x2cc\n generic_handle_domain_irq+0x48/0x64\n\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:34.519Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a", }, { url: "https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a", }, { url: "https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95", }, { url: "https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2", }, ], title: "tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48871", datePublished: "2024-08-21T06:10:01.859Z", dateReserved: "2024-07-16T11:38:08.921Z", dateUpdated: "2024-12-19T08:09:34.519Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48881
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd: Fix refcount leak in amd_pmc_probe
pci_get_domain_bus_and_slot() takes reference, the caller should release
the reference by calling pci_dev_put() after use. Call pci_dev_put() in
the error path to fix this.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48881", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:56.421586Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:52.819Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/platform/x86/amd/pmc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3944162821295993ec89992dec98ab6be6306cc0", status: "affected", version: "3d7d407dfb05b257e15cb0c6b056428a4a8c2e5d", versionType: "git", }, { lessThan: "ccb32e2be14271a60e9ba89c6d5660cc9998773c", status: "affected", version: "3d7d407dfb05b257e15cb0c6b056428a4a8c2e5d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/platform/x86/amd/pmc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: Fix refcount leak in amd_pmc_probe\n\npci_get_domain_bus_and_slot() takes reference, the caller should release\nthe reference by calling pci_dev_put() after use. 
Call pci_dev_put() in\nthe error path to fix this.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:46.087Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3944162821295993ec89992dec98ab6be6306cc0", }, { url: "https://git.kernel.org/stable/c/ccb32e2be14271a60e9ba89c6d5660cc9998773c", }, ], title: "platform/x86/amd: Fix refcount leak in amd_pmc_probe", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48881", datePublished: "2024-08-21T06:10:12.573Z", dateReserved: "2024-07-16T11:38:08.924Z", dateUpdated: "2024-12-19T08:09:46.087Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48880
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/surface: aggregator: Add missing call to ssam_request_sync_free()
Although rare, ssam_request_sync_init() can fail. In that case, the
request should be freed via ssam_request_sync_free(). Currently it is
leaked instead. Fix this.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48880", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:59.583081Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:52.962Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/platform/surface/aggregator/controller.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d2dc110deabe7142b60ebeed689e67f92795ee24", status: "affected", version: "c167b9c7e3d6131b4a4865c112a3dbc86d2e997d", versionType: "git", }, { lessThan: "50b3cdf8239b11545f311c4f7b89e0092e4feedb", status: "affected", version: "c167b9c7e3d6131b4a4865c112a3dbc86d2e997d", versionType: "git", }, { lessThan: "c965daac370f08a9b71d573a71d13cda76f2a884", status: "affected", version: "c167b9c7e3d6131b4a4865c112a3dbc86d2e997d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/platform/surface/aggregator/controller.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.12", }, { lessThan: "5.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/surface: aggregator: Add missing call to 
ssam_request_sync_free()\n\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\nrequest should be freed via ssam_request_sync_free(). Currently it is\nleaked instead. Fix this.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:44.738Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24", }, { url: "https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb", }, { url: "https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884", }, ], title: "platform/surface: aggregator: Add missing call to ssam_request_sync_free()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48880", datePublished: "2024-08-21T06:10:11.524Z", dateReserved: "2024-07-16T11:38:08.923Z", dateUpdated: "2024-12-19T08:09:44.738Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52914
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/poll: add hash if ready poll request can't complete inline
If we don't, then we may lose access to it completely, leading to a
request leak. This will eventually stall the ring exit process as
well.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52914", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T15:34:39.750904Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:03.107Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/poll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4ad6c063541665c407d17e1faf2fe4f04e947dcc", status: "affected", version: "49f1c68e048f1706b71c8255faf8110113d1cc48", versionType: "git", }, { lessThan: "febb985c06cb6f5fac63598c0bffd4fd823d110d", status: "affected", version: "49f1c68e048f1706b71c8255faf8110113d1cc48", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "io_uring/poll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: add hash if ready poll request can't complete inline\n\nIf we don't, then we may lose access to it completely, leading to a\nrequest leak. 
This will eventually stall the ring exit process as\nwell.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:27.949Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4ad6c063541665c407d17e1faf2fe4f04e947dcc", }, { url: "https://git.kernel.org/stable/c/febb985c06cb6f5fac63598c0bffd4fd823d110d", }, ], title: "io_uring/poll: add hash if ready poll request can't complete inline", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52914", datePublished: "2024-08-21T06:10:55.630Z", dateReserved: "2024-08-21T06:07:11.017Z", dateUpdated: "2024-12-19T08:28:27.949Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52910
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/iova: Fix alloc iova overflows issue
In __alloc_and_insert_iova_range, there is an issue that retry_pfn
overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
overflow. As a result, if the retry logic is executed, low_pfn is
updated to 0, and then new_pfn < low_pfn returns false to make the
allocation successful.
This issue occurs in the following two situations:
1. The first iova size exceeds the domain size. When initializing
iova domain, iovad->cached_node is assigned as iovad->anchor. For
example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
and the iova size allocated for the first time is 11M. The
following is the log information, new->pfn_lo is smaller than
iovad->cached_node.
Example log as follows:
[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff
2. The node with the largest iova->pfn_lo value in the iova domain
is deleted, iovad->cached_node will be updated to iovad->anchor,
and then the alloc iova size exceeds the maximum iova size that can
be allocated in the domain.
After judging that retry_pfn is less than limit_pfn, call retry_pfn+1
to fix the overflow issue.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52910", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T15:34:52.014408Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:03.507Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iommu/iova.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c929a230c84441e400c32e7b7b4ab763711fb63e", status: "affected", version: "4e89dce725213d3d0b0475211b500eda4ef4bf2f", versionType: "git", }, { lessThan: "61cbf790e7329ed78877560be7136f0b911bba7f", status: "affected", version: "4e89dce725213d3d0b0475211b500eda4ef4bf2f", versionType: "git", }, { lessThan: "dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c", status: "affected", version: "4e89dce725213d3d0b0475211b500eda4ef4bf2f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iommu/iova.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.11", }, { lessThan: "5.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/iova: Fix alloc iova overflows issue\n\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\noverflows. 
The value of iovad->anchor.pfn_hi is ~0UL, then when\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\noverflow. As a result, if the retry logic is executed, low_pfn is\nupdated to 0, and then new_pfn < low_pfn returns false to make the\nallocation successful.\n\nThis issue occurs in the following two situations:\n1. The first iova size exceeds the domain size. When initializing\niova domain, iovad->cached_node is assigned as iovad->anchor. For\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\nand the iova size allocated for the first time is 11M. The\nfollowing is the log information, new->pfn_lo is smaller than\niovad->cached_node.\n\nExample log as follows:\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\n\n2. The node with the largest iova->pfn_lo value in the iova domain\nis deleted, iovad->cached_node will be updated to iovad->anchor,\nand then the alloc iova size exceeds the maximum iova size that can\nbe allocated in the domain.\n\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\nto fix the overflow issue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:22.995Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e", }, { url: "https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f", }, { url: "https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c", }, ], title: "iommu/iova: Fix alloc iova overflows issue", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52910", datePublished: 
"2024-08-21T06:10:51.337Z", dateReserved: "2024-08-21T06:07:11.015Z", dateUpdated: "2024-12-19T08:28:22.995Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52909
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix handling of cached open files in nfsd4_open codepath
Commit fb70bf124b05 ("NFSD: Instantiate a struct file when creating a
regular NFSv4 file") added the ability to cache an open fd over a
compound. There are a couple of problems with the way this currently
works:
It's racy, as a newly-created nfsd_file can end up with its PENDING bit
cleared while the nf is hashed, and the nf_file pointer is still zeroed
out. Other tasks can find it in this state and they expect to see a
valid nf_file, and can oops if nf_file is NULL.
Also, there is no guarantee that we'll end up creating a new nfsd_file
if one is already in the hash. If an extant entry is in the hash with a
valid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with
the value of op_file and the old nf_file will leak.
Fix both issues by making a new nfsd_file_acquirei_opened variant that
takes an optional file pointer. If one is present when this is called,
we'll take a new reference to it instead of trying to open the file. If
the nfsd_file already has a valid nf_file, we'll just ignore the
optional file and pass the nfsd_file back as-is.
Also rework the tracepoints a bit to allow for an "opened" variant and
don't try to avoid counting acquisitions in the case where we already
have a cached open file.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52909", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:03:02.157963Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:12.921Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nfsd/filecache.c", "fs/nfsd/filecache.h", "fs/nfsd/nfs4state.c", "fs/nfsd/trace.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "45c08a752982116f3287afcd1bd9c50f4fab0c28", status: "affected", version: "c20097329d2c196b818c4666c7820c1378d69d61", versionType: "git", }, { lessThan: "0b778361998d6c6356b8d2fc7ddf025fb3224654", status: "affected", version: "106331a12b0fa5afa6995b1f9ebb03ddcaac6915", versionType: "git", }, { lessThan: "973acfdfe90c8a4e58ade97ff0653a498531ff2e", status: "affected", version: "fb70bf124b051d4ded4ce57511dfec6d3ebf2b43", versionType: "git", }, { lessThan: "0b3a551fa58b4da941efeb209b3770868e2eddd7", status: "affected", version: "fb70bf124b051d4ded4ce57511dfec6d3ebf2b43", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nfsd/filecache.c", "fs/nfsd/filecache.h", "fs/nfsd/nfs4state.c", "fs/nfsd/trace.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux 
kernel, the following vulnerability has been resolved:\n\nnfsd: fix handling of cached open files in nfsd4_open codepath\n\nCommit fb70bf124b05 (\"NFSD: Instantiate a struct file when creating a\nregular NFSv4 file\") added the ability to cache an open fd over a\ncompound. There are a couple of problems with the way this currently\nworks:\n\nIt's racy, as a newly-created nfsd_file can end up with its PENDING bit\ncleared while the nf is hashed, and the nf_file pointer is still zeroed\nout. Other tasks can find it in this state and they expect to see a\nvalid nf_file, and can oops if nf_file is NULL.\n\nAlso, there is no guarantee that we'll end up creating a new nfsd_file\nif one is already in the hash. If an extant entry is in the hash with a\nvalid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with\nthe value of op_file and the old nf_file will leak.\n\nFix both issues by making a new nfsd_file_acquirei_opened variant that\ntakes an optional file pointer. If one is present when this is called,\nwe'll take a new reference to it instead of trying to open the file. 
If\nthe nfsd_file already has a valid nf_file, we'll just ignore the\noptional file and pass the nfsd_file back as-is.\n\nAlso rework the tracepoints a bit to allow for an \"opened\" variant and\ndon't try to avoid counting acquisitions in the case where we already\nhave a cached open file.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:21.879Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/45c08a752982116f3287afcd1bd9c50f4fab0c28", }, { url: "https://git.kernel.org/stable/c/0b778361998d6c6356b8d2fc7ddf025fb3224654", }, { url: "https://git.kernel.org/stable/c/973acfdfe90c8a4e58ade97ff0653a498531ff2e", }, { url: "https://git.kernel.org/stable/c/0b3a551fa58b4da941efeb209b3770868e2eddd7", }, ], title: "nfsd: fix handling of cached open files in nfsd4_open codepath", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52909", datePublished: "2024-08-21T06:10:50.303Z", dateReserved: "2024-08-21T06:07:11.015Z", dateUpdated: "2024-12-19T08:28:21.879Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48886
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Add check for kzalloc
Add the check for the return value of kzalloc in order to avoid
NULL pointer dereference.
Moreover, use the goto-label to share the clean code.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48886", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:38.619808Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:51.891Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_gnss.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "96a9873188552ebb2afe76033d7329a5ecabef6e", status: "affected", version: "d6b98c8d242aee40e7b8919dd07b593b0739e38d", versionType: "git", }, { lessThan: "40543b3d9d2c13227ecd3aa90a713c201d1d7f09", status: "affected", version: "d6b98c8d242aee40e7b8919dd07b593b0739e38d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_gnss.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add check for kzalloc\n\nAdd the check for the return value of kzalloc in order to avoid\nNULL pointer dereference.\nMoreover, use the goto-label to share the clean code.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:51.687Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: 
"https://git.kernel.org/stable/c/96a9873188552ebb2afe76033d7329a5ecabef6e", }, { url: "https://git.kernel.org/stable/c/40543b3d9d2c13227ecd3aa90a713c201d1d7f09", }, ], title: "ice: Add check for kzalloc", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48886", datePublished: "2024-08-21T06:10:18.015Z", dateReserved: "2024-08-21T06:06:23.289Z", dateUpdated: "2024-12-19T08:09:51.687Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48882
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)
Upon updating MAC security entity (SecY) in hw offload path, the macsec
security association (SA) initialization routine is called. If
extended packet number (epn) is enabled, the salt and ssci attributes are
retrieved using the MACsec driver rx_sa context, which is unavailable when
updating a SecY property such as encoding-sa, hence the null dereference.
Fix by using the provided SA to set those attributes.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48882", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:52.593667Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:32:52.633Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "514d9c6a39213d8200884e70f60ce7faef1ee597", status: "affected", version: "4411a6c0abd3e55b4a4fb9432b3a0553f12337c2", versionType: "git", }, { lessThan: "9828994ac492e8e7de47fe66097b7e665328f348", status: "affected", version: "4411a6c0abd3e55b4a4fb9432b3a0553f12337c2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)\n\nUpon updating MAC security entity (SecY) in hw offload path, the macsec\nsecurity association (SA) initialization routine is called. 
In case of\nextended packet number (epn) is enabled the salt and ssci attributes are\nretrieved using the MACsec driver rx_sa context which is unavailable when\nupdating a SecY property such as encoding-sa hence the null dereference.\nFix by using the provided SA to set those attributes.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:47.231Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/514d9c6a39213d8200884e70f60ce7faef1ee597", }, { url: "https://git.kernel.org/stable/c/9828994ac492e8e7de47fe66097b7e665328f348", }, ], title: "net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48882", datePublished: "2024-08-21T06:10:13.640Z", dateReserved: "2024-07-16T11:38:08.924Z", dateUpdated: "2024-12-19T08:09:47.231Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48892
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:09
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
restricted on asymmetric systems"), the setting and clearing of
user_cpus_ptr are done under pi_lock for arm64 architecture. However,
dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
protection. Since sched_setaffinity() can be invoked from another
process, the process being modified may be undergoing fork() at
the same time. When racing with the clearing of user_cpus_ptr in
__set_cpus_allowed_ptr_locked(), it can lead to use-after-free and
possibly double-free in arm64 kernel.
Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
cpumask") fixes this problem as user_cpus_ptr, once set, will never
be cleared in a task's lifetime. However, this bug was re-introduced
in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
do_set_cpus_allowed(). This time, it will affect all arches.
Fix this bug by always clearing the user_cpus_ptr of the newly
cloned/forked task before the copying process starts and check the
user_cpus_ptr state of the source task under pi_lock.
Note to stable, this patch won't be applicable to stable releases.
Just copy the new dup_user_cpus_ptr() function over.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48892", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T16:04:18.997658Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:06.281Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/sched/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b22faa21b6230d5eccd233e1b7e0026a5002b287", status: "affected", version: "07ec77a1d4e82526e1588979fff2f024f8e96df2", versionType: "git", }, { lessThan: "7b5cc7fd1789ea5dbb942c9f8207b076d365badc", status: "affected", version: "07ec77a1d4e82526e1588979fff2f024f8e96df2", versionType: "git", }, { lessThan: "87ca4f9efbd7cc649ff43b87970888f2812945b8", status: "affected", version: "07ec77a1d4e82526e1588979fff2f024f8e96df2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/sched/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.89", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\n\nSince commit 07ec77a1d4e8 (\"sched: Allow task CPU affinity to 
be\nrestricted on asymmetric systems\"), the setting and clearing of\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\nprotection. Since sched_setaffinity() can be invoked from another\nprocess, the process being modified may be undergoing fork() at\nthe same time. When racing with the clearing of user_cpus_ptr in\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\npossibly double-free in arm64 kernel.\n\nCommit 8f9ea86fdf99 (\"sched: Always preserve the user requested\ncpumask\") fixes this problem as user_cpus_ptr, once set, will never\nbe cleared in a task's lifetime. However, this bug was re-introduced\nin commit 851a723e45d1 (\"sched: Always clear user_cpus_ptr in\ndo_set_cpus_allowed()\") which allows the clearing of user_cpus_ptr in\ndo_set_cpus_allowed(). This time, it will affect all arches.\n\nFix this bug by always clearing the user_cpus_ptr of the newly\ncloned/forked task before the copying process starts and check the\nuser_cpus_ptr state of the source task under pi_lock.\n\nNote to stable, this patch won't be applicable to stable releases.\nJust copy the new dup_user_cpus_ptr() function over.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:09:59.365Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287", }, { url: "https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc", }, { url: "https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8", }, ], title: "sched/core: Fix use-after-free bug in dup_user_cpus_ptr()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48892", datePublished: "2024-08-21T06:10:24.407Z", dateReserved: "2024-08-21T06:06:23.290Z", dateUpdated: 
"2024-12-19T08:09:59.365Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52913
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-12-19 08:28
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix potential context UAFs
gem_context_register() makes the context visible to userspace, at which
point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.
So we need to ensure that nothing uses the ctx ptr after this. And we
need to ensure that adding the ctx to the xarray is the *last* thing
that gem_context_register() does with the ctx pointer.
[tursulin: Stable and fixes tags add/tidy.]
(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52913", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T15:34:42.812004Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T17:33:12.564Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/i915/gem/i915_gem_context.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ae278887193110dfeb857ea63e243a3851fbb0bc", status: "affected", version: "eb4dedae920a07c485328af3da2202ec5184fb17", versionType: "git", }, { lessThan: "b696c627b3f56e173f7f70b8487d66da8ff22506", status: "affected", version: "eb4dedae920a07c485328af3da2202ec5184fb17", versionType: "git", }, { lessThan: "afce71ff6daa9c0f852df0727fe32c6fb107f0fa", status: "affected", version: "eb4dedae920a07c485328af3da2202ec5184fb17", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/i915/gem/i915_gem_context.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.171", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.7", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential context UAFs\n\ngem_context_register() makes the context 
visible to userspace, and which\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\nSo we need to ensure that nothing uses the ctx ptr after this. And we\nneed to ensure that adding the ctx to the xarray is the *last* thing\nthat gem_context_register() does with the ctx pointer.\n\n[tursulin: Stable and fixes tags add/tidy.]\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:26.776Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ae278887193110dfeb857ea63e243a3851fbb0bc", }, { url: "https://git.kernel.org/stable/c/b696c627b3f56e173f7f70b8487d66da8ff22506", }, { url: "https://git.kernel.org/stable/c/afce71ff6daa9c0f852df0727fe32c6fb107f0fa", }, ], title: "drm/i915: Fix potential context UAFs", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52913", datePublished: "2024-08-21T06:10:54.540Z", dateReserved: "2024-08-21T06:07:11.017Z", dateUpdated: "2024-12-19T08:28:26.776Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }